Peter Holland
Feb 28, 2023, Iron Contributor
Active Directory Certificate Services with Azure Key Vault Virtual HSM
Hi all (and I hope also Microsoft folk in the security and AD CS arenas), With Azure adoption etc. and the GA a while ago of Azure Key Vault virtual HSM it seems to me that it would make a signific...
krestfield
Mar 14, 2023, Copper Contributor
I don’t think there is a CNG/KSP provider to the Azure Key Vault, so AD CA cannot use this directly. This is a problem we had and ended up using AWS Cloud HSMs for our cloud-based key stores.
It must be a conscious decision on Microsoft’s part, as you also have the ability to utilise a managed HSM under Key Vault, which makes use of the Marvell Liquid Security HSMs. These are the same as AWS Cloud HSM use, but AWS expose the direct HSM interfaces; Microsoft don’t seem to. I guess Microsoft want to migrate certificate services into Key Vault or other services in Azure and leave AD CS to on-prem.
Azure does offer a dedicated HSM (which are Thales Luna HSMs). These HSMs can be used with AD CS but, as far as I recall, this option is fairly costly.
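The reply above turns on which key storage provider (KSP) the CA key actually lives in. As an added example, not posted by anyone in this thread, the following PowerShell reports the provider configured for the active CA and the KSPs installed on the server, so an administrator can confirm whether the CA key is in a software KSP or a hardware-backed one. It assumes it runs on the CA server with local administrator rights; the registry paths are the standard AD CS `CertSvc\Configuration` keys, and the list of provider names treated as "software" is an assumption to be adjusted to the environment.

```powershell
# Added example, not from the thread. Assumes execution on the CA server as a
# local administrator. Provider names in $softwareProviders are an assumption:
# extend the list for any other software-only providers present in your estate.

$softwareProviders = @(
    'Microsoft Software Key Storage Provider',
    'Microsoft Strong Cryptographic Provider',
    'Microsoft Enhanced RSA and AES Cryptographic Provider'
)

function Get-CaKeyProvider {
    # AD CS records the active CA name and its provider settings under CertSvc\Configuration.
    $base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $active = (Get-ItemProperty -Path $base -Name Active -ErrorAction Stop).Active
    $csp    = Get-ItemProperty -Path (Join-Path $base "$active\CSP") -ErrorAction Stop

    [pscustomobject]@{
        CaName     = $active
        Provider   = $csp.Provider
        # CNGHashAlgorithm / CNGPublicKeyAlgorithm are only populated for CNG (KSP) based CAs.
        IsCng      = -not [string]::IsNullOrEmpty($csp.CNGPublicKeyAlgorithm)
        HashAlg    = $csp.CNGHashAlgorithm
        IsSoftware = $softwareProviders -contains $csp.Provider
    }
}

function Get-InstalledKsp {
    # certutil -csplist prints one "Provider Name: <name>" line per installed CSP/KSP.
    certutil -csplist 2>$null |
        Where-Object { $_ -match '^\s*Provider Name:\s*(.+)$' } |
        ForEach-Object { $Matches[1].Trim() } |
        Sort-Object -Unique
}

$ca = Get-CaKeyProvider
Write-Host "CA:        $($ca.CaName)"
Write-Host "Provider:  $($ca.Provider)"
Write-Host "CNG/KSP:   $($ca.IsCng)   Hash: $($ca.HashAlg)"

if ($ca.IsSoftware) {
    Write-Warning 'CA private key is held by a software provider, not a hardware-backed KSP.'
} else {
    Write-Host 'CA private key provider is not in the software list; verify it is the intended HSM KSP.'
}

Write-Host "`nInstalled providers on this host:"
Get-InstalledKsp | ForEach-Object { Write-Host "  $_" }
```

Run it once after building or migrating a CA and again as part of periodic configuration review; a CA whose `Provider` value is a software KSP has its signing key protected only by DPAPI on that host, which is exactly the exposure the HSM options discussed above are meant to remove.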