How to Integrate Key Vault Securely with Integrated CA DigiCert for Data Protection?

Integrate Key Vault with DigiCert CA

Azure Key Vault offers a convenient solution for provisioning, managing, and deploying digital certificates to enhance the security of your network and enable secure communication for your applications. A digital certificate is an electronic credential that provides proof of identity in electronic transactions.

To ensure a seamless certificate management experience, Azure Key Vault has established a trusted partnership with renowned Certificate Authorities like DigiCert.

With this integration, users of Azure Key Vault can generate DigiCert certificates directly from their key vaults. This partnership guarantees end-to-end certificate lifecycle management for certificates issued by DigiCert.

Things you need to Consider Before Integrating Key Vault

Before you proceed with generating DigiCert certificates from Azure Key Vault, there are a few prerequisites to consider:

A Key Vault:

You will need an existing key vault, or you can create one using the Azure CLI, Azure PowerShell, or the Azure portal. Ensure you have the necessary administrative permissions for the key vault.

An Activated DigiCert CertCentral Account:

If you don’t have one already, sign up for a DigiCert CertCentral account and activate it.

Additionally, before you begin the process, make sure to collect the following information from your DigiCert CertCentral account:

  • CertCentral Account ID: This unique identifier is associated with your CertCentral account.
  • Organization ID: Obtain the identifier for the organization linked to your CertCentral account.
  • API key: Generate an API key that allows secure access to your DigiCert CertCentral account.
  • Account ID: Acquire the identifier for the specific DigiCert CertCentral account you intend to use.
  • Account Password: Remember the password associated with your DigiCert CertCentral account.

Now let’s proceed with the steps involved in generating DigiCert certificates directly from Azure Key Vault:

Add the Certificate Authority Like DigiCert in Key Vault:

Step 1: Access the Azure portal and navigate to the desired key vault.

Step 2: On the Key Vault property page, select “Certificates.”

Step 3: Choose the “Certificate Authorities” button.

[Screenshot: Azure portal, Select Certificate Authorities]

Step 4: Click “Add” and fill in the following values under “Create a certificate authority”:

[Screenshot: Create a certificate authority form for DigiCert]

Name: Assign an identifiable name to the issuer, such as “DigiCertCA.”

Provider: Select “DigiCert.”

Account ID: Enter your DigiCert CertCentral account ID.

Account Password: Provide the API key generated in your DigiCert CertCentral account.

Organization ID: Input the organization ID obtained from your DigiCert CertCentral account.

  • Pick the “Create” option.
  • You have now successfully added DigiCert as a certificate authority to the list.

These steps will enable you to generate DigiCert certificates seamlessly within Azure Key Vault, allowing for streamlined certificate management.

It’s important to note that specific procedures and interface elements may vary depending on updates or changes to Azure Key Vault or DigiCert services.

Create Azure Resources with Azure PowerShell

Azure PowerShell is a powerful tool for creating and managing Azure resources using commands or scripts. One convenient way to access Azure PowerShell is through Azure Cloud Shell, an interactive shell environment accessible via the Azure portal in your browser.

To begin, ensure you have the Azure Az PowerShell module version 1.0.0 or later installed locally. `$PSVersionTable.PSVersion` reports the PowerShell version itself; to see which Az module version is installed, run `Get-Module -ListAvailable Az`.

If an upgrade is needed, refer to the instructions for installing the Azure Az PowerShell module. When working with PowerShell locally, establish a connection to Azure by running the command `Connect-AzAccount`.

Create an Azure resource group using the `New-AzResourceGroup` command to organize your Azure resources.

A resource group is a logical container for deploying and managing Azure resources.

Here’s an example of creating a resource group named “UserResourceGroup” in the UK South region (the Azure location name is `uksouth`; “UK” on its own is not a valid location):

New-AzResourceGroup -Name UserResourceGroup -Location uksouth

Next, you can create a key vault with a unique name using the `New-AzKeyVault` command.

In this example, we’ll name the key vault “SMC-Vaultname”, associate it with the previously created resource group, and place it in the same region:

New-AzKeyVault -Name 'SMC-Vaultname' -ResourceGroupName 'UserResourceGroup' -Location 'uksouth'

Now, let’s define variables for the following values from your DigiCert CertCentral account:

  • Account ID
  • Organization ID
  • API Key

$accountId = "myDigiCertCertCentralAccountID"

$org = New-AzKeyVaultCertificateOrganizationDetail -Id "OrganizationIDfromDigiCertAccount"

# The API key is a secret: it is converted to a SecureString here because Set-AzKeyVaultCertificateIssuer requires one.
$secureApiKey = ConvertTo-SecureString "DigiCertCertCentralAPIKey" -AsPlainText -Force

To incorporate DigiCert as a certificate authority in your key vault, set the issuer using the `Set-AzKeyVaultCertificateIssuer` command:

Set-AzKeyVaultCertificateIssuer -VaultName "SMC-Vaultname" -Name "TestIssuer1" -IssuerProvider DigiCert -AccountId $accountId -ApiKey $secureApiKey -OrganizationDetails $org -PassThru

To configure the certificate policy and issue a certificate directly from DigiCert within the key vault, run the following two commands. The policy names the issuer created above, requests a 12-month certificate stored as PKCS#12, and schedules automatic renewal 60 days before expiry:

$Policy = New-AzKeyVaultCertificatePolicy -SecretContentType "application/x-pkcs12" -SubjectName "CN=smc.com" -IssuerName "TestIssuer1" -ValidityInMonths 12 -RenewAtNumberOfDaysBeforeExpiry 60
Add-AzKeyVaultCertificate -VaultName "SMC-Vaultname" -Name "DemoCertificate" -CertificatePolicy $Policy

Congratulations! The DigiCert certificate authority has now issued the certificate, which is stored securely within the specified key vault.


Troubleshooting Steps for Integrating Key Vault

If you encounter a situation where the certificate issued appears as disabled in the Azure portal, follow these steps to resolve the issue:

Review the certificate operation to identify any error messages returned by DigiCert. These error messages often contain the information needed to troubleshoot the problem. One common error message you may encounter is: “Please perform a merge to complete this certificate request.”

QUICK NOTE: Establishing proper permissions for the Key Vault is also important. Understanding and configuring access policies correctly is crucial for smooth certificate management.

For detailed instructions on establishing permissions, refer to the documentation on creating or updating vaults and access policies.

By following these troubleshooting steps, you should be able to address the issue of a disabled certificate in the Azure portal and successfully complete the certificate request process.
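The two troubleshooting points above (checking the certificate operation for DigiCert's error message, and granting the right certificate permissions) can be scripted so that a failed request is reported immediately rather than discovered as a disabled certificate in the portal. The following is an added example, not code from the original article or from Microsoft or DigiCert; it assumes the vault and certificate names used earlier in the post, and the operator UPN is a placeholder.

```powershell
# Added example (not from the original article). Assumes the vault and certificate
# names used above; "<operator@example.com>" is a placeholder for the account that
# manages issuers and certificates in this vault.
$VaultName = "SMC-Vaultname"
$CertName  = "DemoCertificate"

# Only for vaults that use the access-policy permission model (the one the article refers to).
# Grant just the certificate permissions needed to add an issuer and request certificates.
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -UserPrincipalName "<operator@example.com>" `
    -PermissionsToCertificates get,list,create,update,getissuers,listissuers,setissuers,manageissuers

function Wait-KeyVaultCertificateIssuance {
    # Polls the pending certificate operation and throws with the issuer's error code and
    # message, so a failed DigiCert request surfaces in the shell with its reason.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $Name,
        [int] $TimeoutMinutes = 30,
        [int] $PollSeconds = 30
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $op = Get-AzKeyVaultCertificateOperation -VaultName $VaultName -Name $Name
        if ($op.Status -eq 'completed') {
            return Get-AzKeyVaultCertificate -VaultName $VaultName -Name $Name
        }
        if ($op.Status -ne 'inProgress' -or $op.ErrorMessage) {
            # This is where a message such as "Please perform a merge to complete this
            # certificate request." shows up, together with the issuer's error code.
            throw "Certificate operation '$Name' ended with status '$($op.Status)': $($op.ErrorCode) - $($op.ErrorMessage)"
        }
        # Still pending at the CA (for example, organization validation); StatusDetails says why.
        Write-Verbose "Pending: $($op.StatusDetails)"
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    throw "Timed out after $TimeoutMinutes minutes waiting for '$Name'; check the request in CertCentral."
}

# Run after Add-AzKeyVaultCertificate from the steps above.
$cert = Wait-KeyVaultCertificateIssuance -VaultName $VaultName -Name $CertName -Verbose
"Issued {0}: thumbprint {1}, expires {2}, enabled={3}" -f $cert.Name, $cert.Thumbprint, $cert.Expires, $cert.Enabled
```

If the vault uses Azure RBAC instead of access policies, skip the Set-AzKeyVaultAccessPolicy call and assign the equivalent Key Vault role instead.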


Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.