# Azure Integration for Certificates and TLS Secrets Management from Azure Key Vault

Key Manager Plus Cloud integrates with Microsoft Azure Key Vault, Microsoft's cloud service for storing and managing keys, secrets, and certificates. The integration lets you import the SSL/TLS certificates stored in your Azure Key Vaults into Key Manager Plus Cloud and then request, renew, and manage them from there. You can automate certificate renewal and handle the end-to-end lifecycle of the SSL/TLS certificates stored in Azure Key Vault directly from the Key Manager Plus Cloud web interface.

This document covers the following:

1. [How the Key Manager Plus Cloud — Azure Key Vault Integration Works](#how-the-key-manager-plus-cloudazure-key-vault-integration-works)
2. [Prerequisites](#prerequisites)
3. [Importing Azure Key Vaults](#importing-azure-key-vaults)
4. [Managing Certificates from Azure Key Vaults](#managing-certificates-from-azure-key-vaults)
5. [Managing Azure TLS Secrets](#managing-azure-tls-secrets)

## 1. How the Key Manager Plus Cloud—Azure Key Vault Integration Works

Suppose you manage a number of Key Vaults in the Azure portal, each holding a number of SSL/TLS certificates. In Key Manager Plus Cloud you add an Azure credential (the application ID, tenant ID, subscription ID, and client secret of a registered application), and the product imports the Key Vaults that this credential can see. Once the Key Vaults are added, you can run a discovery operation to find the certificates stored in them. You can also create new certificate requests and renew certificates, both those created in Key Manager Plus Cloud and those imported from Azure Key Vault.

**Additional Detail**

Users can import and manage different versions of the same certificate from Azure Key Vaults.

## 2. Prerequisites

- To set up the Key Manager Plus Cloud - Azure Key Vault integration, you need the following Azure credentials for a registered application: **Application/Client ID, Directory/Tenant ID, Subscription ID**, and **Client Secret**. A client secret carries an expiry date that is set when it is created in the app registration; record it and update the **Key** saved in Key Manager Plus Cloud before the secret lapses, or the integration will stop authenticating.
- Grant the registered application API access to each Key Vault from which you want to import certificates into Key Manager Plus Cloud. Under the vault's **Access Policies**, the application needs **Key permissions, Secret permissions, and Certificate permissions**. (Access policies are the data-plane permission model this integration is documented against; a vault that uses the Azure role-based access control permission model has no access policies, and the equivalent data-plane roles must be assigned to the application instead.) Scope these policies to the operations the integration needs rather than granting every permission: the client secret is a standing credential, and anyone holding it can perform every operation the policies allow.
- The application also needs permission to list the Key Vaults in the subscription. To grant it, open the subscription (or the resource groups that contain the vaults) in the Azure portal and navigate to **Access Control (IAM) >> Add >> Add role assignment**. Select the **Key Vault Reader** role, then under **Assign access to** choose **User, group, or service principal** and pick the registered application. **Key Vault Reader** is a control-plane role that reads vault metadata only; it does not by itself grant access to certificate, key, or secret contents, which is why the access policies above are still required.

![azure-keyvault-1](https://cdn.manageengine.com/sites/meweb/images/key-manager/help-cloud/azure-keyvault-1.png)

## 3. Importing Azure Key Vaults

To import Key Vaults and their certificates from the Azure portal, first add the Azure credentials in Key Manager Plus Cloud.

1. Navigate to **Integrations >> Others >> Azure** and click **Manage** at the top-right corner of the page.
2. On the page that appears, click **Add**.

   ![azure-keyvault-2](https://cdn.manageengine.com/sites/meweb/images/key-manager/help-cloud/azure-keyvault-2.png)

3. In the **Add Azure Credentials** pop-up window, enter the following attributes:
   1. **Credential Name:** A unique name for identifying this set of Azure credentials.
   2. **Subscription ID:** The subscription ID of your Azure account.
   3. **Directory ID:** The directory (tenant) ID of your Azure account.
   4. **Application ID:** The application (client) ID of the registered Azure app.
   5. **Key:** The client secret generated for the registered Azure app.
4. Click **Save** to save the Azure credentials.
Once the credentials are saved, all the Key Vaults visible to that credential are imported into Key Manager Plus Cloud automatically and listed under the **Key Vault** tab. If the Key Vaults are not imported, click **Sync** to start the process manually.

If any **Issuer IDs** are saved in your Azure portal, click **Sync** and choose a **Key Vault** in the pop-up that appears. The issuer certificates from the selected Key Vault are then listed under the **Issuer** tab.

![azure-keyvault-3](https://cdn.manageengine.com/sites/meweb/images/key-manager/help-cloud/azure-keyvault-3.png)

## 4. Managing Certificates from Azure Key Vaults

This section explains how to discover Azure Key Vault certificates, create certificate requests, renew certificates, and perform related operations.

### 4.1 Discovering Certificates from Azure Key Vaults

Key Manager Plus Cloud can discover and import the SSL/TLS certificates managed in the Azure portal and configure expiry notifications for them. To discover Azure Key Vault certificates:

1. Navigate to **Discovery >> Azure** or **Integrations >> Others >> Azure >> Discovery**.

   ![azure-keyvault-4](https://cdn.manageengine.com/sites/meweb/images/key-manager/help-cloud/azure-keyvault-4.png)

2. On the **Azure Discovery** page, select the following attributes:
   1. **Credential Name:** The Azure credential through which the Key Vaults were imported.
   2. **Key Vault:** The Key Vault from which certificates are to be imported. If the certificate list is out of date, click the **Sync** icon beside the field to refresh it from the Azure portal.
   3. **Discovery Type:** Select **Azure Discovery** from the dropdown.
3. Enable the **Import Previous Versions** checkbox to import every available version of the certificates in the selected Key Vault.
4. Click **Import** to discover the Azure Key Vault certificates.

The certificates discovered from the selected Azure Key Vault are imported and listed under **Integrations >> Others >> Azure >> Certificates**.

**Caution**

Every version of an Azure Key Vault certificate is treated as an individual certificate in Key Manager Plus Cloud and counts against your license limit. Check how many versions a vault holds before enabling **Import Previous Versions**.

### 4.2 Creating a Certificate Request

Key Manager Plus Cloud supports creating SSL certificate requests for the configured Azure Key Vaults. You can also create a new version of an existing certificate by reusing its certificate name. Every certificate request created in Key Manager Plus Cloud is automatically created in the Azure portal as well.

To create a certificate request, follow the steps below:

1. Navigate to **Integrations >> Others >> Azure** and click **Request Certificate** from the top menu.

   ![azure-keyvault-5](https://cdn.manageengine.com/sites/meweb/images/key-manager/help-cloud/azure-keyvault-5.png)

2. On the page that appears:
   1. Select the **Credential Name** and **Key Vault** from the respective dropdowns.
   2. Enter the **Certificate Name, Domain Name, SANs** (multiple SAN values are allowed, comma-separated), and **Email Address**.
   3. Choose a **Key Algorithm** and **Key Size** from the dropdowns and enter the organization and location details.
   4. Enter the certificate **Validity** (in months) and choose either **Send email to contacts upon expiry** or **Auto-renew upon certificate expiry** from the **Lifetime Action** dropdown. The first option sends an email notification to the certificate contacts configured in the Azure portal; the second renews the certificate automatically.
   5. Enter the **Number of days before the Lifetime Action**, that is, how many days before expiry the chosen action runs.
   6. To add optional properties to the new certificate, click **Advanced Options** to expand the menu. There are two categories of options, **Key Usage** and **Extended Key Usage**. Select the required options to set the flags that denote the purposes for which the new certificate may be used.
   7. After entering the necessary details, click **Request Certificate**. A new certificate request is created in both Key Manager Plus Cloud and the Azure portal.
3. Once the request is created, go to the **Request Status** tab to view the status and other details of the certificate.
4. To obtain the latest certificate issued for your request, click the **Obtain Certificate** icon beside the certificate. This retrieves the selected certificate from the Azure portal. Similarly, clicking the **Obtain History** icon retrieves all versions of the selected certificate from the Azure portal.

### 4.3 Renewing Certificates

Key Manager Plus Cloud lets you renew Azure certificates directly from its interface. To renew a certificate:

1. Navigate to **Integrations >> Others >> Azure >> Azure Certificates**.
2. From the list of certificates, select the one you want to renew and click **Renew** from the top menu.
3. In the pop-up window, enter the **Validity** (in months) and click **Renew**.

The certificate is renewed with the specified validity period and updated in both Key Manager Plus Cloud and the Azure portal.

**Caution**

The following Azure Key Vault certificates cannot be renewed from Key Manager Plus Cloud:

- Certificates issued by a third-party issuer and managed in the Azure portal.
- Previous versions of existing certificates.

### 4.4 Deleting Certificates

To delete Azure Key Vault certificates from Key Manager Plus Cloud:

1. Navigate to **Integrations >> Others >> Azure >> Azure Certificates**.
2. Select one or more certificates using the checkboxes.
3. Click **Delete** from the top menu.
4. In the confirmation dialog box, click **OK** to delete the selected certificates.
**Additional Detail**

The certificate is deleted only from the Key Manager Plus Cloud interface; this operation does not affect the certificate in the Azure portal.

### 4.5 Filtering Certificates

To filter the available Azure Key Vault certificates in Key Manager Plus Cloud by version:

1. Navigate to **Integrations >> Others >> Azure >> Azure Certificates**.
2. Click the **Show** dropdown and choose one of the following options:
   1. **Current Certificate** - Displays only the current version of each certificate.
   2. **Previous Versions** - Displays the older versions of the available certificates.
   3. **All** - Displays all versions of the available certificates.

## 5. Managing Azure TLS Secrets

As part of the integration, you can manage the TLS secrets stored in Azure Key Vault alongside SSL certificates from Key Manager Plus Cloud. You can also create new TLS secrets and deploy them to the desired Azure Key Vault.

**Caution**

Only the TLS secrets of an Azure Key Vault are managed under Azure Secrets in Key Manager Plus Cloud; other kinds of secrets stored in the vault are not imported.

### 5.1 Discovering TLS Secrets from Azure Key Vault

Key Manager Plus Cloud can discover the TLS secrets stored in Azure Key Vault and manage them from its interface. To discover TLS secrets from Azure Key Vault into Key Manager Plus Cloud:

1. Navigate to **Discovery >> Azure** or **Integrations >> Others >> Azure >> Azure Secrets >> Discovery**.
2. Choose the appropriate **Azure Credential Name, Key Vault**, and **Discovery Type** for the TLS secrets you want to discover. To add a new Azure credential for importing TLS secrets, use the **Add Azure Credential** button beside the **Credential Name** field.

   ![azure-keyvault-6](https://cdn.manageengine.com/sites/meweb/images/key-manager/help-cloud/azure-keyvault-6.png)

3. To store the certificates carried by the discovered secrets in the Key Manager Plus Cloud SSL inventory, enable the checkbox labeled **Add discovered certificate type secrets to SSL**.
4. Click **Import** to discover the TLS secrets from Azure Key Vault into Key Manager Plus Cloud.

### 5.2 Managing Azure TLS Secrets from Key Manager Plus Cloud

To manage Azure TLS secrets from Key Manager Plus Cloud, navigate to **Integrations >> Others >> Azure >> Azure Secrets**. This tab lists all the discovered and newly created TLS secrets of your Azure Key Vaults.

**5.2.1 Creating a New Azure TLS Secret**

To create a new Azure TLS secret from Key Manager Plus Cloud:

1. From the **Azure Secrets** tab, click **Create Secret** in the top menu.

   ![azure-keyvault-7](https://cdn.manageengine.com/sites/meweb/images/key-manager/help-cloud/azure-keyvault-7.png)

2. In the pop-up window, enter the **Credential Name, Key Vault**, and **Secret Name**, and upload the SSL certificate in **.pfx** format. A .pfx file bundles the certificate with its private key, so the file itself is sensitive: obtain it over a trusted channel and remove local copies once the secret has been created.
3. After filling in the required details, select the **Secret Status** and click **Create Secret**. The new Azure TLS secret is created in the selected Key Vault.

**5.2.2 Updating an Azure TLS Secret**

To update an Azure TLS secret:

1. From the **Azure Secrets** tab, select the secret from the list.
2. Click **Update Secret** from the top menu.
3. In the pop-up window, modify the **Activate/Expiration Date** and **Secret Status** as needed, and click **Save**.

![azure-keyvault-8](https://cdn.manageengine.com/sites/meweb/images/key-manager/help-cloud/azure-keyvault-8.png)

**5.2.3 Maintaining Sync Status of the Azure TLS Secret**

A new version of an Azure TLS secret may be created in the Microsoft Azure portal without being synchronized to Key Manager Plus Cloud. To bring the secret back in sync:

1. Select the relevant Azure TLS secret, click **Rediscover** from the top menu, and allow the rediscovery process to complete. This updates the TLS secret in Key Manager Plus Cloud to its latest version.
2. To obtain the new version of the secret's certificate, click the **Obtain Certificate** icon next to the **Secret Status**, choose the credential associated with the Key Vault secret, and click **Obtain Certificate**.

   ![azure-keyvault-9](https://cdn.manageengine.com/sites/meweb/images/key-manager/help-cloud/azure-keyvault-9.png)

The new version of the secret's certificate is updated in Key Manager Plus Cloud and can be viewed or exported by clicking the **View Associated Certificate** icon.

![azure-keyvault-10](https://cdn.manageengine.com/sites/meweb/images/key-manager/help-cloud/azure-keyvault-10.png)

If needed, you can delete Azure TLS secrets from Key Manager Plus Cloud using the **Delete** button in the top menu.

**Additional Detail**

Deleting an Azure TLS secret from Key Manager Plus Cloud does not remove it from Azure Key Vault. To delete the TLS secret permanently, do so from the Azure portal.
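The prerequisites in section 2, the license caution in section 4.1 and the TLS-secret scope in section 5 all turn on things that are hard to see from the web interface: whether the registered application can actually list the vaults and read their contents, how many certificate versions an import with **Import Previous Versions** would pull in, and which secrets count as TLS secrets. The following Python script is an added example written for this page; it is not part of Key Manager Plus Cloud and not Microsoft's code. It authenticates with the same four values the integration asks for (tenant, application, client secret, subscription), lists the vaults in the subscription, and for each vault counts current and previous certificate versions and TLS-type secrets, recording every vault whose data plane answers HTTP 403, the symptom of a missing access policy. Assumptions: the `azure-identity`, `azure-mgmt-keyvault`, `azure-keyvault-certificates` and `azure-keyvault-secrets` packages are installed; the credentials are read from the environment variables `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET` and `AZURE_SUBSCRIPTION_ID` (names chosen for this example); and a secret is treated as a TLS secret when its content type is `application/x-pkcs12` or `application/x-pem-file`, which is how Key Vault exposes the private-key half of a certificate (how Key Manager Plus Cloud itself classifies TLS secrets is not stated on this page). The summary functions are pure and run offline on the constructed sample records at the bottom of the script.

```python
"""Pre-flight check for the Azure Key Vault integration (added example, not Key Manager Plus Cloud code)."""
import os
from dataclasses import dataclass
from typing import Iterable, Optional

# Assumption: Key Vault exposes the private-key half of a certificate as a secret with one of
# these content types. How Key Manager Plus Cloud itself classifies "TLS secrets" is not on the page.
TLS_SECRET_CONTENT_TYPES = {"application/x-pkcs12", "application/x-pem-file"}


@dataclass(frozen=True)
class CertVersion:
    vault: str
    name: str
    version: str
    enabled: bool


@dataclass(frozen=True)
class SecretInfo:
    vault: str
    name: str
    content_type: Optional[str]


def summarize_certificates(versions: Iterable[CertVersion]) -> dict:
    """Size an import. Every version is one licensed certificate in Key Manager Plus Cloud, so
    'all_versions' is the cost with Import Previous Versions enabled and 'certificates' without it."""
    by_cert: dict = {}
    for v in versions:
        by_cert.setdefault((v.vault, v.name), []).append(v)
    total = sum(len(vs) for vs in by_cert.values())
    return {"certificates": len(by_cert), "all_versions": total,
            "previous_versions": total - len(by_cert)}


def tls_secrets(secrets: Iterable[SecretInfo]) -> list:
    """Secrets the integration would list under Azure Secrets (see the assumption above)."""
    return sorted((s.vault, s.name) for s in secrets if s.content_type in TLS_SECRET_CONTENT_TYPES)


def collect_from_azure(tenant_id: str, client_id: str, client_secret: str, subscription_id: str,
                       include_previous_versions: bool = True) -> tuple:
    """Live inventory using the four values the integration asks for. Returns
    (cert_versions, secrets, denied_vaults); a vault lands in denied_vaults when its data plane
    answers 403, i.e. the application has no (or too narrow an) access policy on that vault."""
    from azure.core.exceptions import HttpResponseError
    from azure.identity import ClientSecretCredential
    from azure.keyvault.certificates import CertificateClient
    from azure.keyvault.secrets import SecretClient
    from azure.mgmt.keyvault import KeyVaultManagementClient

    cred = ClientSecretCredential(tenant_id, client_id, client_secret)
    mgmt = KeyVaultManagementClient(cred, subscription_id)  # control plane: needs Key Vault Reader
    certs, secrets, denied = [], [], []
    for vault in mgmt.vaults.list_by_subscription():
        url = vault.properties.vault_uri
        cert_client = CertificateClient(vault_url=url, credential=cred)
        secret_client = SecretClient(vault_url=url, credential=cred)
        try:
            for p in cert_client.list_properties_of_certificates():
                props = (cert_client.list_properties_of_certificate_versions(p.name)
                         if include_previous_versions else [p])
                for vp in props:
                    certs.append(CertVersion(vault.name, vp.name, vp.version, bool(vp.enabled)))
            for s in secret_client.list_properties_of_secrets():
                secrets.append(SecretInfo(vault.name, s.name, s.content_type))
        except HttpResponseError as exc:
            if exc.status_code != 403:
                raise
            denied.append(vault.name)
    return certs, secrets, denied


# Constructed sample records (not real vaults) so the summaries run offline.
SAMPLE_CERT_VERSIONS = [
    CertVersion("kv-prod", "web-tls", "8a1f", True),    # current version
    CertVersion("kv-prod", "web-tls", "5c02", False),   # two previous versions: each costs a license
    CertVersion("kv-prod", "web-tls", "1d9e", False),
    CertVersion("kv-prod", "api-tls", "77b3", True),
    CertVersion("kv-dev", "web-tls", "0f44", True),
]
SAMPLE_SECRETS = [
    SecretInfo("kv-prod", "web-tls", "application/x-pkcs12"),   # TLS secret behind a certificate
    SecretInfo("kv-prod", "db-password", None),                   # generic secret: not a TLS secret
    SecretInfo("kv-dev", "web-tls", "application/x-pem-file"),
    SecretInfo("kv-dev", "api-key", "text/plain"),
]

if __name__ == "__main__":
    keys = ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET", "AZURE_SUBSCRIPTION_ID")
    if all(os.environ.get(k) for k in keys):
        certs, secrets, denied = collect_from_azure(*(os.environ[k] for k in keys))
    else:  # no credentials in the environment: run on the constructed sample
        certs, secrets, denied = SAMPLE_CERT_VERSIONS, SAMPLE_SECRETS, []
    print("license impact:", summarize_certificates(certs))
    print("TLS secrets:", tls_secrets(secrets))
    print("vaults refusing data-plane access (check Access Policies):", denied)
```

Run it with the four values in the environment to inventory live vaults; without them it runs on the sample. A vault that appears in the denied list was visible through the control-plane role but refused the data-plane call, which is exactly the split between **Key Vault Reader** and **Access Policies** described in the prerequisites. The `all_versions` figure is what the license will be charged for if **Import Previous Versions** is enabled for every vault.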