How to create public certificate in Azure Key Vault to be used by ADFS VM server

Question

I'm setting up a few Windows 2019 server VMs on which to do a test/eval install of some ERP software. They're all members of an Active Directory Domain; not linked to the AAD domain of the Azure organization/Subscription in which they exist.

The software requires Federation Services; this will initially be done by having a server VM just for ADFS.

The software requires a certificate validated by a real CA. I have set up a Key Vault for this. This is a domain cert, not a code validation cert.

I intend to validate identity against the CA using the DNS challenge method. There is no requirement for the ADFS machine to have IIS. There are no web sites involved.

Step 0 to do anything with public certificates is to validate credentials with the CA; it's required to create the Certificate Issuer object in the Key Vault, which is step 1. However, the FQDN of my AAD organization can't even be pinged from the open internet, so I don't understand how it's possible via any method to validate credentials of an account in my AAD organization against the CA.

I happen to have a normal registered internet domain, which happens to already have a valid wildcard certificate from CA LetsEncrypt. It would also be convenient for my AAD org to have a valid address in this live, active domain. I have created in the AAD org a custom domain name accordingly. I created the required txt record in the live DNS for my live domain; Azure validates the custom domain name.

AAD does not require that the Azure custom domain name have a CNAME record in the live registered DNS for the custom domain name. I can see how it might be important to NOT have the AAD custom domain name be a registered subdomain on the public internet. But maybe it is, just not mentioned anywhere. However, I think such a CNAME record may be required for CA challenge response.

1. How to establish validated CA account so Key Vault can be used for certificates?
2. Why do my AAD FQDN (weeks old) and my validated AAD custom domain name fail pings; they need to successfuly reply, correct?
3. Can Key Vault Certificate be created/used against AAD custom domain (which the Key Vault is in)
4. The ADFS server VM (which is not AAD) can still use the Key Vault certificate I'm hoping to create, true? That's the whole point, as I understand it.
5. Does the (regular, not AAD) Active Directory Domain Name matter is this picture, or does that only depend on the details of the software to be installed?

What are the steps from here to create and install a public certificate that the VMs/AD domain can use, as required for the planned software install?

thx

Answer 1

Hello @Frank Revi

Thank you for your post on this community space.

As per your case scenario description, I would like to gather my humble opinion about it. For instance, you were stating that you have no need to use IIS feature or Web Application Proxy. Also, this is a real CA certificate, but it was provisioned as Wildcard TLS/SSL certificate.

You want to use the VM hosted on Azure as any other ADFS server to redirect your authentication request to the key vault resource to use the certificate set up. Please correct me if I am mistaken on this please but for now let me keep providing few details more about it.

I would dare to say that what you need is to integrate other options to this since you were stating how this can be possible, but the info down below can give you more clues to get it done as well as to get familiar with.

When you use private links/Endpoints it will have a public IP linked to it as well as Network Firewall rules to either allow or block the network access from your VNET or Internet traffic. Having said that, you might need to use a Managed Identity instead of user/password credentials....

Please see the links mentioned previously:

https://learn.microsoft.com/en-us/azure/key-vault/general/overview-vnet-service-endpoints

https://learn.microsoft.com/en-us/azure/key-vault/general/private-link-service?source=recommendations&tabs=portal

https://learn.microsoft.com/en-us/archive/blogs/kv/updated-deploy-certificates-to-vms-from-customer-managed-key-vault

https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-nonaad?source=recommendations

https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/managed-identities-status

If you need further details do not hesitate to get back to us and any of us shall assist you for sure : )

Looking forward to your feedback,

Cheers,

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Answer 2

Hi @risolis . Thank you very much for your reply. I appreciate very much that you read it carefully.

I've looked over the links you provided, and will read them in more detail.

I should mention that what I'm doing is setting up the VMs to host the ERP software according to its requirements. I could do this with physical servers, but the disadvantages make it better to do in Azure. Once its requirements are in place, the ERP software is basically self-contained; configuration, customization, etc. are all done within it. The ERP software is intended to be user-facing.

What I'm not doing is developing application software or writing code for the ERP software or for Azure. This is not an exercise to see the extent to which it is possible to integrate as many Azure features as possible. I'm a systems admin and project lead to implement this ERP software for a bricks-and-mortar company to run its business on. The business of the company is not related to developing, providing, managing, or selling software or Azure products or services. I'm not a programmer.

I'm happy to, and interested to, and required to, gain the Azure expertise to accomplish the ERP goal of the bricks-and-mortar company; I work for them.

I'm hoping to work directly in the Azure portal interactively to create the required infrastructure, and to interactively administer the virtual machines and install the ERP software modules on them. 3rd parties will access the VMs for advanced work in the ERP software; end users in multiple countries will interact with software that connects to the ERP virtual infrastructure I'm creating in Azure. From my side, no coding should be needed to set up or run the Azure environment that supports the project.

With that in mind, the first requirement of the ERP software is to implement public domain certificate(s) on the ADFS virtual server. That's the context of my original post here. I'll look again in detail at the links you sent.

If you have further suggestions that would be useful for me to achieve Key Vault certificate issuance and lifetime management for public x509 CA certificates, which can be used by virtual servers in the Azure Active Directory but with their own independent Windows Active Directory, and preferably using an Azure custom domain independent of onmicrosoft.com; they would be most appreciated.

Thanks again.

Answer 3

Hello @Frank Revi

To you as well for letting me be part of this.

Now bringing back this statement which is fully right: Once its requirements are in place, the ERP software is basically self-contained; configuration, customization, etc. are all done within it. The ERP software is intended to be user-facing

As per your job role explanation and business line of business, I think as the same way as you on those relevant points.

Please go through the links gathered previously and do not hesitate to get back to us at any time.

Have a good one.

Many thanks : )