Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,448 questions
Using Azure Key Vault as alternative to KeyFactor for certificate management
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(307.2, 63%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESK%3C/text%3E%3C/svg%3E)
Subhash Kumar Mahato
265
Reputation points
Hello,
We are currently using KeyFactor for certificate management. Since we can manage certificates using Azure Key Vault, we are exploring Azure Key Vault as an alternative to KeyFactor.
Here, we can create and manage certificates using Azure key Vault from the integrated Certificate Authorities (CAs) GlobalSign and DigiCert.
However, I would like to know if we can use on-premises Microsoft Active Directory Certificate Services (AD CS) as an internal CA in Azure Key Vault to generate and manage certificates.
Is there a solution that allows us to use Azure Key Vault as a certificate manager for both cloud and on-premises environments?
Your response is highly appreciable. Thank you.
Azure Key Vault
{count} votes
-
Luis Arias 8,621 Reputation points Volunteer Moderator2023-11-22T11:38:13.5133333+00:00 Hello,
I was testing to create Keyvault certificate using ADCS as CA certificate with this documentation:
https://learn.microsoft.com/en-us/azure/key-vault/certificates/create-certificate-signing-request?tabs=azure-portalAs per the documentation this will work in onpremise and cloud environment:
Azure Key Vault supports storing digital certificates issued by any certificate authority (CA). It supports creating a certificate signing request (CSR) with a private/public key pair. The CSR can be signed by any CA (an internal enterprise CA or an external public CA). A certificate signing request (CSR) is a message that you send to a CA in order to request a digital certificate.
In the process you need to create the CSR on keyvault, process on ADCS web enrollment and upload on base64 format the certificate.
Does it make sense for that you are looking for? Let me know .
Luis
-
Subhash Kumar Mahato 265 Reputation points
2023-11-23T09:31:00.1666667+00:00 Hi Luis Arias,
Thank you for prompt answer. I understood that we can use the Azure Key vault to store on-premised signed certificates.
Thank you again for your explanation.
Here, I'm looking to use Azure Key Vault as Certificate Manger. like directly request the certificates to the on-premises AD CS. So, is it possible to do with azure key vault?
-
Luis Arias 8,621 Reputation points Volunteer Moderator
2023-11-28T10:42:22.51+00:00 As I know there is no option to do that yet, (Maybe MS is planing that for the future of key vault) there are more discussion about that funcionality (https://techcommunity.microsoft.com/t5/windows-server-for-it-pro/active-directory-certificate-services-with-azure-key-vault/m-p/3754994). For now It's required a Manual intervention to import the certificate generated from AD CS into Key Vault. (https://learn.microsoft.com/en-us/azure/key-vault/certificates/about-certificates).
Let me knoiw anything else.
Sign in to comment
Sign in to answer