Azure Key Vault - Configure certificate autorotation
Azure Key Vault lets you provision, manage, and deploy your digital certificates. This article shows how to update a certificate's validity period, auto-rotation frequency, email notification contacts and CA attributes.
The certificates can be public or private SSL/TLS certificates, which may be:
A self-signed certificate
A certificate created with a non-partner CA with Key Vault
A certificate created with a partner CA with Key Vault
A Key Vault can request and renew / auto-rotate certificates through established CA partners such as DigiCert and GlobalSign, providing a robust solution for certificate lifecycle management. This auto-rotation capability is not applicable for certificates created with non-partner CAs.
Partner certificate authority (CA)
The following CAs are currently partnered providers with Key Vault:
DigiCert: Key Vault offers OV or EV TLS/SSL certificates.
GlobalSign: Key Vault offers OV or EV TLS/SSL certificates.
Auto-rotation
Auto-rotation is configured through your certificate's lifecycle attributes, either when you create the certificate or at a later stage.
Updating certificate lifecycle attributes while creating a new certificate
Go to Key Vault > Certificates
Select Generate/Import
On the Create a certificate screen, update the following values:
Validity Period: Update the value (in months).
Lifetime Action Type: select the certificate's auto-renewal and alerting action, then update the percentage lifetime or the number of days before expiry. By default, a certificate's auto-renewal is set at 80 percent of its lifetime.
Select Create
Updating certificate lifecycle attributes on an existing stored certificate
Go to Key Vault > Certificates
Select the certificate you want to update > Select Issuance Policy
On the Issuance Policy screen, update the following values:
Validity Period: Update the value (in months).
Lifetime Action Type: select the certificate's auto-renewal and alerting action, based on either a percentage of the lifetime or a number of days.
(Changing the Lifetime Action Type for a certificate records the modification for the existing certificate immediately.)
Update the percentage lifetime or the number of days before expiry > Save
If you choose to configure an Azure Key Vault certificate policy, you may either click the Advanced Policy Configuration link or configure the policy with PowerShell, as described below.
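The same validity period and lifetime-action trigger can be set without the portal. The following script is an added example (not from the article): it builds the certificate policy JSON, rejects the trigger values Key Vault would refuse, and applies the policy with the az CLI. It assumes the az CLI is installed and logged in; the vault name "allen-kv1" comes from the article, while the certificate name "demo-cert" and subject "CN=demo.example" are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the article): build a Key Vault certificate policy
# JSON that sets the validity period and the auto-renewal trigger, validate
# the trigger before sending it, then apply it with the az CLI.
# Vault name "allen-kv1" is taken from the article; the certificate name
# "demo-cert" and subject "CN=demo.example" are constructed placeholders.

# make_policy MONTHS MODE VALUE
#   MODE "percentage": renew at VALUE percent of the lifetime (1..99)
#   MODE "days":       renew VALUE days before expiry (inside the lifetime)
# Prints the policy JSON; returns 1 and prints a reason on invalid input.
make_policy() {
  months=$1; mode=$2; value=$3
  [ "$months" -ge 1 ] 2>/dev/null || { echo "validity must be >= 1 month" >&2; return 1; }
  case $mode in
    percentage)
      # Key Vault only accepts lifetimePercentage from 1 to 99.
      { [ "$value" -ge 1 ] && [ "$value" -le 99 ]; } 2>/dev/null \
        || { echo "percentage must be 1..99" >&2; return 1; }
      trigger="\"lifetimePercentage\": $value" ;;
    days)
      # Keep the trigger inside the lifetime (28 days per month is a safe bound).
      { [ "$value" -ge 1 ] && [ "$value" -lt $((months * 28)) ]; } 2>/dev/null \
        || { echo "days must be 1..$((months * 28 - 1))" >&2; return 1; }
      trigger="\"daysBeforeExpiry\": $value" ;;
    *) echo "mode must be percentage or days" >&2; return 1 ;;
  esac
  # Exactly one trigger per lifetime action. AutoRenew works for self-signed and
  # partner-CA issuers; for a non-partner CA use "EmailContacts" instead.
  cat <<EOF
{
  "issuerParameters": { "name": "Self" },
  "keyProperties": { "exportable": true, "keySize": 2048, "keyType": "RSA", "reuseKey": false },
  "secretProperties": { "contentType": "application/x-pkcs12" },
  "x509CertificateProperties": { "subject": "CN=demo.example", "validityInMonths": $months },
  "lifetimeActions": [ { "trigger": { $trigger }, "action": { "actionType": "AutoRenew" } } ]
}
EOF
}

# apply_policy: renew at 80 percent of a 12-month lifetime (the article's stated
# default) for a new certificate and for an existing one (the Issuance Policy step).
apply_policy() {
  make_policy 12 percentage 80 > policy.json || return 1
  az keyvault certificate create --vault-name "allen-kv1" --name "demo-cert" --policy @policy.json
  az keyvault certificate set-attributes --vault-name "allen-kv1" --name "demo-cert" --policy @policy.json
}
```

Call apply_policy once you are logged in with `az login`; make_policy on its own only prints the JSON, so you can inspect it before anything touches the vault.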
Adding new certificate contacts
Use the following commands if you want to add a contact to the specified vault to receive notifications of certificate operations.
Get a full list of contacts for your key vault:
az keyvault certificate contact list --vault-name "vaultname"
Add the new contact:
az keyvault certificate contact add --email [email protected] --vault-name "allen-kv1" --name "Allen Visser" --phone "+2782 000 000"
Verify the full list of contacts added to your key vault:
I hope this article simplified the configuration of updating your certificate's validity period, auto-rotation frequency, email notification contacts and CA attributes.
Cloud & Infrastructure Architect | Hybrid & Multi-Cloud
1 month ago: Awesome useful tips
Security Architecture | Security Governance | Azure | Microsoft Defender | Sentinel SIEM
1 month ago: Very helpful