Certificate Management in Azure and GCP: A Brief Look

Certificates play a crucial role in securing communication with, and controlling access to, (web) services. All leading clouds offer a service for creating, managing, and deploying certificates; Azure Key Vault and Google Certificate Manager are prominent examples. Certificates themselves are nothing new, and most large organizations have run a PKI for years, but the cloud providers' features and products still differ.

Certificates in Azure Key Vaults

Azure Key Vault is Microsoft's cloud-native service for managing keys, secrets, and certificates, as illustrated in Figure 1 (A). Users can either create certificates directly in Azure or upload certificates generated elsewhere (B).


Figure 1: Adding certificates to an Azure Key Vault

When engineers decide to generate a certificate within Azure, they can choose from three options (C):

  • Self-signed certificates. Key Vault generates the key pair and signs the certificate itself, without any Certificate Authority (CA) involved, so only parties that explicitly trust that certificate will accept it. Engineers can configure automatic renewal to avoid outages caused by expired certificates (D).
  • Certificates from integrated CAs. These are issued by external Certification Authorities with which Key Vault has a built-in integration; currently these are organization-validated certificates from DigiCert and GlobalSign. Microsoft does not act as the CA. Instead, Key Vault generates the key pair, handles the enrollment with the external CA, and, thanks to the tight integration, renews the certificate automatically.
  • Certificates from non-integrated CAs. Key Vault can also manage certificates from CAs without such an integration: it creates the key pair and a certificate signing request (CSR), the engineer submits the CSR to the CA and merges the signed certificate back into the vault. Key Vault warns before such certificates expire but cannot renew them automatically.
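The three issuance options above, as an added example with the Azure CLI (this is not code from the article; vault, certificate, issuer and domain names such as `kv-example` and `app.example.com` are placeholders). The policy JSON is what `az keyvault certificate create` consumes: the issuer name selects the option, and the lifetime action decides whether Key Vault renews or only warns. `DRY_RUN=1` prints the `az` calls instead of executing them, which is also how you review the calls before running them against a real vault.

```shell
#!/usr/bin/env sh
# Added example (not from the article): create Key Vault certificates for the
# three issuance options with the Azure CLI. Vault, certificate, issuer and
# domain names are placeholders. DRY_RUN=1 prints the az calls instead of
# running them.
set -eu

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s ' "$@"; printf '\n'; else "$@"; fi
}

# Emit a Key Vault certificate policy as JSON.
#   issuer: "Self" (self-signed), the name of a registered issuer (integrated
#           CA), or "Unknown" (non-integrated CA: Key Vault only produces a CSR).
#   action: "AutoRenew" or "EmailContacts"; an "Unknown" issuer cannot be
#           auto-renewed, so it only gets the expiry warning.
kv_policy() {                                # subject-cn issuer action [days-before-expiry]
  cat <<EOF
{
  "issuerParameters": { "name": "$2" },
  "keyProperties": { "exportable": true, "keyType": "RSA", "keySize": 2048, "reuseKey": false },
  "secretProperties": { "contentType": "application/x-pkcs12" },
  "lifetimeActions": [
    { "trigger": { "daysBeforeExpiry": ${4:-30} }, "action": { "actionType": "$3" } }
  ],
  "x509CertificateProperties": {
    "subject": "CN=$1",
    "subjectAlternativeNames": { "dnsNames": [ "$1" ] },
    "keyUsage": [ "digitalSignature", "keyEncipherment" ],
    "validityInMonths": 12
  }
}
EOF
}

kv_create() {                                # vault cert-name policy-json
  policy=$(mktemp)
  printf '%s\n' "$3" > "$policy"
  run az keyvault certificate create --vault-name "$1" --name "$2" --policy "@$policy"
}

# Option 1: self-signed, renewed by Key Vault 30 days before expiry.
kv_create_self_signed() {                    # vault cert-name subject-cn
  kv_create "$1" "$2" "$(kv_policy "$3" Self AutoRenew 30)"
}

# Option 2: integrated CA. Register the issuer once with the credentials of
# your DigiCert/GlobalSign account, then reference it by name in the policy;
# Key Vault performs enrollment and renewal against the CA.
kv_register_issuer() {                       # vault issuer-name provider(DigiCert|GlobalSign) account-id api-key
  run az keyvault certificate issuer create --vault-name "$1" --issuer-name "$2" \
      --provider-name "$3" --account-id "$4" --password "$5"
}
kv_create_from_integrated_ca() {             # vault cert-name subject-cn issuer-name
  kv_create "$1" "$2" "$(kv_policy "$3" "$4" AutoRenew 30)"
}

# Option 3: non-integrated CA. Key Vault creates the key pair and a CSR; you
# submit the CSR to the CA out of band and merge the signed certificate back.
# Renewal is manual, so the policy only triggers an e-mail to the vault contacts.
kv_create_csr_for_external_ca() {            # vault cert-name subject-cn
  kv_create "$1" "$2" "$(kv_policy "$3" Unknown EmailContacts 30)"
  run az keyvault certificate pending show --vault-name "$1" --name "$2" --query csr -o tsv
}
kv_merge_signed_cert() {                     # vault cert-name signed-cert.cer
  run az keyvault certificate pending merge --vault-name "$1" --name "$2" --file "$3"
}

# Usage: sh kv-certs.sh demo   (prints the calls of the self-signed and CSR flows)
if [ "${1:-}" = "demo" ]; then
  DRY_RUN=1
  kv_create_self_signed kv-example web-cert app.example.com
  kv_create_csr_for_external_ca kv-example web-extca app.example.com
fi
```

The `EmailContacts` action only notifies addresses that were registered on the vault beforehand with `az keyvault certificate contact add`; without a contact, a non-integrated certificate expires silently. Keep the private key non-exportable (`"exportable": false`) where the consuming service can use a vault reference instead of a downloaded PFX.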

In summary, the key benefits for cloud customers are:

  • Transparency: Clear visibility into all certificates the organization keeps in the vault, including their issuers and expiry dates.
  • Usability: Tight integration with Azure services simplifies the generation, deployment, and management of certificates.
  • Operational Risk Reduction: Features like expiration warnings and auto-renewal minimize the risk of expired certificates causing failed TLS handshakes, failed authentications, and crashing applications.

However, these benefits apply in full only if all resources and workloads run on Azure and are managed through Azure. In a multi-cloud setup, organizations must decide whether they want a central certificate and key management or, for example, rely on each cloud provider's service for the part of the workload running there.

Example Use Case: Certificates & Azure App Service

A notable consumer of Azure Key Vault certificates is Azure App Service, a cloud service that streamlines application hosting by providing Azure-managed runtime environments, letting engineers focus on application code. Verifying identities is a vital security task when these applications communicate with external services, and App Service helps developers keep certificates and their management separate from the application code and its business logic.

In the Azure Portal, App Service has three certificate-related features (Figure 2):

  1. Managed certificates: Microsoft handles creating, validating, and renewing domain-validated certificates (A).
  2. Imported certificates: Engineers upload externally generated certificates, including their private key, or reference certificates stored in Azure Key Vault (B). These are typically server certificates that establish trust between the application and its users, i.e., they terminate TLS for the app's hostname.
  3. Public key certificates: Certificates that contain only a public key and no private key (C). Because the private key is absent, such a certificate cannot prove the app's own identity; it serves to trust or verify other parties, for example to validate the certificate presented by an external service. When App Service must authenticate itself to another service with a client certificate, that certificate, together with its private key, is imported as in (2) and made available to the application code.

Interestingly, although Azure has the Key Vault service, App Service comes with its own additional certificate management features.

Figure 2: Certificates in/for Azure App Services
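Wiring a Key Vault certificate into an App Service app, as an added example with the Azure CLI (not code from the article; resource group, app, vault and certificate names such as `rg-example` and `web-app` are placeholders). The point is the separation the text describes: the app references the certificate by thumbprint, the private key stays in Key Vault and is mounted by the platform, and nothing is copied into the code repository or container image. The `/var/ssl/...` paths are the documented mount locations for Linux App Service and are given here as an assumption about the platform, not as something the article states.

```shell
#!/usr/bin/env sh
# Added example (not from the article): wire a Key Vault certificate into an
# App Service app with the Azure CLI. Resource group, app, vault and
# certificate names are placeholders; DRY_RUN=1 prints the calls.
set -eu

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s ' "$@"; printf '\n'; else "$@"; fi
}

# Import the certificate (feature 2 in the text) from Key Vault instead of
# uploading a .pfx: App Service keeps it in sync with the vault, so a renewal
# in the vault reaches the app without a redeploy. Prints the thumbprint,
# which is the handle App Service uses for the certificate from here on.
appsvc_import_from_keyvault() {              # rg app vault cert-name
  run az webapp config ssl import --resource-group "$1" --name "$2" \
      --key-vault "$3" --key-vault-certificate-name "$4" --query thumbprint -o tsv
}

# Server certificate: bind it to the app's custom hostname for TLS termination.
appsvc_bind_tls() {                          # rg app thumbprint
  run az webapp config ssl bind --resource-group "$1" --name "$2" \
      --certificate-thumbprint "$3" --ssl-type SNI
}

# Client certificate: expose it to the app's code instead of shipping key
# material with the code. WEBSITE_LOAD_CERTIFICATES makes App Service mount the
# certificate; on Linux the private key appears as /var/ssl/private/<THUMBPRINT>.p12
# (assumed mount path) and the public part as /var/ssl/certs/<THUMBPRINT>.der,
# so the application reads the file at runtime and never needs the key in its
# repository or image.
appsvc_expose_to_code() {                    # rg app thumbprint
  run az webapp config appsettings set --resource-group "$1" --name "$2" \
      --settings "WEBSITE_LOAD_CERTIFICATES=$3"
}

# Path the application code should read for a given thumbprint on Linux App
# Service (assumed mount location, see above).
appsvc_private_key_path() { printf '/var/ssl/private/%s.p12\n' "$1"; }

# Usage: sh appsvc-certs.sh demo   (prints the calls for one certificate)
if [ "${1:-}" = "demo" ]; then
  DRY_RUN=1
  appsvc_import_from_keyvault rg-example web-app kv-example web-cert
  appsvc_bind_tls rg-example web-app 0123ABCD
  appsvc_expose_to_code rg-example web-app 0123ABCD
  appsvc_private_key_path 0123ABCD
fi
```

The import only works if the App Service resource provider is allowed to read the vault's secrets; if the import fails, check the vault's access policy or RBAC assignment before anything else. The thumbprint in `WEBSITE_LOAD_CERTIFICATES` changes on every renewal, so code that looks up a certificate should read the setting rather than hard-code a thumbprint.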

Creating Certificates with the Google Certificate Manager

Google Cloud Platform (GCP) supports companies creating and managing certificates through the Certificate Manager service, which supports three main types of certificates:

  • Self-managed certificates (Figure 3, A) are created outside GCP and uploaded to Certificate Manager together with their private key. The customer remains entirely responsible for the certificate's lifecycle, including renewal. A self-managed certificate can be self-signed, domain-validated, organization-validated, or even extended-validation.
  • Google-managed public certificates (B) are domain-validated certificates, similar to those issued by Let's Encrypt. GCP validates domain ownership via DNS authorization or load balancer authorization before the certificate is issued.
  • Google-managed private certificates (C) serve organizations that need their own PKI (Public Key Infrastructure), e.g., for development and test environments. This Google service can eliminate the need for costly on-premises PKI infrastructure or dedicated specialists: customers create their own root CA with a hierarchy of subordinate CAs, or run subordinate CAs in GCP that chain up to an existing external root. GCP's Certificate Authority Service and its CA Pools are the essential building blocks for such a setup.


Figure 3: Certificate creation in GCP

Google-managed certificates are valid for 90 days; Certificate Manager starts the automatic renewal 30 days before expiration.

Use Case: Certificates for GCP Load Balancer

A common use case for GCP certificates is securing traffic to application-layer load balancers. When configuring such a load balancer with HTTPS instead of unencrypted HTTP (Figure 4, 1), GCP expects a valid certificate for the frontend (2).


Figure 4: Setting up an application layer load balancer in GCP.
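The three Certificate Manager certificate types described above and the load balancer use case, as one added example with `gcloud` (not code from the article). Certificate, map, proxy and CA names, the domain `app.example.com`, the project `example-project` and the region are placeholders, and the private CA part (C) assumes a CA Service pool and root that the script creates itself. `DRY_RUN=1` prints the calls instead of running them.

```shell
#!/usr/bin/env sh
# Added example (not from the article): gcloud calls for the three Certificate
# Manager certificate types and for attaching one to an external Application
# Load Balancer. Names, domain, region and project are placeholders;
# DRY_RUN=1 prints the calls instead of running them.
set -eu

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s ' "$@"; printf '\n'; else "$@"; fi
}

# (A) Self-managed: key pair and certificate come from outside GCP, so the
#     customer owns renewal and must upload a fresh certificate in time.
cm_upload_self_managed() {                   # cert-name cert.pem key.pem
  run gcloud certificate-manager certificates create "$1" \
      --certificate-file="$2" --private-key-file="$3"
}

# (B) Google-managed public (DV) certificate using DNS authorization.
#     The describe call prints the CNAME record to publish under the domain;
#     issuance stays pending until Google sees it. Renewal is then automatic.
cm_request_google_managed() {                # cert-name domain
  run gcloud certificate-manager dns-authorizations create "$1-auth" --domain="$2"
  run gcloud certificate-manager dns-authorizations describe "$1-auth" \
      --format="value(dnsResourceRecord.name,dnsResourceRecord.data)"
  run gcloud certificate-manager certificates create "$1" \
      --domains="$2" --dns-authorizations="$1-auth"
}

# (C) Google-managed private certificate: a CA pool with your own root in
#     CA Service, an issuance config pointing at the pool, and certificates
#     issued from it for internal hostnames. Browsers do not trust this root;
#     distribute it to your own clients only. Pool, root and project names
#     are placeholders.
cm_request_private_ca_cert() {               # cert-name internal-hostname region
  run gcloud privateca pools create internal-pool --location="$3" --tier=enterprise
  run gcloud privateca roots create internal-root --pool=internal-pool --location="$3" \
      --subject="CN=Example Internal Root CA, O=Example Corp"
  run gcloud certificate-manager issuance-configs create internal-issuance \
      --ca-pool="projects/example-project/locations/$3/caPools/internal-pool"
  run gcloud certificate-manager certificates create "$1" \
      --domains="$2" --issuance-config=internal-issuance
}

# Attach to a load balancer: certificate map -> entry per hostname -> HTTPS
# proxy. The proxy serves the map entry whose hostname matches the client's SNI.
cm_attach_to_lb() {                          # cert-name hostname https-proxy-name
  run gcloud certificate-manager maps create "$1-map"
  run gcloud certificate-manager maps entries create "$1-entry" \
      --map="$1-map" --certificates="$1" --hostname="$2"
  run gcloud compute target-https-proxies update "$3" --certificate-map="$1-map"
}

# Usage: sh gcp-certs.sh demo   (prints the calls for a DV certificate on a LB)
if [ "${1:-}" = "demo" ]; then
  DRY_RUN=1
  cm_request_google_managed web-cert app.example.com
  cm_attach_to_lb web-cert app.example.com web-https-proxy
fi
```

For (B), check the certificate's state with `gcloud certificate-manager certificates describe web-cert` after publishing the CNAME; it stays in a provisioning state until the DNS authorization is verified, and the load balancer will not serve the hostname before that. For (A), the 90-day auto-renewal of the Google-managed types does not apply, so an expiry alert on the uploaded certificate is the customer's responsibility.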

Key Takeaway

Azure, AWS, and GCP are largely interchangeable for VM workloads, thanks to the standardization of Linux and Windows VMs. The differences become more pronounced with cloud-native services, such as those related to certificates. While these services offer significant advantages, managing them consistently in a multi-cloud environment presents practical challenges: each provider has distinct features, which makes establishing and enforcing uniform guidelines across platforms difficult.

This brings IT departments to a critical crossroads:

  • Should they adopt a third-party PKI certificate management solution for all cloud environments?
  • Should they choose one cloud provider’s solution for managing certificates for their workload in all clouds?
  • Should the workload in each cloud rely on the cloud-native certificate management solution of the particular cloud the workload runs on?

Understanding an organization's specific requirements and long-term objectives is necessary to navigate this decision effectively and to ensure that the chosen architecture supports both current needs and strategic long-term goals.

More articles by Klaus Haller:

  • A Short Intro to Logging in the Cloud
  • Security Architects & Cloud Backup Strategies
  • Is Workload Security Overrated?
  • DeepSeek - Shaking Up the AI Marketplace Without Redefining AI
  • RedHat Connect 2025 Dübendorf: Containers, Automation, and AI
  • My Top-3 2024 Security Articles
  • Securing AI: What the OWASP LLM Top 10 Gets Right – and What It Misses
  • X.509 and the World of Certificates
  • GCP Security Center & PaaS
  • Offline Capabilities for Cloud Applications