
Order an SSL/TLS certificate from Key Vault account using Azure PowerShell

After you create the DigiCert CertCentral API key and gather the organization ID and CertCentral account ID, order DigiCert SSL/TLS certificates from the Azure Key Vault account.

To order certificates, use Azure PowerShell version 2.1.0. Download this version from:

https://github.com/Azure/azure-powershell/releases/tag/v2.1.0-September2016.

For problems running these Azure PowerShell commands, contact the Microsoft account representative.

Note

The Azure Key Vault to CertCentral integration only supports ordering SSL/TLS certificates.

The variables in these instructions use sample values for reference. Change the sample values to match the account.

STEP 1: Open PowerShell and log in

Open a new PowerShell window and run this command to log in to the Azure Key Vault account.

Login-AzureRMAccount

STEP 2: Create a resource group

A resource group that already exists does not need re-creation.

  1. Define the $resourceGroupName and $resourceGroupLocation variables

    Run these commands to define the variables.

    $resourceGroupName = "myResourceGroup"
    $resourceGroupLocation = "West Us"
  2. Create the resource group

    Using the defined variables, run this command to create the resource group.

    New-AzureRMResourceGroup -Name $resourceGroupName -Location $resourceGroupLocation

STEP 3: Create a vault

A vault that already exists does not need re-creation.

  1. Define the $vaultName and $vaultLocation variables

    Run these commands to define the variables.

    $vaultName = "myVaultName"
    $vaultLocation = "West Us"
  2. Create the vault

    Using the defined variables, run this command to create the vault.

    New-AzureRmKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroupName -Location $vaultLocation -Sku Premium

STEP 4: Create an organization for the issuer

Run this command to create an organization for the issuer. This command also creates an $org variable for use in later commands.

$org = New-AzureKeyVaultCertificateOrganizationDetails -Id OrganizationIDfromDigiCertAccount

STEP 5: Create $secureApiKey variable

Run this command to create and define the $secureApiKey variable.

$secureApiKey = ConvertTo-SecureString DigiCertCertCentralAPIKey -AsPlainText -Force

STEP 6: Create issuer

This step creates the connection between the Azure Key Vault account and the DigiCert CertCentral account.

  1. Define the $accountId and $issuerName variables

    Run these commands to define your variables.

    $accountId = "myDigiCertCertCentralAccountID"
    $issuerName = "MyIssuerName"
  2. Create the issuer

    Using the defined variables, run this command to create an issuer.

    Set-AzureKeyVaultCertificateIssuer -VaultName $vaultName -IssuerName $issuerName -IssuerProvider DigiCert -AccountId $accountId -ApiKey $secureApiKey -OrganizationDetails $org

STEP 7: Create policy

Using the defined variables, run this command to create a policy. This command also creates a $certificatePolicy variable for use in later commands.

$certificatePolicy = New-AzureKeyVaultCertificatePolicy -SecretContentType application/x-pkcs12 -SubjectName "CN=myCommonName.com" -ValidityInMonths 12 -IssuerName $issuerName -RenewAtNumberOfDaysBeforeExpiry 60

STEP 8: Request an SSL/TLS certificate

  1. Define the $certificateName variable

    Run this command to define your variable.

    $certificateName = "myCertificateName"
  2. Request the SSL/TLS certificate

    Using the defined variables, run this command to request an SSL/TLS certificate.

    Add-AzureKeyVaultCertificate -VaultName $vaultName -CertificateName $certificateName -CertificatePolicy $certificatePolicy

STEP 9: Check request status and access your certificate

  1. Using the defined variables, run this command to check whether the certificate request status is complete.

    Get-AzureKeyVaultCertificateOperation -VaultName $vaultName -CertificateName $certificateName
  2. Using the defined variables, run this command to access the issued SSL/TLS certificate.

    Get-AzureKeyVaultCertificate -VaultName $vaultName -CertificateName $certificateName
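The steps above run as one script, as an added example that is not DigiCert's or Microsoft's own code. It uses the same AzureRM 2.1.0 cmdlets as the instructions, plus Get-AzureRmResourceGroup, Get-AzureRmKeyVault and Read-Host to skip re-creating resources that already exist and to read the API key from a prompt instead of a plain-text command line (which would otherwise leave the key in the PowerShell history). The polling loop in step 9 assumes the certificate operation object exposes Status, StatusDetails, ErrorCode and ErrorMessage; the 30-second interval and 30-minute deadline are chosen here, not taken from the page. All names and IDs are sample values or placeholders; replace them with your own.

```powershell
# Added end-to-end example tying STEP 1 to STEP 9 together (not the page's own script).
# Sample values and placeholders as in the instructions; replace them with your own.
$ErrorActionPreference = 'Stop'

$resourceGroupName     = "myResourceGroup"
$resourceGroupLocation = "West Us"
$vaultName             = "myVaultName"
$vaultLocation         = "West Us"
$organizationId        = "OrganizationIDfromDigiCertAccount"   # placeholder from your CertCentral account
$accountId             = "myDigiCertCertCentralAccountID"      # placeholder from your CertCentral account
$issuerName            = "MyIssuerName"
$certificateName       = "myCertificateName"
$subjectName           = "CN=myCommonName.com"

# STEP 1: log in
Login-AzureRmAccount

# STEP 2: create the resource group only if it does not exist yet
if (-not (Get-AzureRmResourceGroup -Name $resourceGroupName -ErrorAction SilentlyContinue)) {
    New-AzureRmResourceGroup -Name $resourceGroupName -Location $resourceGroupLocation | Out-Null
}

# STEP 3: likewise for the vault (Premium SKU, as in the instructions)
if (-not (Get-AzureRmKeyVault -VaultName $vaultName -ErrorAction SilentlyContinue)) {
    New-AzureRmKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroupName `
        -Location $vaultLocation -Sku Premium | Out-Null
}

# STEP 4 and 5: organization details and the API key. Read-Host -AsSecureString is an
# assumed substitute for ConvertTo-SecureString -AsPlainText; it keeps the key out of
# the command history and any transcript.
$org = New-AzureKeyVaultCertificateOrganizationDetails -Id $organizationId
$secureApiKey = Read-Host -Prompt "DigiCert CertCentral API key" -AsSecureString

# STEP 6: register DigiCert CertCentral as a certificate issuer in the vault
Set-AzureKeyVaultCertificateIssuer -VaultName $vaultName -IssuerName $issuerName `
    -IssuerProvider DigiCert -AccountId $accountId -ApiKey $secureApiKey `
    -OrganizationDetails $org | Out-Null

# STEP 7 and 8: policy (12 months, renew 60 days before expiry), then the request
$certificatePolicy = New-AzureKeyVaultCertificatePolicy -SecretContentType application/x-pkcs12 `
    -SubjectName $subjectName -ValidityInMonths 12 -IssuerName $issuerName `
    -RenewAtNumberOfDaysBeforeExpiry 60
Add-AzureKeyVaultCertificate -VaultName $vaultName -CertificateName $certificateName `
    -CertificatePolicy $certificatePolicy | Out-Null

# STEP 9: issuance is asynchronous. Poll the operation until it completes, and fail
# fast if the operation object reports an error from the issuer.
$deadline = (Get-Date).AddMinutes(30)   # assumed deadline, not from the page
do {
    Start-Sleep -Seconds 30
    $op = Get-AzureKeyVaultCertificateOperation -VaultName $vaultName -CertificateName $certificateName
    Write-Host ("{0}: status={1} {2}" -f (Get-Date -Format s), $op.Status, $op.StatusDetails)
    if ($op.ErrorMessage) {
        throw "Certificate request failed: $($op.ErrorCode) $($op.ErrorMessage)"
    }
} while ($op.Status -ne 'completed' -and (Get-Date) -lt $deadline)

if ($op.Status -ne 'completed') {
    throw "Timed out waiting for '$certificateName' to be issued"
}

# Retrieve the issued certificate and confirm it carries the requested common name
$cert = Get-AzureKeyVaultCertificate -VaultName $vaultName -CertificateName $certificateName
$x509 = $cert.Certificate
if ($x509.Subject -notlike "*$subjectName*") {
    Write-Warning "Issued subject '$($x509.Subject)' does not contain requested '$subjectName'"
}
Write-Host "Issued: thumbprint=$($x509.Thumbprint) notBefore=$($x509.NotBefore) notAfter=$($x509.NotAfter)"
```

Run the script from a PowerShell session with the AzureRM 2.1.0 modules loaded. Because the resource-group and vault creation is guarded by an existence check, the script can be re-run after a failed order without tripping over resources created on an earlier attempt; the polling loop replaces the manual repeated Get-AzureKeyVaultCertificateOperation call of step 9.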