Hi,
Your request to use Azure Key Vault as your on-premises certificate does NOT make sense to me, as this means that you will not be able to use your database if the connection is broken, but your requirement (needs) makes total sense - meaning to use the Azure Key Vault as your backup.
I have not used this architecture as it does not fit me, but you can try it and use it for yourself (assuming it is working as expected).
(1) Step one: Export the certificate directly from the SQL Server on-premises instance or from the certificate store (create the files)
(2) Step two: You can import the certificate file to the Azure SQL Managed Instance for backup or simply to Azure Key Vault
For more info about importing the certificate to the Azure Key Vault, check this:
https://learn.microsoft.com/en-us/azure/key-vault/certificates/tutorial-import-certificate
Check this Doc. Most of the tasks you need are covered there.
https://learn.microsoft.com/en-us/azure/azure-sql/managed-instance/tde-certificate-migrate?tabs=azure-powershell
(3) Step 3: Once you need to use the certificate locally, you can export the certificates from Azure Key Vault as explained here:
https://learn.microsoft.com/en-us/azure/key-vault/certificates/how-to-export-certificate?tabs=azure-powershell
Here is an example using the Get-AzureKeyVaultSecret command as well:
# Replace these variables with your own values
$vaultName = "<KEY_VAULT>"
$certificateName = "<CERTIFICATE_NAME>"
$pfxPath = [Environment]::GetFolderPath("Desktop") + "\$certificateName.pfx"
$password = "<PASSWORD>"
# The certificate, private key included, is stored as a secret with the same name
$pfxSecret = Get-AzureKeyVaultSecret -VaultName $vaultName -Name $certificateName
# The secret value is the base64-encoded PFX, which carries no password
$pfxUnprotectedBytes = [Convert]::FromBase64String($pfxSecret.SecretValueText)
$pfx = New-Object Security.Cryptography.X509Certificates.X509Certificate2
$pfx.Import($pfxUnprotectedBytes, $null, [Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
# Re-export as PKCS#12 protected with $password, then write the file to the Desktop
$pfxProtectedBytes = $pfx.Export([Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $password)
[IO.File]::WriteAllBytes($pfxPath, $pfxProtectedBytes)
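
An added example, not part of the original post: steps 2 and 3 done with the Az.KeyVault cmdlets, with a thumbprint and private-key check so the Key Vault copy is confirmed to be a usable backup before it is relied on. It assumes the Az.KeyVault module, a session from Connect-AzAccount, and a PFX already produced in step 1; the vault name, certificate name and file path are placeholders.

```powershell
# Added example. Assumes Az.KeyVault is installed and Connect-AzAccount has been run.
# Vault name, certificate name and source PFX path are placeholders.
$vaultName       = "<KEY_VAULT>"
$certificateName = "<CERTIFICATE_NAME>"
$sourcePfx       = "<PATH_TO_EXPORTED_PFX>"
$restoredPfx     = Join-Path ([Environment]::GetFolderPath("Desktop")) "$certificateName-restored.pfx"

# Prompt for the PFX password so it never sits in the script or shell history.
$pfxPassword = Read-Host -Prompt "PFX password" -AsSecureString

$flags = [Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable

# Thumbprint of the certificate as exported on premises (the reference value).
$original = [Security.Cryptography.X509Certificates.X509Certificate2]::new($sourcePfx, $pfxPassword, $flags)

# Step 2: import the PFX into Key Vault and confirm the vault holds the same certificate.
$imported = Import-AzKeyVaultCertificate -VaultName $vaultName -Name $certificateName `
    -FilePath $sourcePfx -Password $pfxPassword
if ($imported.Thumbprint -ne $original.Thumbprint) {
    throw "Key Vault thumbprint $($imported.Thumbprint) does not match $($original.Thumbprint)"
}

# Step 3: pull the PFX back. Key Vault returns it base64-encoded with an empty password.
$pfxBase64 = Get-AzKeyVaultSecret -VaultName $vaultName -Name $certificateName -AsPlainText
[byte[]]$pfxBytes = [Convert]::FromBase64String($pfxBase64)
$restored = [Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxBytes, "", $flags)

# A backup is only useful for TDE if the private key came back with it.
if (-not $restored.HasPrivateKey) {
    throw "Restored certificate has no private key; check that the key is exportable in its Key Vault policy"
}
if ($restored.Thumbprint -ne $original.Thumbprint) {
    throw "Restored thumbprint does not match the original"
}

# Re-protect with the password before the bytes are written to disk.
$protectedBytes = $restored.Export([Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $pfxPassword)
[IO.File]::WriteAllBytes($restoredPfx, $protectedBytes)
Write-Output "Round trip verified for thumbprint $($restored.Thumbprint); wrote $restoredPfx"
```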