Skip to main content

Azure Key Vault

Link DigiCert​​®​​ Trust Lifecycle Manager to Azure Key Vault to import certificates from and deliver certificates to your vaults in the Azure cloud.

Before you begin

DigiCert prerequisites

You need an active DigiCert sensor on your network that can reach both Trust Lifecycle Manager and the Azure tenant with the target key vaults. To learn more, see Deploy and manage sensors.

Azure prerequisites

  • Note the Tenant ID of the Azure tenant that contains the key vaults you want to connect to. If the tenant has more than one subscription, note the applicable Subscription ID as well.

  • Make sure the key vaults have minimum required access roles of Key Vault Certificates Officer and Key Vault Secrets User:

    • Minimum required scope is Resource group. To assign the access roles at this level in Azure, note the name of the resource group that contains the key vaults and select Resource groups > {Resource group name} > Access control (IAM) > Add > Add role assignment.

    • The access roles can also be assigned with Subscription scope. To assign the access roles at this level in Azure, note the name of the subscription that contains the key vaults and select Subscriptions > {Subscription name} > Access control (IAM) > Add > Add role assignment.

      Note

      DigiCert recommends assigning the access roles at the minimum required scope of Resource group. For roles assigned with Subscription scope, Trust Lifecycle Manager has visibility of all key vaults included in that Azure subscription.

  • Register an application for the Trust Lifecycle Manager integration and note the Application (client) ID.

  • On the Certificates & secrets page for the registered application, select New client secret to create a secret for accessing the application. Copy and save the secret Value in a secure location.

Add Azure Key Vault connector

  1. From the Trust Lifecycle Manager main menu, select Integrations > Connectors.

  2. Select the Add connector button.

  3. In the Vaults section, select the tile for Azure Key Vault.

    Complete the resulting form as described in the following steps.

  4. Configure the general connector properties in the top section of the form:

    • Name: Assign a friendly name to this connector.

    • Business unit: Select a business unit for this connector. Only users assigned to this business unit can manage the connector.

    • Managing sensor: Select an active DigiCert sensor to manage the integration.

  5. Enter the Azure access details in the Link account section:

    • Tenant ID: Enter the ID of the Azure tenant with the key vaults to connect to.

    • Subscription ID: If the Azure tenant maps to multiple subscriptions, enter the ID for the subscription with the key vaults in it. This field is optional if your Azure tenant only has a single subscription.

    • Client ID: Enter the client ID for the application you registered in Azure for Trust Lifecycle Manager access.

    • Client secret: Enter a valid client secret value for the registered application with the above ID.

  6. In the Vault object naming option section, verify or update the selection for how to name certificates delivered to your key vaults:

    • Unique names (default): Assigns a unique identifier to every certificate.

    • Common names (versioning): Names certificates based on their common names to keep them grouped together over time as new versions of a certificate get issued and delivered.

  7. Fill out the Import attributes section if you want to import existing certificates from the connected key vaults:

    • Toggle On to enable imports.

    • If enabled, Trust Lifecycle Manager imports all certificates from the vaults. Check the box if you do not want to import expired certificates.

    • (Optional) Assign a business unit and/or tags to the imported certificates to help manage them in Trust Lifecycle Manager.

    • Select the Import frequency at which Trust Lifecycle Manager checks for new certificates to import from Azure. The default is once every 24 hours.

  8. Select Add to create the Azure Key Vault connector with the configured settings.

Important

Each Azure Key Vault connector corresponds to a single Azure subscription. To integrate key vaults under multiple subscriptions, you must add multiple connectors, one for each subscription ID.

What's next

  • Go to the Integrations > Connectors page to view, check status, or manage your Azure Key Vault connectors.

  • Use the Admin web request function to enroll new certificates with automated delivery to your connected key vaults.