Managing certificates with the Azure Key Vault

The 1E PowerShell Toolkit supports the retrieval of certificates from the Azure Key Vault. This article describes how to set up and test an Azure environment and manage certificates with the Key Vault. For specific information on configuring the Toolkit to use the Azure Key Vault, refer to Accessing Certificates from the Azure Key Vault.

About the Azure Key Vault

The Azure Key Vault provides a secure mechanism for storing keys, secrets, and certificates.

  • Secrets: Secrets are any sequence of bytes under 10 KB like connection strings, account keys, or the passwords for PFX (private key files). An authorized application can retrieve a secret for use in its operation.

  • Keys: Keys involve cryptographic material imported into Key Vault, or generated when a service requests the Key Vault to do so.

  • Certificate: An Azure Key Vault certificate is simply a managed X.509 certificate.

For more information, refer to Microsoft’s documentation.

Creating a Key Vault

Refer to Creating an Azure Key Vault.

Vault URI

Note the Vault URI on the Overview page in the Key Vault section of the portal.

Managed identity Client ID

When you created the Key Vault, you normally also assigned privileges to an associated managed identity. Note the client ID of this managed identity.

It is also possible to grant access to other security principals than managed identities. This permits callers who are not associated with a managed identity to access the Key Vault. Normally, in this scenario, the caller must possess a shared secret which they use to authenticate with an application registered on Azure that has been granted appropriate Key Vault access privileges. For more information, refer to Accessing the Azure Key Vault using REST and oAuth.

For the 1E PowerShell Toolkit to be able to access the Key Vault using a managed identity, it must be invoked from a VM which has been assigned the managed identity.

It is also possible to access the Key Vault using a shared secret. This is useful for scenarios where the calling process is not running in an environment which has been assigned a managed identity. For more information, refer to Accessing the Azure Key Vault using REST and oAuth.