Azure - Certificate Authority

Occasional Contributor


I was looking for any documentation on how Azure Key Vault can be integrated into an internal CA?

I have read information on KV being integrated with 3rd party issues, such as DigiCert, but I was wondering how to do this with a traditional Windows Server running as a CA?

5 Replies

@miksingh can you describe your use case in detail?


Are you just talking about generating new certs and storing them in key vault or managing their lifecycle, renewals, etc.?

Also, where do you intend to use these self-signed certs?


You can generate your CSR in Key Vault and get them signed by an internal CA, that's a scenario I can confirm is working. It's not automatically signed like you would have with Digicert, it it works.

Keep in mind your Certificate Revocation List and CA might not be accessible from other Azure services. You could get some warnings on the certificate validity.

Hope it helps!



Hi actually this feature is not supported but you can vote Active Directory Certificate Service as external CA Provider – Customer Feedback for ACE Community T...


It's possible also to generate a new certificate from a key vault  by using the option 

Certificate issued by a non integrated CA 

At the end of the process you can download the certificate signing request .Then you can submit the CSR . The process to sign and save the file is described below: 

Sign the CSR with Microsoft Certificate Services (




I went to upvote this because I was wondering the same thing and can think of a variety of scenarios where having an Active Directory CA Provider integrated with Key Vault for automatic Cert Rotation would be valuable for my a variety of solutions we are planning for will be "internal only" applications/services.

Apparently this feedback site is no longer accessible? So where would we go to support the idea as a feature request/enhancement?
I am wanting to get rid of my Windows Active Directory services and go all in with Microsoft 365/Azure. However, I have a need to generate certificates, which implies Windows Active Directory Certificate Service. I don't see such CA within Azure that we can make use for generating certificates, e.g., Hopefully someone is still reading this and can point me to the right place.