Order an SSL/TLS certificate from Key Vault account

Order DigiCert SSL/TLS certificates from your Microsoft Azure Key Vault account

After creating your DigiCert CertCentral API key and gathering your Organization ID and CertCentral Account ID, you can begin ordering your DigiCert SSL/TLS certificates from your Azure Key Vault account.

To order your certificates, use Azure PowerShell version 2.1.0. If you don’t have this version of PowerShell, you can access it here: https://github.com/Azure/azure-powershell/releases/tag/v2.1.0-September2016.

If you run into problems while running these Azure PowerShell commands, please contact your Microsoft account representative.

The Azure Key Vault to CertCentral integration only supports ordering SSL/TLS certificates.

Order your SSL/TLS certificate using Azure PowerShell

The variables in these instructions have been assigned sample values for use as reference. Please change the values appropriately.

Step 1: Open PowerShell and log in

Open a new PowerShell window and run this command to log in to your Azure Key Vault account.

```powershell
Login-AzureRmAccount
```

Step 2: Create a resource group

If you already have a resource group you can use, you don't need to create a new one.

  1. Define $resourceGroupName and $resourceGroupLocation variables

     Run these commands to define your variables.

     ```powershell
     $resourceGroupName = "myResourceGroup"
     $resourceGroupLocation = "West Us"
     ```

  2. Create resource group

     Using the defined variables, run this command to create the resource group.

     ```powershell
     New-AzureRmResourceGroup -Name $resourceGroupName -Location $resourceGroupLocation
     ```

Step 3: Create a vault

If you already have a vault you can use, you don't need to create a new one.

  1. Define $vaultName and $vaultLocation variables

     Run these commands to define your variables.

     ```powershell
     $vaultName = "myVaultName"
     $vaultLocation = "West Us"
     ```

  2. Create vault

     Using the defined variables, run this command to create the vault.

     ```powershell
     New-AzureRmKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroupName -Location $vaultLocation -Sku Premium
     ```

Step 4: Create an organization for the issuer

Run the command below to create an organization for the issuer. This command also creates a $org variable to use in other commands later.

```powershell
# Replace the placeholder with the Organization ID from your CertCentral account
$org = New-AzureKeyVaultCertificateOrganizationDetails -Id "OrganizationIDfromDigiCertAccount"
```

Step 5: Create $secureApiKey variable

Run this command to create and define the $secureApiKey variable. The API key is converted to a SecureString so that later commands never receive it as plain text.

```powershell
# Replace the placeholder with your CertCentral API key
$secureApiKey = ConvertTo-SecureString "DigiCertCertCentralAPIKey" -AsPlainText -Force
```

Step 6: Create issuer

This step creates the connection between your Azure Key Vault account and your DigiCert CertCentral account.

  1. Define $accountId and $issuerName variables

     Run these commands to define your variables.

     ```powershell
     $accountId = "myDigiCertCertCentralAccountID"
     $issuerName = "MyIssuerName"
     ```

  2. Create issuer

     Using the defined variables, run this command to create an issuer.

     ```powershell
     Set-AzureKeyVaultCertificateIssuer -VaultName $vaultName -IssuerName $issuerName -IssuerProvider DigiCert -AccountId $accountId -ApiKey $secureApiKey -OrganizationDetails $org
     ```

Step 7: Create policy

Using the defined variables, run the command below to create a policy. This command also creates a $certificatePolicy variable to use in other commands later.

```powershell
$certificatePolicy = New-AzureKeyVaultCertificatePolicy -SecretContentType application/x-pkcs12 -SubjectName "CN=myCommonName.com" -ValidityInMonths 12 -IssuerName $issuerName -RenewAtNumberOfDaysBeforeExpiry 60
```

Step 8: Request an SSL/TLS certificate

  1. Define $certificateName variable

     Run this command to define your variable.

     ```powershell
     $certificateName = "myCertificateName"
     ```

  2. Request your SSL/TLS certificate

     Using the defined variables, run this command to request an SSL/TLS certificate.

     ```powershell
     Add-AzureKeyVaultCertificate -VaultName $vaultName -CertificateName $certificateName -CertificatePolicy $certificatePolicy
     ```

Step 9: Check request status

Using the defined variables, run the command below to check the status of your certificate request to see if it is "complete".

```powershell
Get-AzureKeyVaultCertificateOperation -VaultName $vaultName -CertificateName $certificateName
```

Step 10: Access your issued SSL/TLS certificate

Using the defined variables, run the command below to access your issued SSL/TLS certificate.

```powershell
Get-AzureKeyVaultCertificate -VaultName $vaultName -CertificateName $certificateName
```
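The ten steps above, collected into one script as an added example (this is not code from the DigiCert page or from Microsoft). It differs from the step-by-step commands in two ways a practitioner will want: the CertCentral API key is read with Read-Host -AsSecureString instead of being typed in plain text on the command line (where it would land in the PowerShell history), and Step 9 is a polling loop that waits for the certificate operation to finish instead of being re-run by hand. It assumes the same AzureRM cmdlets the page uses, that the operation object returned by Get-AzureKeyVaultCertificateOperation exposes Status and ErrorMessage properties with "inProgress" and "completed" as status values, and that the certificate object exposes Name, Thumbprint and Expires; all sample values are constructed placeholders.

```powershell
# Added example: end-to-end order of a DigiCert certificate from Azure Key Vault.
# Assumes the AzureRM cmdlets used on the page. Placeholder values are constructed;
# replace them with your own resource names and CertCentral identifiers.

$resourceGroupName     = "myResourceGroup"
$resourceGroupLocation = "West US"
$vaultName             = "myVaultName"
$vaultLocation         = "West US"
$issuerName            = "MyIssuerName"
$accountId             = "myDigiCertCertCentralAccountID"    # CertCentral Account ID (placeholder)
$organizationId        = "OrganizationIDfromDigiCertAccount" # CertCentral Organization ID (placeholder)
$certificateName       = "myCertificateName"
$subjectName           = "CN=myCommonName.com"

# Step 1: log in.
Login-AzureRmAccount

# Steps 2 and 3: reuse the resource group and vault when they already exist.
if (-not (Get-AzureRmResourceGroup -Name $resourceGroupName -ErrorAction SilentlyContinue)) {
    New-AzureRmResourceGroup -Name $resourceGroupName -Location $resourceGroupLocation | Out-Null
}
if (-not (Get-AzureRmKeyVault -VaultName $vaultName -ErrorAction SilentlyContinue)) {
    New-AzureRmKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroupName `
        -Location $vaultLocation -Sku Premium | Out-Null
}

# Steps 4 and 5: organization details and the API key as a SecureString.
# Reading the key interactively keeps it out of the script file and the command history.
$org          = New-AzureKeyVaultCertificateOrganizationDetails -Id $organizationId
$secureApiKey = Read-Host -Prompt "DigiCert CertCentral API key" -AsSecureString

# Step 6: link the vault to the CertCentral account.
Set-AzureKeyVaultCertificateIssuer -VaultName $vaultName -IssuerName $issuerName `
    -IssuerProvider DigiCert -AccountId $accountId -ApiKey $secureApiKey -OrganizationDetails $org

# Steps 7 and 8: policy (12-month validity, auto-renew 60 days before expiry) and request.
$certificatePolicy = New-AzureKeyVaultCertificatePolicy -SecretContentType application/x-pkcs12 `
    -SubjectName $subjectName -ValidityInMonths 12 -IssuerName $issuerName -RenewAtNumberOfDaysBeforeExpiry 60
Add-AzureKeyVaultCertificate -VaultName $vaultName -CertificateName $certificateName `
    -CertificatePolicy $certificatePolicy | Out-Null

# Step 9: poll until the operation leaves "inProgress" or a 30-minute deadline passes
# (status values are an assumption, see the lead-in).
$deadline = (Get-Date).AddMinutes(30)
do {
    Start-Sleep -Seconds 30
    $op = Get-AzureKeyVaultCertificateOperation -VaultName $vaultName -CertificateName $certificateName
    Write-Host ("{0}: status={1}" -f (Get-Date -Format s), $op.Status)
} while ($op.Status -eq "inProgress" -and (Get-Date) -lt $deadline)

if ($op.Status -ne "completed") {
    throw "Certificate request did not complete: status=$($op.Status) error=$($op.ErrorMessage)"
}

# Step 10: retrieve the issued certificate and show what was actually issued,
# so the thumbprint and expiry can be recorded before the certificate is deployed.
$cert = Get-AzureKeyVaultCertificate -VaultName $vaultName -CertificateName $certificateName
$cert | Select-Object Name, Thumbprint, Expires
```

If the loop ends with a status other than "completed", the thrown message carries the operation's error text; DigiCert order validation (for example organization or domain validation still pending on the CertCentral side) is the usual reason a request stays "inProgress" past the deadline, and re-running only the Step 9 and Step 10 portion later picks the order up where it left off.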