Certificate Management
Overview
Azure Key Vault provides centralized certificate management — import existing certificates, create self-signed ones, or integrate with Certificate Authorities (CAs) for automatic issuance and renewal.
Certificate Types in Key Vault
| Type | Description | Use Case |
|---|---|---|
| Imported | Upload existing PFX/PEM | Migrating from on-premises |
| Self-signed | Generated by Key Vault | Dev/test environments |
| CA-issued | Integrated with DigiCert or GlobalSign | Production TLS |
Importing a Certificate
Azure CLI
# Import a PFX certificate
az keyvault certificate import \
--vault-name my-vault \
--name my-cert \
--file ./certificate.pfx \
--password "pfx-password"
# Import a PEM certificate
az keyvault certificate import \
--vault-name my-vault \
--name my-cert \
--file ./certificate.pem
.NET SDK
using System;
using System.IO;
using Azure.Identity;
using Azure.Security.KeyVault.Certificates;

// Vault URI placeholder: replace with your vault's DNS name
var vaultUrl = "https://my-vault.vault.azure.net";
var client = new CertificateClient(new Uri(vaultUrl), new DefaultAzureCredential());

// Read the PFX bundle from disk; the password protects the private key inside it
byte[] pfxBytes = File.ReadAllBytes("certificate.pfx");
var options = new ImportCertificateOptions("my-cert", pfxBytes)
{
    Password = "pfx-password"
};
await client.ImportCertificateAsync(options);
Creating a Self-Signed Certificate
az keyvault certificate create \
--vault-name my-vault \
--name dev-cert \
--policy "$(az keyvault certificate get-default-policy)"
Custom Policy
{
"issuerParameters": { "name": "Self" },
"keyProperties": {
"exportable": true,
"keySize": 2048,
"keyType": "RSA",
"reuseKey": false
},
"secretProperties": { "contentType": "application/x-pkcs12" },
"x509CertificateProperties": {
"subject": "CN=myapp.contoso.com",
"subjectAlternativeNames": {
"dnsNames": ["myapp.contoso.com", "*.myapp.contoso.com"]
},
"validityInMonths": 12
},
"lifetimeActions": [
{
"trigger": { "daysBeforeExpiry": 30 },
"action": { "actionType": "AutoRenew" }
}
]
}
CA Integration (DigiCert / GlobalSign)
Setup Steps
- Create a CA issuer in Key Vault:
az keyvault certificate issuer create \
--vault-name my-vault \
--issuer-name DigiCertIssuer \
--provider-name DigiCert \
--account-id "your-digicert-account" \
--password "your-api-key"
- Create a certificate with CA policy:
{
"issuerParameters": { "name": "DigiCertIssuer" },
"x509CertificateProperties": {
"subject": "CN=api.contoso.com",
"validityInMonths": 12
},
"lifetimeActions": [
{
"trigger": { "daysBeforeExpiry": 60 },
"action": { "actionType": "AutoRenew" }
}
]
}
Auto-Renewal Configuration
The lifetimeActions policy controls automatic renewal:
| Action Type | Behavior |
|---|---|
| AutoRenew | Key Vault automatically renews (self-signed or CA-integrated) |
| EmailContacts | Sends notification to vault contacts |
Trigger Options
- daysBeforeExpiry: Trigger N days before expiration.
- lifetimePercentage: Trigger at N% of certificate lifetime.
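As an added example (not code from the original page), this Python script loads a certificate policy like the custom and CA policies shown above, works out when each trigger type fires for a given validity window, and flags settings that weaken renewal or key handling. The policy JSON and the validity window are constructed for the example.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed policy for this example, modelled on the CA-issued policy above.
POLICY_JSON = """{
  "issuerParameters": {"name": "DigiCertIssuer"},
  "keyProperties": {"exportable": false, "keySize": 2048, "keyType": "RSA", "reuseKey": false},
  "x509CertificateProperties": {"subject": "CN=api.contoso.com", "validityInMonths": 12},
  "lifetimeActions": [
    {"trigger": {"daysBeforeExpiry": 60}, "action": {"actionType": "AutoRenew"}}
  ]
}"""

# Constructed validity window: a 12-month certificate issued 1 Jan 2024.
NOT_BEFORE = datetime(2024, 1, 1, tzinfo=timezone.utc)
EXPIRES = datetime(2025, 1, 1, tzinfo=timezone.utc)


def load_policy(text=POLICY_JSON):
    return json.loads(text)


def renewal_time(not_before, expires, trigger):
    """Instant at which a lifetimeActions trigger fires: daysBeforeExpiry counts
    back from expiry, lifetimePercentage forward from notBefore."""
    if "daysBeforeExpiry" in trigger:
        return expires - timedelta(days=trigger["daysBeforeExpiry"])
    if "lifetimePercentage" in trigger:
        return not_before + (expires - not_before) * (trigger["lifetimePercentage"] / 100)
    raise ValueError("trigger needs daysBeforeExpiry or lifetimePercentage")


def check_policy(policy):
    """Return findings for settings that weaken renewal or key handling."""
    findings = []
    keyp = policy.get("keyProperties", {})
    if keyp.get("keyType") == "RSA" and keyp.get("keySize", 0) < 2048:
        findings.append("RSA key shorter than 2048 bits")
    if keyp.get("reuseKey"):
        findings.append("reuseKey=true: private key is not rotated on renewal")
    actions = policy.get("lifetimeActions", [])
    if not any(a["action"]["actionType"] == "AutoRenew" for a in actions):
        findings.append("no AutoRenew lifetime action")
    for a in actions:
        trig = a["trigger"]
        # Renewing past 80% of lifetime or under 30 days out leaves little slack for CA delays
        late = trig.get("lifetimePercentage", 0) > 80 or 0 < trig.get("daysBeforeExpiry", 0) < 30
        if late:
            findings.append("renewal trigger leaves too little time before expiry")
    return findings
```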
Using Certificates in Azure Services
App Service
az webapp config ssl import \
--resource-group my-rg \
--name my-app \
--key-vault my-vault \
--key-vault-certificate-name prod-cert
Application Gateway
az network application-gateway ssl-cert create \
--resource-group my-rg \
--gateway-name my-gateway \
--name my-ssl-cert \
--key-vault-secret-id "https://my-vault.vault.azure.net/secrets/prod-cert"
Retrieving Certificate and Private Key
using System;
using System.Security.Cryptography.X509Certificates;
using Azure.Identity;
using Azure.Security.KeyVault.Certificates;
using Azure.Security.KeyVault.Secrets;

var vaultUrl = "https://my-vault.vault.azure.net";
var certClient = new CertificateClient(new Uri(vaultUrl), new DefaultAzureCredential());
var secretClient = new SecretClient(new Uri(vaultUrl), new DefaultAzureCredential());
// Get certificate (public key only); needs the certificates/get permission
KeyVaultCertificateWithPolicy cert = await certClient.GetCertificateAsync("my-cert");
// Get full certificate with private key (stored as a secret of the same name);
// this needs the separate secrets/get permission, so grant it only to workloads that must hold the key
KeyVaultSecret secret = await secretClient.GetSecretAsync("my-cert");
// With contentType application/x-pkcs12 the secret value is a base64 PFX (a PEM policy returns PEM text)
byte[] pfxBytes = Convert.FromBase64String(secret.Value);
var x509 = new X509Certificate2(pfxBytes);
Monitoring Certificate Expiry
Key Vault emits Event Grid events:
- Microsoft.KeyVault.CertificateNearExpiry
- Microsoft.KeyVault.CertificateExpired
- Microsoft.KeyVault.CertificateNewVersionCreated
az eventgrid event-subscription create \
--name cert-expiry-alert \
--source-resource-id /subscriptions/{sub}/resourceGroups/my-rg/providers/Microsoft.KeyVault/vaults/my-vault \
--endpoint https://my-func.azurewebsites.net/api/CertExpiryHandler \
--included-event-types Microsoft.KeyVault.CertificateNearExpiry
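The handler behind the endpoint above, as an added example that is not part of the original page: it answers the Event Grid subscription validation handshake, drops deliveries whose topic is not the subscribed vault, and turns CertificateNearExpiry events into alert records. The sample batch is constructed, not captured from a real vault; the `data` field names follow the Key Vault event schema.

```python
import json
from datetime import datetime, timezone

# Constructed Event Grid delivery (not captured from a real vault). The "data" fields
# follow the Key Vault event schema: Id, VaultName, ObjectType, ObjectName, Version, NBF, EXP.
VAULT_TOPIC = "/subscriptions/{sub}/resourceGroups/my-rg/providers/Microsoft.KeyVault/vaults/my-vault"
SAMPLE_BATCH = json.dumps([{
    "id": "event-id-placeholder",
    "topic": VAULT_TOPIC,
    "subject": "prod-cert",
    "eventType": "Microsoft.KeyVault.CertificateNearExpiry",
    "eventTime": "2024-11-02T00:00:00Z",
    "data": {"Id": "https://my-vault.vault.azure.net/certificates/prod-cert/<version>",
             "VaultName": "my-vault", "ObjectType": "Certificate", "ObjectName": "prod-cert",
             "Version": "<version>", "NBF": 1704067200, "EXP": 1735689600},
    "dataVersion": "1", "metadataVersion": "1",
}])


def handle_events(body, expected_topic=VAULT_TOPIC):
    """Process one Event Grid POST body. Returns (status, response_body, alerts)."""
    alerts = []
    for event in json.loads(body):
        # Event Grid proves endpoint ownership before delivering: echo the code back
        if event["eventType"] == "Microsoft.EventGrid.SubscriptionValidationEvent":
            return 200, {"validationResponse": event["data"]["validationCode"]}, alerts
        # Ignore deliveries that do not originate from the vault we subscribed to
        if event.get("topic", "").lower() != expected_topic.lower():
            continue
        if event["eventType"] != "Microsoft.KeyVault.CertificateNearExpiry":
            continue
        d = event["data"]
        expires = datetime.fromtimestamp(d["EXP"], tz=timezone.utc)
        seen_at = datetime.fromisoformat(event["eventTime"].replace("Z", "+00:00"))
        alerts.append({"vault": d["VaultName"], "certificate": d["ObjectName"],
                       "version": d["Version"], "expires": expires.isoformat(),
                       "days_left": (expires - seen_at).days})
    return 200, {"processed": len(alerts)}, alerts


if __name__ == "__main__":
    status, resp, alerts = handle_events(SAMPLE_BATCH)
    for a in alerts:
        print(f"[{a['vault']}] {a['certificate']} expires {a['expires']} ({a['days_left']} days left)")
```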
Best Practices
- Use CA integration for production certificates — avoid manual renewal.
- Set lifetimeActions to auto-renew at 80% lifetime or 60 days before expiry.
- Store certificates in Key Vault rather than in App Service directly.
- Use managed identity for services accessing certificates.
- Monitor expiry events with Event Grid and alert on renewal failures.
- Separate dev and prod vaults — use self-signed in dev, CA-issued in production.
- Enable soft delete to recover accidentally deleted certificates.
- Use PFX format when the private key needs to be exportable.
Summary
Key Vault certificate management provides a complete lifecycle — from creation or import through auto-renewal and expiry monitoring. Integrate with CAs for production certificates, use lifetimeActions for automatic renewal, and leverage Event Grid for proactive alerting.