
Azure Key Vault connector

Link DigiCert® Trust Lifecycle Manager to Azure Key Vault to import certificates from, and deliver certificates to, your vaults in the Azure cloud.

Before you begin

  • You need an active DigiCert sensor on your network that can reach both Trust Lifecycle Manager and the Azure tenant with the target key vaults. To learn more, see Deploy and manage sensors.

  • To use a PAM service to store the client secret for authenticating the connection to Azure, you need a secrets manager connector.

  1. Note the Tenant ID of the Azure tenant that contains the key vaults you want to connect to. If the tenant has more than one subscription, note the applicable Subscription ID as well.

  2. Register an application for the Trust Lifecycle Manager integration and note the Application (client) ID.

  3. On the Certificates & secrets page for the registered application, select New client secret to create a secret for accessing the application. Copy and save the secret Value in a secure location; Azure shows the value only once, at creation time. To authenticate through PAM, add the client secret value to your PAM service and note the vault reference where the credentials are stored.

  4. Make sure the key vaults are configured for role-based access control (RBAC). To enable this permission model for a key vault, open the key vault and select Access configuration > Permission model > Azure role-based access control (recommended).

  5. Make sure the registered application is assigned, at minimum, the Key Vault Certificates Officer and Key Vault Secrets User roles on the key vaults:

    • Minimum required scope is Resource group. To assign the access roles at this level in Azure, note the name of the resource group that contains the key vaults and select Resource groups > {Resource group name} > Access control (IAM) > Add > Add role assignment.

    • The access roles can also be assigned with Subscription scope. To assign the access roles at this level in Azure, note the name of the subscription that contains the key vaults and select Subscriptions > {Subscription name} > Access control (IAM) > Add > Add role assignment.

      Warning

      DigiCert recommends assigning the access roles at the minimum required scope of Resource group. For roles assigned with Subscription scope, Trust Lifecycle Manager has visibility of, and the assigned role permissions on, every key vault in that Azure subscription, not only the vaults it needs.

    • For API access, the registered application also needs the Azure Key Vault user_impersonation permission, added under API permissions as a Delegated permission.
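The Azure-side preparation in steps 1 to 5, as an added Azure CLI runbook; it is an example written for this page, not a DigiCert script. The application display name, resource group, vault name and the IDs passed on the command line are placeholders. It assumes the Azure CLI is already signed in to the target tenant (az login --tenant <tenant-id>) by an identity allowed to create app registrations and role assignments. By default it prints each az command for review instead of executing it, and it ends with the check for the subscription-scope caveat above: any role assignment whose scope is the whole subscription hands the connector every vault in it.

```shell
#!/usr/bin/env bash
# Added example (not DigiCert tooling): Azure CLI steps that prepare a tenant
# for the Trust Lifecycle Manager Azure Key Vault connector.
# Placeholders (APP_NAME, the IDs and names given as arguments) are assumptions.
# DRY_RUN=1 (default) prints each az command; DRY_RUN=0 executes it.
set -eu

DRY_RUN="${DRY_RUN:-1}"
APP_NAME="${APP_NAME:-tlm-azure-keyvault-connector}"   # assumed display name

# Well-known IDs of the Azure Key Vault first-party API and its user_impersonation
# scope. Verify in your tenant before use:
#   az ad sp show --id cfa8b339-82a2-471a-a3c9-0fc0be7a4093 --query oauth2PermissionScopes
KV_API_APP_ID="cfa8b339-82a2-471a-a3c9-0fc0be7a4093"
KV_USER_IMPERSONATION_SCOPE="f53da476-18e3-4152-8e01-aec403e6edc0"

run() {
  # Dry-run output is the command line for review (quoting is not preserved).
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 2: register the application; prints its Application (client) ID.
register_app() {
  run az ad app create --display-name "$1" --query appId -o tsv
}
# The service principal is the identity the role assignments bind to.
create_service_principal() {
  run az ad sp create --id "$1"
}

# Step 3: mint a client secret. Azure returns the value exactly once; pipe it
# straight into your PAM vault rather than leaving it in shell history.
create_client_secret() {
  run az ad app credential reset --id "$1" --append --years 1 --query password -o tsv
}

# Step 4: switch the vault to the Azure RBAC permission model.
enable_rbac() {
  run az keyvault update --name "$2" --resource-group "$1" --enable-rbac-authorization true
}

# Step 5: assign the two minimum roles at resource-group scope, not subscription.
assign_roles() {
  local app_id="$1" scope="/subscriptions/$2/resourceGroups/$3" role
  for role in "Key Vault Certificates Officer" "Key Vault Secrets User"; do
    run az role assignment create --assignee "$app_id" --role "$role" --scope "$scope"
  done
}

# Delegated API permission: Azure Key Vault / user_impersonation.
grant_user_impersonation() {
  run az ad app permission add --id "$1" --api "$KV_API_APP_ID" \
    --api-permissions "$KV_USER_IMPERSONATION_SCOPE=Scope"
}

# Least-privilege check: lists roles the app holds at subscription scope.
# Expected output is empty; anything printed is over-scoped and should be removed.
list_subscription_scope_roles() {
  run az role assignment list --assignee "$1" --all \
    --query "[?scope=='/subscriptions/$2'].roleDefinitionName" -o tsv
}

main() {
  local app_id="$1" sub_id="$2" rg="$3" vault="$4"
  create_service_principal "$app_id"
  create_client_secret "$app_id"
  enable_rbac "$rg" "$vault"
  assign_roles "$app_id" "$sub_id" "$rg"
  grant_user_impersonation "$app_id"
  list_subscription_scope_roles "$app_id" "$sub_id"
}

# Usage: run register_app "$APP_NAME" once and note the printed client ID, then
#   DRY_RUN=0 ./tlm-akv-prereqs.sh <client-id> <subscription-id> <resource-group> <vault-name>
if [ "$#" -eq 4 ]; then main "$@"; fi
```

Run it once with the default DRY_RUN=1 and read the printed commands, in particular the --scope values on the two role assignments, before repeating with DRY_RUN=0. The final az role assignment list call is the check worth keeping as a recurring audit: it queries all scopes the application holds and filters to the subscription root, so a non-empty result means someone assigned the roles at Subscription scope instead of Resource group.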

Add Azure Key Vault connector

  1. From the Trust Lifecycle Manager main menu, select Integrations > Connectors.

  2. Select the Add connector button.

  3. In the Cloud services section, select the tile for Azure Key Vault.

    Complete the resulting form as described in the following steps.

  4. Configure the general connector properties in the top section of the form:

    • Name: Assign a friendly name to this connector.

    • Business unit: Select a business unit for this connector. Only users assigned to this business unit can manage the connector.

    • Managing sensor: Select an active DigiCert sensor to manage the integration.

  5. Enter the Azure access details in the Link account section:

    • Tenant ID: Enter the ID of the Azure tenant with the key vaults to connect to.

    • Subscription ID: If the Azure tenant has multiple subscriptions, enter the ID of the subscription that contains the key vaults. This field is optional if your Azure tenant has only a single subscription.

    • Client ID: Enter the client ID for the application you registered in Azure for Trust Lifecycle Manager access.

  6. Under Authentication settings, select one of the following options for providing the client secret value for the Azure application:

    • Direct input: Select this option to add the client secret directly to the connector configuration. Enter the client secret value in the field provided. The value is encrypted for secure storage.

    • Secrets manager: Select this option to use the client secret stored in a privileged access management (PAM) service via a secrets manager connector. Configure the following settings:

      1. Secrets manager connector: Select the secrets manager connector for the PAM service that stores the client secret.

      2. Client secret: Enter the vault reference for the client secret in the selected PAM service. The reference format depends on the PAM service:

        • BeyondTrust: Use the format SystemName/AccountName (for example, TLM-Prod-System/My-AKV-credentials).

        • CyberArk: Use the format AccountName (for example, My-AKV-credentials).

  7. In the Vault object naming option section, verify or update the selection for how to name certificates delivered to your key vaults:

    • Unique names (default): Assigns a unique identifier to every certificate.

    • Common names (versioning): Names certificates based on their common names to keep them grouped together over time as new versions of a certificate get issued and delivered.

  8. Fill out the Import attributes section if you want to import existing certificates from the connected key vaults:

    • Toggle On to enable imports.

    • If enabled, Trust Lifecycle Manager imports all certificates from the vaults. Check the box if you do not want to import expired certificates.

    • (Optional) Assign a business unit and/or tags to the imported certificates to help manage them in Trust Lifecycle Manager.

    • Select the Import frequency at which Trust Lifecycle Manager checks for new certificates to import from Azure. The default is once every 24 hours.

  9. Select Add to create the Azure Key Vault connector with the configured settings.

Important

Each Azure Key Vault connector corresponds to a single Azure subscription. To integrate key vaults under multiple subscriptions, you must add multiple connectors, one for each subscription ID.

What's next

  • Go to the Integrations > Connectors page to view, check status, or manage your Azure Key Vault connectors.

  • Use the Admin web request function to enroll new certificates with automated delivery to your connected key vaults.