Configuring Azure Key Vault

The SCM integration with Azure Key Vault lets you use a connected Azure Key Vault for certificate discovery, enrollment, and storage directly from SCM.

The integration with Azure Key Vault enables the following:

  • Certificate Discovery — Create Azure Key Vault discovery tasks within SCM to identify and manage certificates stored in a connected Azure Key Vault.

  • Automatic CSR Generation and SSL Certificate Storage — Utilize Azure Key Vault for automated CSR generation and secure storage of SSL certificates during the enrollment process through SCM’s built-in wizard.

The Azure Key Vault integration is only available if enabled for your account. For more information, contact your Sectigo account manager.

The process of configuring Azure and SCM for use with Azure Key Vault involves the following:

  1. Verify you have satisfied the prerequisites.

  2. Register an application in Azure.

  3. Add an Azure account in SCM connected to the registered application.

  4. (Certificate discovery) Configure Azure Key Vault discovery tasks in SCM.

  5. (Certificate enrollment) Request SSL certificates using the built-in wizard in SCM and store them in Azure Key Vault.

    For certificate enrollment, see the SCM administrator’s guide.

Prerequisites

SCM integration with Azure Key Vault requires the following:

  • An active Azure subscription.

  • Azure Global Administrator permissions.

  • At least one resource group configured.

  • At least one Key Vault assigned to the resource group.

  • Access granted for the following Sectigo Certificate Manager public IP ranges:

    • 91.199.212.0/24

    • 91.209.196.0/24

    • 91.212.12.0/24

Register an application in Azure

The steps for registering an application in Azure and granting access to a Key Vault differ depending on whether your Key Vault is configured to use Azure role-based access control (RBAC) or a Vault access policy.

Azure Key Vault access configurations can be managed in Azure on the Access configurations page for your Key Vault. Follow the procedure that matches your Key Vault's permission model; steps 1 through 5 are the same in both, and only step 6 differs.

Azure RBAC

  1. Log in to Microsoft Azure.

  2. Create an application to connect to SCM.

    1. Navigate to the App registrations page, and click New registration.

    2. Enter a name for the application.

    3. Select Accounts in this organizational directory only.

    4. Click Register.

      Save the Application (client) ID and Directory (tenant) ID for use when creating an Azure account in SCM.

  3. Create a client secret.

    1. Under the application, navigate to the Certificates & secrets page.

    2. On the Client secrets tab, click New client secret.

    3. Provide a description and expiration period for the client secret, and click Add.

      Save the Value for use when creating an Azure account in SCM.

  4. Set API permissions for the application.

    1. Under the application, navigate to the API permissions page.

    2. Click Add a permission, and select Azure Key Vault.

    3. Under Select permissions, select user_impersonation.

    4. Click Add permissions.

  5. Grant the application access to the resource group containing the Key Vault.

    1. Navigate to the Resource groups page, and select the resource group containing the appropriate Key Vault.

    2. Under the resource group, navigate to the Access control (IAM) page, click Add, and select Add role assignment.

    3. On the Role tab, under Job function roles, select Key Vault Contributor, and click Next.

    4. For Assign access to, select User, group, or service principal.

    5. For Members, click + Select members, select the application created in the previous steps, and click Select.

    6. Click Review + assign.

  6. Configure access to the Key Vault.

    1. Navigate to the Key Vaults page, and select the appropriate Key Vault.

    2. Under the Key Vault, navigate to the Access control (IAM) page, click Add, and select Add role assignment.

    3. On the Role tab, under Job function roles, select Key Vault Administrator, and click Next.

    4. For Assign access to, select User, group, or service principal.

    5. For Members, click + Select members, select the application created in the previous steps, and click Select.

    6. Click Review + assign.

Now that the application is registered in Azure, you can create an Azure account in SCM. For more information, see Understanding Azure accounts.

Vault access policy

  1. Log in to Microsoft Azure.

  2. Create an application to connect to SCM.

    1. Navigate to the App registrations page, and click New registration.

    2. Enter a name for the application.

    3. Select Accounts in this organizational directory only.

    4. Click Register.

      Save the Application (client) ID and Directory (tenant) ID for use when creating an Azure account in SCM.

  3. Create a client secret.

    1. Under the application, navigate to the Certificates & secrets page.

    2. On the Client secrets tab, click New client secret.

    3. Provide a description and expiration period for the client secret, and click Add.

      Save the Value for use when creating an Azure account in SCM.

  4. Set API permissions for the application.

    1. Under the application, navigate to the API permissions page.

    2. Click Add a permission, and select Azure Key Vault.

    3. Under Select permissions, select user_impersonation.

    4. Click Add permissions.

  5. Grant the application access to the resource group containing the Key Vault.

    1. Navigate to the Resource groups page, and select the resource group containing the appropriate Key Vault.

    2. Under the resource group, navigate to the Access control (IAM) page, click Add, and select Add role assignment.

    3. On the Role tab, under Job function roles, select Key Vault Contributor, and click Next.

    4. For Assign access to, select User, group, or service principal.

    5. For Members, click + Select members, select the application created in the previous steps, and click Select.

    6. Click Review + assign.

  6. Configure access to the Key Vault.

    1. Navigate to the Key Vaults page, and select the appropriate Key Vault.

    2. Under the Key Vault, navigate to the Access policies page, and click Create.

    3. In the Configure from a template menu, select Certificate Management, leave the default permissions, and click Next.

    4. Select the application created in the previous steps, and click Next.

    5. Click Next and then Create.

Now that the application is registered in Azure, you can create an Azure account in SCM. For more information, see Understanding Azure accounts.
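As an added check (example code written for this page, not Sectigo's or Azure's own tooling), the audit below reads role assignments and a vault's network rules in the JSON shapes returned by `az role assignment list` and `az keyvault show`, reports any role the SCM service principal holds beyond Key Vault Contributor on the resource group and Key Vault Administrator on the vault (the Azure RBAC procedure above), and lists any Sectigo range from the prerequisites that the vault firewall does not allow. The principal id, subscription, resource names and sample data are constructed for illustration.

```python
import ipaddress

# Sectigo Certificate Manager public ranges listed in the prerequisites above.
SECTIGO_RANGES = ["91.199.212.0/24", "91.209.196.0/24", "91.212.12.0/24"]
# Roles the Azure RBAC procedure assigns, keyed by the scope level each belongs at.
EXPECTED_ROLES = {"resourceGroups": "Key Vault Contributor", "vaults": "Key Vault Administrator"}
SCM_PRINCIPAL = "00000000-aaaa-0000-0000-000000000001"  # hypothetical service principal object id
VAULT_SCOPE = "/subscriptions/sub-1/resourceGroups/rg-pki/providers/Microsoft.KeyVault/vaults/kv-pki"

# Constructed sample shaped like `az role assignment list --all --assignee <id> -o json` output.
SAMPLE_ASSIGNMENTS = [
    {"principalId": SCM_PRINCIPAL, "roleDefinitionName": "Key Vault Contributor",
     "scope": "/subscriptions/sub-1/resourceGroups/rg-pki"},
    {"principalId": SCM_PRINCIPAL, "roleDefinitionName": "Key Vault Administrator",
     "scope": VAULT_SCOPE},
    {"principalId": SCM_PRINCIPAL, "roleDefinitionName": "Owner", "scope": "/subscriptions/sub-1"},  # excess
]
# Constructed sample shaped like the networkAcls block of `az keyvault show`; one range is missing.
SAMPLE_VAULT = {"properties": {"networkAcls": {
    "defaultAction": "Deny",
    "ipRules": [{"value": "91.199.212.0/24"}, {"value": "91.209.196.0/24"}]}}}

def scope_level(scope):
    """Classify an ARM scope string as 'subscription', 'resourceGroups' or 'vaults'."""
    parts = scope.strip("/").split("/")
    if "vaults" in parts:
        return "vaults"
    if "resourceGroups" in parts:
        return "resourceGroups"
    return "subscription"

def audit_assignments(assignments, principal_id):
    """List roles the principal holds that are not the one this page prescribes for that scope."""
    findings = []
    for a in assignments:
        if a["principalId"] != principal_id:
            continue
        if EXPECTED_ROLES.get(scope_level(a["scope"])) != a["roleDefinitionName"]:
            findings.append(f"unexpected {a['roleDefinitionName']} at {a['scope']}")
    return findings

def missing_sectigo_ranges(vault):
    """Sectigo ranges not covered by the vault firewall's IP rules (checked only when default is Deny)."""
    acls = vault["properties"]["networkAcls"]
    if acls.get("defaultAction") != "Deny":
        return []  # firewall open to all networks; the allow-list is not consulted
    allowed = [ipaddress.ip_network(r["value"]) for r in acls.get("ipRules", [])]
    return [r for r in SECTIGO_RANGES
            if not any(ipaddress.ip_network(r).subnet_of(n) for n in allowed)]
```

Run it against real exports by loading the two JSON files with `json.load` and passing them to the two functions with the SCM application's object id.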