Azure Key Vault

Link to Azure to import and deliver certificates to your key vaults.

Before you begin

You need an active DigiCert sensor with the latest software version to establish and manage the connection to Azure. To learn more, see Deploy and manage sensors.

In Azure:

  • Note the Tenant ID of the Azure tenant that contains the key vaults you want to connect to. If the tenant has more than one subscription, note the applicable Subscription ID as well.

  • Register an application for Trust Lifecycle Manager and assign it the minimum required roles of Key Vault Certificates Officer and Key Vault Secrets User with minimum scope Resource Group. Note the Application (client) ID.

  • On the Certificates & secrets page for the registered application, select New client secret to create a secret for accessing the application. Copy and save the secret Value in a secure location.
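The following is an added example, not part of DigiCert's documentation: a Python check that compares the registered application's role assignments with the minimum stated above (the two Key Vault roles at Resource Group scope). It assumes input in the JSON shape printed by `az role assignment list`; the function names, sample subscription ID and resource group name are constructed, and treating a scope narrower than the resource group as not meeting the requirement is an assumption drawn from the "minimum scope Resource Group" wording.

```python
import json
import re

# Roles the page names as the minimum for the Trust Lifecycle Manager application.
REQUIRED_ROLES = {"Key Vault Certificates Officer", "Key Vault Secrets User"}

RG_SCOPE = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+$", re.I)
# Root, subscription and management group scopes are all wider than a resource group.
BROAD_SCOPE = re.compile(
    r"^/$|^/subscriptions/[^/]+$|^/providers/Microsoft\.Management/managementGroups/[^/]+$", re.I)


def audit_assignments(assignments):
    """Compare role assignments with the documented minimum and return findings."""
    findings, satisfied = [], set()
    for a in assignments:
        role, scope = a["roleDefinitionName"], a["scope"].rstrip("/") or "/"
        if role not in REQUIRED_ROLES:
            findings.append(f"extra role: {role} at {scope}")
        elif RG_SCOPE.match(scope):
            satisfied.add(role)
        elif BROAD_SCOPE.match(scope):
            satisfied.add(role)  # works, but grants more than the stated minimum
            findings.append(f"scope wider than resource group: {role} at {scope}")
        else:
            # Assumption: a vault-level scope does not meet "minimum scope Resource Group".
            findings.append(f"scope narrower than resource group: {role} at {scope}")
    for role in sorted(REQUIRED_ROLES - satisfied):
        findings.append(f"missing required role: {role}")
    return findings


def audit_json(text):
    """Audit the JSON text of `az role assignment list --all --assignee <client-id> -o json`."""
    return audit_assignments(json.loads(text))


# Constructed sample data (placeholder subscription ID and resource group name).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_JSON = json.dumps([
    {"roleDefinitionName": "Key Vault Certificates Officer", "scope": f"{SUB}/resourceGroups/rg-certs"},
    {"roleDefinitionName": "Key Vault Secrets User", "scope": SUB},
    {"roleDefinitionName": "Contributor", "scope": f"{SUB}/resourceGroups/rg-certs"},
])

if __name__ == "__main__":
    for finding in audit_json(SAMPLE_JSON):
        print(finding)
```

An empty result means the application holds exactly the two roles at Resource Group scope; any finding is worth resolving before the client secret is entered into the connector.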

Add Azure Key Vault connector

  1. From the Trust Lifecycle Manager main menu, select Integrations > Connectors.

  2. Select the Add connector button.

  3. In the Vaults section, select the tile for Azure Key Vault.

    Complete the resulting form as described in the following steps.

  4. Configure the general connector properties in the top section of the form:

    • Name: Assign a friendly name to this connector.

    • Business unit: Select a business unit for this connector. Only users assigned to this business unit can manage the connector.

    • Managing sensor: Select an active DigiCert sensor to manage the integration.

  5. Enter the Azure access details in the Link account section:

    • Tenant ID: Enter the ID of the Azure tenant with the key vaults to connect to.

    • Subscription ID: If the Azure tenant maps to multiple subscriptions, enter the ID for the subscription with the key vaults in it. This field is optional if your Azure tenant only has a single subscription.

    • Client ID: Enter the client ID for the application you registered in Azure for Trust Lifecycle Manager access. The application must have minimum required roles of Key Vault Certificates Officer and Key Vault Secrets User and minimum scope Resource Group.

    • Client secret: Enter a valid client secret value for the registered application with the above ID.

  6. In the Vault object naming option section, verify or update the selection for how to name certificates delivered to your key vaults:

    • Unique names (default): Assigns a unique identifier to every certificate.

    • Common names (versioning): Names certificates based on their common names to keep them grouped together over time as new versions of a certificate get issued and delivered.

  7. Fill out the Import attributes section if you want to import existing certificates from the connected key vaults:

    • Toggle On to enable imports.

    • If enabled, Trust Lifecycle Manager imports all certificates from the vaults. Check the box if you do not want to import expired certificates.

    • (Optional) Assign a business unit and/or tags to the imported certificates to help manage them in Trust Lifecycle Manager.

    • Select the Import frequency at which Trust Lifecycle Manager checks for new certificates to import from Azure. The default is once every 24 hours.

  8. Select Add to create the Azure Key Vault connector with the configured settings.

Important

Each Azure Key Vault connector corresponds to a single Azure subscription. To integrate key vaults under multiple subscriptions, you must add multiple connectors, one for each subscription ID.

What's next

Go to the Integrations > Connectors page to view, check status, or manage your Azure Key Vault connectors.

See Request new certificates with vault delivery to learn how to enroll and deliver new certificates to your connected key vaults.