Issue certificate renew using HSM vault REST API

Roie Rachamim 1 Reputation point
2020-10-25T13:16:03.743+00:00

Hi,

I've created a rootCA using the following API:
https://learn.microsoft.com/en-us/rest/api/keyvault/createcertificate/createcertificate
POST {vaultBaseUrl}/certificates/{certificate-name}/create?api-version=7.1

It was created for 20 years and now I would like to modify the certificate so it will expire in 10 years,
but will use the same private key (in order to avoid users having to recreate certificates).

With which API can I achieve that?

Many Thanks,
Roie


4 answers

  1. JamesTran-MSFT 36,496 Reputation points Microsoft Employee
    2020-10-26T21:15:43.33+00:00

    @Roie Rachamim
    Thank you for your question! I wasn't able to find a way to do this through the REST API, but I'll post my findings below.

    I created a certificate using the same create REST API you mentioned, making the "validity_months" (expiration date) equal to 297.


    I ran a PATCH to try and update the validity period from 297 months to 100; the PATCH didn't error, however the expiration date never changed.

    I then went to the Issuance Policy of the certificate and was able to change the validity period.

    I realized that updating this validity period doesn't actually update the "Expiration Date" of the certificate, so I tried to update the expiration date within the certificate, but the option was greyed out for all of my certificates, which leads me to believe updating the expiration date of a certificate isn't a supported feature at this time.

    If you'd like to create a feature request for this action, please feel free to leverage our User Voice forum.

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.


  2. Roie Rachamim 1 Reputation point
    2020-10-27T09:43:57.117+00:00

    Hi James,

    Thanks for the very detailed answer!

    So assuming modifying a certificate is not possible, is it possible to create a new certificate that will use the same private key as the current cert did (in order to avoid replacing the CA for all devices)?
    Which API can be used to do that?

    Many Thanks,
    Roie


  3. JamesTran-MSFT 36,496 Reputation points Microsoft Employee
    2020-10-27T20:42:23.313+00:00

    @Roie Rachamim
    Thank you for the quick follow up! I reached out to our Key Vault SMEs and will post their reply below.

    SME Update:
    Updating the expiration date of an issued certificate is not possible. The way you should do this is by updating the issuance policy and then generating a new certificate version. As mentioned in the banner, the changes in the issuance policy will be reflected on the next certificate's version.

    To update the same cert (same key) with a new exp date, you need to update the issuance policy and generate a new version of the certificate. You need to consider that generating a new cert version will not "reissue" the cert but request a new one with the new issuance policy, using the same private key.

    This is the REST you can use in order to do so: https://learn.microsoft.com/en-us/rest/api/keyvault/updatecertificate/updatecertificate

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

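The procedure the SME describes (update the issuance policy, then create a new version on the same key), as an added Python example that is not part of this thread or of Microsoft's own SDKs. It assumes the api-version 7.1 request shapes (`reuse_key` under `key_props`, `validity_months` under `x509_props`, epoch `nbf`/`exp` attributes on the certificate bundle, public JWK fields on the key) and that the bearer token and HTTP transport are handled separately; the vault URL, policy and key values are constructed.

```python
"""Plan and verify a Key Vault certificate re-issue that keeps the key pair.
Example code, not Microsoft's; vault URL, policy and key values are constructed."""
import datetime as dt

API_VERSION = "7.1"
PUBLIC_PARTS = ("kty", "n", "e", "crv", "x", "y")  # JWK fields that identify a key pair


def merge_policy(existing_policy: dict, validity_months: int) -> dict:
    """Take the body from GET .../certificates/{name}/policy and change only the two
    fields that matter: a shorter validity, and reuse_key=True so the next version
    is issued on the same private key instead of a freshly generated one."""
    policy = {k: dict(v) if isinstance(v, dict) else v for k, v in existing_policy.items()}
    policy.setdefault("key_props", {})["reuse_key"] = True
    policy.setdefault("x509_props", {})["validity_months"] = validity_months
    return policy


def plan_reissue(vault_base_url: str, cert_name: str, policy: dict) -> list:
    """The SME procedure as ordered REST calls: PATCH the issuance policy first (it
    only affects the *next* version), then POST create to mint that new version."""
    base = f"{vault_base_url}/certificates/{cert_name}"
    return [("PATCH", f"{base}/policy?api-version={API_VERSION}", policy),
            ("POST", f"{base}/create?api-version={API_VERSION}", {"policy": policy})]


def same_key_pair(old_key: dict, new_key: dict) -> bool:
    """Compare two GET .../keys/{name}/{version} responses: identical public JWK
    components (RSA n/e or EC crv/x/y) show the backing key pair was reused."""
    return all(old_key["key"].get(p) == new_key["key"].get(p) for p in PUBLIC_PARTS)


def validity_months_of(cert_bundle: dict) -> int:
    """Whole months between the nbf and exp epoch attributes of a certificate bundle."""
    nbf = dt.datetime.fromtimestamp(cert_bundle["attributes"]["nbf"], dt.timezone.utc)
    exp = dt.datetime.fromtimestamp(cert_bundle["attributes"]["exp"], dt.timezone.utc)
    return (exp.year - nbf.year) * 12 + (exp.month - nbf.month)


# Constructed sample data standing in for real vault responses (not real key material).
OLD_POLICY = {"issuer": {"name": "Self"},
              "key_props": {"kty": "RSA", "key_size": 2048, "exportable": False},
              "x509_props": {"subject": "CN=example-root", "validity_months": 240}}
OLD_KEY = {"key": {"kid": "https://contoso.vault.azure.net/keys/root-ca/v1",
                   "kty": "RSA", "n": "SAMPLE_MODULUS", "e": "AQAB"}}
NEW_KEY = {"key": {"kid": "https://contoso.vault.azure.net/keys/root-ca/v2",
                   "kty": "RSA", "n": "SAMPLE_MODULUS", "e": "AQAB"}}
NEW_CERT = {"attributes": {"nbf": 1604016000, "exp": 1919548800}}  # 2020-10-30 to 2030-10-30 UTC
```

After the POST, fetch the new version's key and certificate bundle and run `same_key_pair` and `validity_months_of` against them; a policy change that was not picked up shows as a validity that still matches the old value.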

  4. Roie Rachamim 1 Reputation point
    2020-10-28T19:04:10.233+00:00

    Will try that! One last question, regarding the certificate versions:

    Is there a possibility (or is it planned) to be able to remove a version from the certificate? I didn't see any API that can do that currently.

    Thanks,
    Roie