Manage Certificates on your Hybrid Servers using Azure Arc Key Vault Extension
Published Feb 17 2021 02:47 AM
Microsoft

Managing certificates is an important part of server management. You want to be able to roll out certificates to your servers and manage them from a central place. In a pure on-premises environment this has typically been done with Group Policies (GPOs). But what if you run a hybrid cloud environment, where machines are not only in your own datacenter but also at edge locations or even at other cloud providers, and in some cases are not even domain-joined? This is where Azure Arc can help. Azure Arc enabled servers lets you manage your Linux and Windows servers directly from the Azure control plane, and with the new Azure Arc Key Vault extension you can also manage certificates on these machines.


Since Azure Arc enabled Servers have a managed identity, you can use that managed identity not just for your applications, but also for extensions and accessing Azure Key Vault.


Instead of individually copying the certificate to each machine, the PKI admin just has to upload or generate certificates in a Key Vault and configure which servers are allowed to download them. Then, the server admin deploys the Azure Key Vault extension to their servers (the same extension works for both Azure and Arc enabled servers) and specifies which certificates should be installed on the server, and how frequently the server should check for updates. From there, the extension takes care of the rest. It uses the unique managed identity assigned to every Arc enabled server to authenticate to Azure Key Vault and download the certificates. When it comes time to renew a certificate, the PKI admin only needs to update the copy in Key Vault. The extension will take care of downloading it to each server automatically.


Azure Arc Enabled Server Key Vault Extension

Getting started with the Azure Key Vault extension for Arc enabled servers

This extension is currently in preview, and you can find more information about it in the announcement blog post by Ryan Puffer (Program Manager for Azure Arc enabled servers).


Prerequisites 

To get started, you will need the following:

  • An Azure Arc enabled server running supported versions of Linux or Windows server. You can follow these simple steps to add a server to Azure Arc.
  • An Azure Key Vault with at least one certificate. If you want to quickly create a certificate in Azure Key Vault, check out the following tutorial on Microsoft Docs.
    Certificate in Azure Key Vault

  • To deploy the extension you will need the Azure Connected Machine PowerShell module (Az.ConnectedMachine) which you can run and install on your local admin machine or in Azure Cloud Shell by using the following command:
    Install-Module Az.ConnectedMachine


Set up and deploy the Key Vault extension to Azure Arc


Grant the Arc enabled server's system-assigned managed identity access to the Key Vault.

You can configure permissions on your vault by opening it in the Azure Portal, clicking Access policies in the navigation pane, and then Add Access Policy. In the Secret permissions drop-down, tick the boxes for Get and List. Then, next to Select principal, click None selected to open the Azure AD object picker. Search for your Arc enabled server by its name, click it, then click Select. Click Add to finish configuring the Arc enabled server's permissions, then click Save to commit the change.


If you're using the Azure Key Vault RBAC, grant the Arc enabled server the Key Vault Secrets User role in Access control (IAM) for the vault.
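
The same grant can be scripted. The following is an added example and not code from the original post; it assumes the Az.Accounts, Az.KeyVault, Az.Resources and Az.ConnectedMachine modules are installed, that Connect-AzAccount has already been run, and that the Arc machine object exposes its managed identity's object ID as the flattened IdentityPrincipalId property (an assumption about the Az.ConnectedMachine output). The resource group, machine and vault names are placeholders.

```powershell
# Added example (not from the original post): grant an Arc enabled server's
# system-assigned managed identity read access to secrets in a Key Vault.
# Placeholder values, replace with your own.
$ResourceGroup  = "ARC_SERVER_RG_NAME"
$ArcMachineName = "ARC_SERVER_NAME"
$VaultName      = "YOURVAULTNAME"
$UseRbac        = $false   # $true if the vault uses Azure RBAC instead of access policies

# Look up the Arc machine. IdentityPrincipalId (assumed property name) is the
# object ID of its system-assigned managed identity.
$machine     = Get-AzConnectedMachine -ResourceGroupName $ResourceGroup -Name $ArcMachineName
$principalId = $machine.IdentityPrincipalId
if (-not $principalId) {
    throw "Arc machine '$ArcMachineName' has no system-assigned managed identity."
}

$vault = Get-AzKeyVault -VaultName $VaultName

if ($UseRbac) {
    # RBAC-enabled vault: 'Key Vault Secrets User' is enough, because the
    # extension downloads certificates through the vault's /secrets/ endpoint.
    New-AzRoleAssignment -ObjectId $principalId `
        -RoleDefinitionName "Key Vault Secrets User" `
        -Scope $vault.ResourceId
} else {
    # Access-policy vault: only Get and List on secrets, nothing more.
    # Note: this replaces any existing policy entry for the same principal.
    Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $principalId `
        -PermissionsToSecrets get, list
}

# Show what was granted so the change can be reviewed.
if ($UseRbac) {
    Get-AzRoleAssignment -ObjectId $principalId -Scope $vault.ResourceId |
        Select-Object RoleDefinitionName, Scope
} else {
    (Get-AzKeyVault -VaultName $VaultName).AccessPolicies |
        Where-Object ObjectId -eq $principalId |
        Select-Object ObjectId, PermissionsToSecrets
}
```

Keeping the grant to Get and List on secrets (or the Key Vault Secrets User role) is deliberate: the server only needs to read the certificates it observes, and a wider grant on keys or certificates would let the machine's identity do more than the extension requires.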


Deploy the Azure Arc Key Vault extension

Now you can deploy the extension to the server. For that run this command on your admin workstation with Azure PowerShell or Azure Cloud Shell and the Az.ConnectedMachine module installed.

$Settings = @{
  secretsManagementSettings = @{
    observedCertificates = @(
      "https://YOURVAULTNAME.vault.azure.net/secrets/YOURCERTIFICATENAME"
      # Add more certificate URLs here, one per line
    )
    certificateStoreLocation = "LocalMachine"
    certificateStoreName = "My"
    pollingIntervalInS = "3600" # every hour
  }
  authenticationSettings = @{
    # Don't change this line, it's required for Arc enabled servers
    msiEndpoint = "http://localhost:40342/metadata/identity"
  }
}

$ResourceGroup = "ARC_SERVER_RG_NAME"
$ArcMachineName = "ARC_SERVER_NAME"
$Location = "ARC_SERVER_LOCATION (e.g. eastus2)"

New-AzConnectedMachineExtension -ResourceGroupName $ResourceGroup -MachineName $ArcMachineName -Name "KeyVaultForWindows" -Location $Location -Publisher "Microsoft.Azure.KeyVault" -ExtensionType "KeyVaultForWindows" -Setting (ConvertTo-Json $Settings)

In my case this looked something like this:

$Settings = @{
  secretsManagementSettings = @{
    observedCertificates = @(
      "https://toms-awesomearc-keyvault.vault.azure.net/secrets/TomsAwesomeCert"
      # Add more certificate URLs here, one per line
    )
    certificateStoreLocation = "LocalMachine"
    certificateStoreName = "My"
    pollingIntervalInS = "3600" # every hour
  }
  authenticationSettings = @{
    # Don't change this line, it's required for Arc enabled servers
    msiEndpoint = "http://localhost:40342/metadata/identity"
  }
}

$ResourceGroup = "toms-azurearcservers-rg"
$ArcMachineName = "TOMSVM"
$Location = "westeurope"

New-AzConnectedMachineExtension -ResourceGroupName $ResourceGroup -MachineName $ArcMachineName -Name "KeyVaultForWindows" -Location $Location -Publisher "Microsoft.Azure.KeyVault" -ExtensionType "KeyVaultForWindows" -Setting (ConvertTo-Json $Settings)

When the extension has finished installing you should see your certificate on your Azure Arc enabled server.


Certificate on local machine deployed by Azure Arc Key Vault extension


For Linux machines you can run the following to deploy the extension:

$Settings = @{
  secretsManagementSettings = @{
    observedCertificates = @(
      "https://YOURVAULTNAME.vault.azure.net/secrets/YOURCERTIFICATENAME"
      # Add more certificate URLs here, one per line
    )
    # The cert store location is optional, the default path is shown below
    # certificateStoreLocation = "/var/lib/waagent/Microsoft.Azure.KeyVault.Store/"
    pollingIntervalInS = "3600" # every hour
  }
  authenticationSettings = @{
    msiEndpoint = "http://localhost:40342/metadata/identity"
  }
}

$ResourceGroup = "ARC_SERVER_RESOURCE_GROUP_NAME"
$ArcMachineName = "ARC_SERVER_NAME"
$Location = "ARC_SERVER_LOCATION (e.g. eastus2)"

New-AzConnectedMachineExtension -ResourceGroupName $ResourceGroup -MachineName $ArcMachineName -Name "KeyVaultForLinux" -Location $Location -Publisher "Microsoft.Azure.KeyVault" -ExtensionType "KeyVaultForLinux" -Setting (ConvertTo-Json $Settings)
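
Once either the Windows or the Linux deployment above has run, you will want to confirm that the extension actually provisioned and that the certificate arrived. The following is an added example and not code from the original post; it assumes the same Az.ConnectedMachine module, placeholder names for the resource group, machine and certificate subject, and that the extension object returned by Get-AzConnectedMachineExtension carries a ProvisioningState property. The first function runs from the admin workstation or Cloud Shell for both Windows and Linux servers; the second runs on the Windows server itself.

```powershell
# Added example (not from the original post): verify the Key Vault extension
# deployment from the control plane, then inspect the certificate on a Windows server.
# Placeholder values, replace with your own.
$ResourceGroup  = "ARC_SERVER_RG_NAME"
$ArcMachineName = "ARC_SERVER_NAME"
$ExtensionName  = "KeyVaultForWindows"       # or "KeyVaultForLinux"
$CertSubject    = "CN=YOURCERTIFICATENAME"   # subject you expect to see on the server

# Runs from the admin workstation / Cloud Shell (Windows or Linux target).
# Anything other than 'Succeeded' usually means the managed identity lacks
# permission on the vault or an observedCertificates URL is wrong.
function Test-ArcKeyVaultExtension {
    param([string]$Rg, [string]$Machine, [string]$Name)

    $ext = Get-AzConnectedMachineExtension -ResourceGroupName $Rg `
        -MachineName $Machine -Name $Name
    "{0}: {1}" -f $ext.Name, $ext.ProvisioningState
    if ($ext.ProvisioningState -ne "Succeeded") {
        Write-Warning "Extension not ready; re-check vault permissions and observedCertificates URLs."
    }
    return ($ext.ProvisioningState -eq "Succeeded")
}

# Runs on the Windows server. The extension writes into LocalMachine\My as
# configured above; thumbprint and NotAfter let you confirm that a renewed
# certificate was picked up after the polling interval elapsed.
function Get-DeployedCertificate {
    param([string]$Subject)

    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object Subject -eq $Subject |
        Select-Object Subject, Thumbprint, NotBefore, NotAfter, HasPrivateKey
}

# Usage (each on the machine it applies to):
Test-ArcKeyVaultExtension -Rg $ResourceGroup -Machine $ArcMachineName -Name $ExtensionName
Get-DeployedCertificate -Subject $CertSubject | Format-Table -AutoSize
```

On Linux there is no certificate store to query; the files land in the path shown in the commented certificateStoreLocation line above (by default /var/lib/waagent/Microsoft.Azure.KeyVault.Store/), so the first function is the check that applies to both platforms.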

Conclusion

Azure Arc enabled servers is a great way to manage your servers in a hybrid and multi-cloud environment. With the new Key Vault extension (preview), Azure Arc makes it easy to manage certificates on your servers in a secure way, wherever they are deployed.


If you want to learn more check out the following links:


You can also watch the ITOps Talks All Things Hybrid episode, where I had the chance to talk with Ryan about Azure Arc enabled servers.

If you have any questions feel free to leave a comment.
