After creating your DigiCert CertCentral API key and gathering your Organization ID and CertCentral Account ID, you can begin ordering DigiCert SSL/TLS certificates from your Azure Key Vault account.
To order your certificates, use Azure PowerShell version 2.1.0. If you don’t have this version of PowerShell, you can access it here: https://github.com/Azure/azure-powershell/releases/tag/v2.1.0-September2016.
If you run into problems while running these Azure PowerShell commands, please contact your Microsoft account representative.
The Azure Key Vault to CertCentral integration only supports ordering SSL/TLS certificates.
The variables in these instructions have been assigned sample values for use as reference. Please change the values appropriately.
Open a new PowerShell window and run this command to log in to your Azure Key Vault account.
Login-AzureRMAccount
If you already have a resource group you can use, you don't need to create a new one.
Define $resourceGroupName and $resourceGroupLocation variables
Run these commands to define your variables.
$resourceGroupName = "myResourceGroup"
$resourceGroupLocation = "West Us"
Create resource group
Using the defined variables, run this command to create the resource group.
New-AzureRMResourceGroup -Name $resourceGroupName -Location $resourceGroupLocation
If you already have a vault you can use, you don't need to create a new one.
Define $vaultName and $vaultLocation variables
Run these commands to define your variables.
$vaultName = "myVaultName"
$vaultLocation = "West Us"
Create vault
Using the defined variables, run this command to create the vault.
New-AzureRmKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroupName -Location $vaultLocation -Sku Premium
Run the command below to create an organization for the issuer. This command also creates a $org variable to use in other commands later.
$org = New-AzureKeyVaultCertificateOrganizationDetails -Id OrganizationIDfromDigiCertAccount
Run this command to create and define the $secureApiKey variable.
$secureApiKey = ConvertTo-SecureString "DigiCertCertCentralAPIKey" -AsPlainText -Force
This step creates the connection between your Azure Key Vault account and your DigiCert CertCentral account.
Define $accountId and $issuerName variables
Run these commands to define your variables.
$accountId = "myDigiCertCertCentralAccountID"
$issuerName = "MyIssuerName"
Create issuer
Using the defined variables, run this command to create an issuer.
Set-AzureKeyVaultCertificateIssuer -VaultName $vaultName -IssuerName $issuerName -IssuerProvider DigiCert -AccountId $accountId -ApiKey $secureApiKey -OrganizationDetails $org
Using the defined variables, run the command below to create a policy. This command also creates a $certificatePolicy variable to use in other commands later.
$certificatePolicy = New-AzureKeyVaultCertificatePolicy -SecretContentType application/x-pkcs12 -SubjectName "CN=myCommonName.com" -ValidityInMonths 12 -IssuerName $issuerName -RenewAtNumberOfDaysBeforeExpiry 60
Define $certificateName variable
Run this command to define your variable.
$certificateName = "myCertificateName"
Request your SSL/TLS certificate
Using the defined variables, run this command to request an SSL/TLS certificate.
Add-AzureKeyVaultCertificate -VaultName $vaultName -CertificateName $certificateName -CertificatePolicy $certificatePolicy
Using the defined variables, run the command below to check the status of your certificate request to see if it is "complete".
Get-AzureKeyVaultCertificateOperation -VaultName $vaultName -CertificateName $certificateName
Using the defined variables, run the command below to access your issued SSL/TLS certificate.
Get-AzureKeyVaultCertificate -VaultName $vaultName -CertificateName $certificateName
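The steps above, collected into one script as an added example (this is not DigiCert's or Microsoft's own script). It uses the same AzureRM cmdlets as the page, with placeholder values for the resource group, vault, account ID, Organization ID and names. Two things are added beyond the page: the API key is read interactively as a SecureString rather than written into the script, and the status check is a polling loop that stops when the operation reports "completed" (the page abbreviates this as "complete") or reports an error. The 30-minute timeout and the property names Status and ErrorMessage on the operation object are assumptions to confirm against your module version.

```powershell
# Added example: the full ordering procedure from this page as one script.
# All values below are placeholders; replace them with your own.

# Sign in with the AzureRM 2.1.0 module, as the page does
Login-AzureRmAccount | Out-Null

# Resource group and vault (creation is skipped if they already exist)
$resourceGroupName     = "myResourceGroup"
$resourceGroupLocation = "West US"
$vaultName             = "myVaultName"
$vaultLocation         = "West US"

if (-not (Get-AzureRmResourceGroup -Name $resourceGroupName -ErrorAction SilentlyContinue)) {
    New-AzureRmResourceGroup -Name $resourceGroupName -Location $resourceGroupLocation | Out-Null
}
if (-not (Get-AzureRmKeyVault -VaultName $vaultName -ErrorAction SilentlyContinue)) {
    New-AzureRmKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroupName `
        -Location $vaultLocation -Sku Premium | Out-Null
}

# DigiCert issuer details. The API key is prompted for as a SecureString so it
# never appears in the script file or the shell history.
$accountId    = "myDigiCertCertCentralAccountID"   # placeholder
$orgId        = 123456                              # placeholder Organization ID
$issuerName   = "MyIssuerName"
$secureApiKey = Read-Host -Prompt "DigiCert CertCentral API key" -AsSecureString

$org = New-AzureKeyVaultCertificateOrganizationDetails -Id $orgId
Set-AzureKeyVaultCertificateIssuer -VaultName $vaultName -IssuerName $issuerName `
    -IssuerProvider DigiCert -AccountId $accountId -ApiKey $secureApiKey `
    -OrganizationDetails $org | Out-Null

# Policy and certificate request
$certificateName   = "myCertificateName"
$certificatePolicy = New-AzureKeyVaultCertificatePolicy -SecretContentType "application/x-pkcs12" `
    -SubjectName "CN=myCommonName.com" -ValidityInMonths 12 -IssuerName $issuerName `
    -RenewAtNumberOfDaysBeforeExpiry 60

Add-AzureKeyVaultCertificate -VaultName $vaultName -CertificateName $certificateName `
    -CertificatePolicy $certificatePolicy | Out-Null

# Poll the certificate operation instead of re-running the status command by hand.
# Assumed: Status is "inProgress" while DigiCert is issuing and "completed" once
# done; ErrorMessage is set if the request fails. The 30-minute deadline is arbitrary.
$deadline = (Get-Date).AddMinutes(30)
do {
    Start-Sleep -Seconds 30
    $op = Get-AzureKeyVaultCertificateOperation -VaultName $vaultName -CertificateName $certificateName
    Write-Host ("{0:HH:mm:ss} status: {1}" -f (Get-Date), $op.Status)
} while ($op.Status -eq "inProgress" -and (Get-Date) -lt $deadline)

if ($op.Status -ne "completed") {
    throw "Certificate request did not complete: status=$($op.Status) error=$($op.ErrorMessage)"
}

# Retrieve the issued certificate and show the fields worth checking before
# deploying it: the subject you asked for, the thumbprint, and the expiry date
$cert = Get-AzureKeyVaultCertificate -VaultName $vaultName -CertificateName $certificateName
$cert | Select-Object Name, Thumbprint, Expires, Enabled
$cert.Certificate.Subject
```

Run the script from an Azure PowerShell session that already has the AzureRM.KeyVault module loaded. Because the API key is entered at the prompt, the script can be checked into a repository without carrying a credential; if you need to run it unattended, store the key in Key Vault as a secret and read it with Get-AzureKeyVaultSecret instead of hard-coding it.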