Note: It's possible to define Key Vault Access Policies both within the `azurerm_key_vault` resource via the `access_policy` block and by using the `azurerm_key_vault_access_policy` resource. However, it's not possible to use both methods to manage Access Policies within a Key Vault, since there will be conflicts.
This is a proof of concept showing how to generate PKCS7 signatures using certificates in Azure Key Vault. The `SignedCms` class in .NET does not have the extensibility today to enable this. As such, I've used Bouncy Castle's methods to create the signature and ensure interop with the `SignedCms` one.
- Create a Windows Key Storage Provider (KSP) that effectively allows usage of Azure Key Vault as a virtual hardware security module (HSM). If Windows could use Azure Key Vault as a KSP, it would better secure the private keys of any certificates in Windows - effectively acting as.
- Generate an intermediate CA (with a Certificate Signing Request, CSR, for signing), or set a PEM-encoded certificate and private key bundle directly into the backend. You'll also need to configure a root CA. You can have Vault generate a self-signed root CA or provide the details for your root CA. There are separate endpoints for each.
- Add or replace the CSR on a pending certificate order. You can begin ordering your DigiCert SSL/TLS certificates from your Azure Key Vault account. To order your certificates, use Azure PowerShell version 2.1.0. Using the defined variables, run this command to create the vault.
Setup
To run these tests, you'll need to import a code signing certificate into an Azure Key Vault. You can do this by importing the PFX for certs you already have, or, the harder way, by generating a CSR in the HSM and using that for an EV Code Signing certificate. You will also need to create a new RSA key using `Add-AzureKeyVaultKey` or the UI mentioned below. Use the key name as the `azureKeyVaultKeyName` in the config and the certificate name as the `azureKeyVaultCertificateName`. Create a service principal / application and grant it access to the Key Vault with the following permissions:
Category | Permission
---|---
Key | Get, Sign
Certificate | Get
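The setup described above in script form, as an added example that is not part of the original project: it uses the current Az PowerShell cmdlets (the page names the older `Add-AzureKeyVaultKey`), assumes an existing vault, and the vault, key and principal names are placeholders. After granting access it reads the policy back and flags anything beyond the Get/Sign and Get permissions the tests need.

```powershell
# Added example (not from the original project). Assumes the Az PowerShell
# module and an existing Key Vault; the names below are placeholders.
$vaultName = 'my-signing-vault'
$keyName   = 'code-signing-key'
$spName    = 'pkcs7-signing-test'

# Create the RSA key inside the HSM (use -Destination Software on a non-premium vault).
Add-AzKeyVaultKey -VaultName $vaultName -Name $keyName -Destination HSM

# Create the service principal the tests will authenticate as.
$sp = New-AzADServicePrincipal -DisplayName $spName

# Grant only what the signing code needs: Get and Sign on keys, Get on certificates.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $sp.Id `
    -PermissionsToKeys get,sign -PermissionsToCertificates get

# Read the policy back and check it carries nothing beyond those permissions.
$policy = (Get-AzKeyVault -VaultName $vaultName).AccessPolicies |
    Where-Object { $_.ObjectId -eq $sp.Id }
$extraKeys  = $policy.PermissionsToKeys         | Where-Object { $_ -notin 'get', 'sign' }
$extraCerts = $policy.PermissionsToCertificates | Where-Object { $_ -ne 'get' }

if ($extraKeys -or $extraCerts -or $policy.PermissionsToSecrets) {
    Write-Warning ("Principal has more than the minimum: keys={0} certs={1} secrets={2}" -f
        ($policy.PermissionsToKeys -join ','),
        ($policy.PermissionsToCertificates -join ','),
        ($policy.PermissionsToSecrets -join ','))
} else {
    Write-Host "Access policy is least-privilege (keys: get,sign; certificates: get)."
}
```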
You'll need to drop a json file called `azure-creds.json` in the tests private directory with the following values:

You'll also need to drop a json file called `config.json` in the tests private directory with the following values. Should be a thumbprint of a cert with a private key in the user store:

Azure Key Vault Explorer
There's a handy GUI for accessing Key Vault that includes support for importing certificates: https://github.com/elize1979/AzureKeyVaultExplorer
The app defaults to logging into an @microsoft.com account, so if you want to connect to a different directory, you need to change the settings first. Change the `Authority` to https://login.windows.net/common and edit the `DomainHints` value to have your AAD domain(s) in it.