Add certificates to integration accounts for securing messages in workflows with Azure Logic Apps

Applies to: Azure Logic Apps (Consumption + Standard)

When you need to exchange confidential messages in a logic app business-to-business (B2B) workflow, you can increase the security around this communication by using certificates. A certificate is a digital document that helps secure communication in the following ways:

  • Checks the participants' identities in electronic communications.

  • Encrypts message content.

  • Digitally signs messages.

You can use the following certificate types in your workflows:

If you're new to logic apps, review What is Azure Logic Apps? For more information about B2B enterprise integration, review B2B enterprise integration workflows with Azure Logic Apps and Enterprise Integration Pack.

Prerequisites

  • An Azure account and subscription. If you don't have a subscription yet, sign up for a free Azure account.

  • An integration account resource where you define and store artifacts, such as trading partners, agreements, certificates, and so on, for use in your enterprise integration and B2B workflows. This resource has to meet the following requirements:

    • Is associated with the same Azure subscription as your logic app resource.

    • Exists in the same location or Azure region as your logic app resource.

    • If you have a Consumption logic app resource, you have to link your integration account to your logic app resource before you can use your artifacts in your workflow.

      To create and add certificates for use in Logic App (Consumption) workflows, you don't need a logic app resource yet. However, when you're ready to use those certificates in your workflows, your logic app resource requires a linked integration account that stores those certificates.

    • If you have a Standard logic app resource, your integration account doesn't need a link to your logic app resource but is still required to store other artifacts, such as partners, agreements, and certificates, along with using the AS2, X12, and EDIFACT operations. Your integration account still has to meet other requirements, such as using the same Azure subscription and existing in the same location as your logic app resource.

  • For private certificates, you must meet the following prerequisites:

  • At least two trading partners and an agreement between those partners in your integration account. An agreement requires a host partner and a guest partner. Also, an agreement requires that both partners use the same or compatible business identity qualifier that's appropriate for an AS2, X12, EDIFACT, or RosettaNet agreement.

  • Optionally, the logic app resource and workflow where you want to use the certificate. The workflow requires any trigger that starts your logic app's workflow. If you haven't created a logic app workflow before, review Quickstart: Create an example Consumption logic app workflow.

Use a public certificate

To use a public certificate in your workflow, you have to first add the certificate to your integration account.

  1. In the Azure portal search box, enter integration accounts, and select Integration accounts.

  2. Under Integration accounts, select the integration account where you want to add your certificate.

  3. On the integration account menu, under Settings, select Certificates.

  4. On the Certificates pane, select Add.

  5. On the Add Certificate pane, provide the following information about the certificate:

    Property Required Value Description
    Name Yes <certificate-name> Your certificate's name, which is publicCert in this example
    Certificate Type Yes Public Your certificate's type
    Certificate Yes <certificate-file-name> To browse for the certificate file that you want to add, select the folder icon next to the Certificate box. Select the certificate that you want to use.

    Screenshot showing the Azure portal and integration account with "Add" selected and the "Add Certificate" pane with public certificate details.

  6. When you're done, select OK.

    After Azure validates your selection, Azure uploads your certificate.

    Screenshot showing the Azure portal and integration account with the public certificate in the "Certificates" list.

Use a private certificate

To use a private certificate in your workflow, you have to first meet the prerequisites for private keys, and add a public certificate to your integration account.

  1. In the Azure portal search box, enter integration accounts, and select Integration accounts.

  2. Under Integration accounts, select the integration account where you want to add your certificate.

  3. On the integration account menu, under Settings, select Certificates.

  4. On the Certificates pane, select Add.

  5. On the Add Certificate pane, provide the following information about the certificate:

    Property Required Value Description
    Name Yes <certificate-name> Your certificate's name, which is privateCert in this example
    Certificate Type Yes Private Your certificate's type
    Certificate Yes <certificate-file-name> To browse for the certificate file that you want to add, select the folder icon next to the Certificate box. Select the public certificate that corresponds to the private key that's stored in your key vault.
    Resource Group Yes <integration-account-resource-group> Your integration account's resource group, which is Integration-Account-RG in this example
    Key Vault Yes <key-vault-name> Your key vault name
    Key name Yes <key-name> Your key name

    Screenshot showing the Azure portal and integration account with "Add" selected and the "Add Certificate" pane with private certificate details.

  6. When you're done, select OK.

    After Azure validates your selection, Azure uploads your certificate.

    Screenshot showing the Azure portal and integration account with the private certificate in the "Certificates" list.

Next steps