Forum Discussion

miksingh
Copper Contributor
Feb 02, 2021

Azure - Certificate Authority

Hi, 

I was looking for any documentation on how Azure Key Vault can be integrated into an internal CA?

I have read information on KV being integrated with 3rd party issuers, such as DigiCert, but I was wondering how to do this with a traditional Windows Server running as a CA?

5 Replies

  • CutlerTS
    Brass Contributor
    I am wanting to get rid of my Windows Active Directory services and go all in with Microsoft 365/Azure. However, I have a need to generate certificates, which implies Windows Active Directory Certificate Service. I don't see such a CA within Azure that we can make use of for generating certificates, e.g., host.company.local. Hopefully someone is still reading this and can point me to the right place.
  • ibnmbodji
    Iron Contributor

    miksingh 

    Hi, actually this feature is not supported, but you can vote for Active Directory Certificate Service as external CA Provider – Customer Feedback for ACE Community Tooling (azure.com)

    It's also possible to generate a new certificate from a key vault by using the option 

    Certificate issued by a non integrated CA 

    At the end of the process you can download the certificate signing request. Then you can submit the CSR. The process to sign and save the file is described below: 

    Sign the CSR with Microsoft Certificate Services (akamai.com)

    • michaeladams
      Copper Contributor
      I went to upvote this because I was wondering the same thing and can think of a variety of scenarios where having an Active Directory CA Provider integrated with Key Vault for automatic Cert Rotation would be valuable for my business... as a variety of solutions we are planning for will be "internal only" applications/services.

      Apparently this feedback site is no longer accessible? So where would we go to support the idea as a feature request/enhancement?
  • cstainie
    Copper Contributor
    Hi,

    You can generate your CSR in Key Vault and get them signed by an internal CA; that's a scenario I can confirm is working. It's not automatically signed like you would have with Digicert, but it works.

    Keep in mind your Certificate Revocation List and CA might not be accessible from other Azure services. You could get some warnings on the certificate validity.

    Hope it helps!
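The manual workflow cstainie confirms (CSR generated inside Key Vault, signed by an on-premises AD CS CA, signed certificate merged back), written out as an added PowerShell example. This is not code from the thread or from Microsoft; the vault name, certificate name, CA config string and template name are assumed placeholders.

```powershell
# Added example: issue a Key Vault certificate from an internal AD CS CA.
# Assumptions (placeholders, not from the thread): vault, cert name, CA config
# string and template name. Requires the Az.KeyVault module and certreq.exe
# on a domain-joined machine whose account may enroll on the template.
$VaultName = 'kv-example'
$CertName  = 'host-company-local'
$CaConfig  = 'CA01.company.local\Company Issuing CA'   # see: certutil -dump
$Template  = 'WebServer'

# 1. Policy with IssuerName 'Unknown', i.e. "certificate issued by a non-integrated CA".
#    The key pair is generated inside Key Vault and is never exported.
$policy = New-AzKeyVaultCertificatePolicy `
    -SubjectName 'CN=host.company.local' `
    -DnsName 'host.company.local' `
    -IssuerName Unknown `
    -KeyType RSA -KeySize 2048 `
    -ValidityInMonths 12 `
    -KeyNotExportable

Add-AzKeyVaultCertificate -VaultName $VaultName -Name $CertName -CertificatePolicy $policy | Out-Null

# 2. Download the pending CSR. Key Vault returns bare base64; certreq expects PEM armour.
$op  = Get-AzKeyVaultCertificateOperation -VaultName $VaultName -Name $CertName
$pem = "-----BEGIN CERTIFICATE REQUEST-----`n$($op.CertificateSigningRequest)`n-----END CERTIFICATE REQUEST-----"
Set-Content -Path "$CertName.csr" -Value $pem -Encoding ascii

# 3. Submit the CSR to the Windows CA. This is the manual step: unlike the DigiCert
#    integration, nothing in Key Vault will repeat it at renewal time.
certreq -submit -config $CaConfig -attrib "CertificateTemplate:$Template" "$CertName.csr" "$CertName.cer"
if ($LASTEXITCODE -ne 0) { throw "certreq returned no certificate (error, or request pending CA manager approval)" }

# 4. Merge the signed certificate into the pending operation. Key Vault pairs it with
#    the key it already holds, so the private key still never leaves the vault.
Import-AzKeyVaultCertificate -VaultName $VaultName -Name $CertName -FilePath "$CertName.cer" | Out-Null

# 5. Sanity check: the issuer should now be the internal CA, not a self-signed subject.
$cert = Get-AzKeyVaultCertificate -VaultName $VaultName -Name $CertName
$cert.Certificate.Issuer

# Caveat raised in the thread: any Azure service validating this certificate must be
# able to reach the CA's AIA and CRL distribution points; an AD-only CDP produces
# revocation-check warnings, so publish them on an HTTP endpoint those services can reach.
```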
  • Dipesh Arora
    Copper Contributor

    miksingh can you describe your use case in detail?

    Are you just talking about generating new certs and storing them in key vault or managing their lifecycle, renewals, etc.?

    Also, where do you intend to use these self-signed certs?
