Integration with Azure Key Vault

PAM360 integrates with Microsoft Azure Key Vault, a cloud service for managing SSL certificates. The integration lets users request, renew, and manage the SSL certificates stored in Azure Key Vault by importing them into the PAM360 repository. You can automate certificate renewal and the end-to-end lifecycle management of the SSL/TLS certificates stored and managed in Azure Key Vault, directly from the PAM360 web interface.

  1. How does the PAM360 - Azure Key Vault Integration Work?
  2. Importing Azure Key Vaults
  3. Discovering Certificates from Azure Key Vaults
  4. Creating a Certificate Request
  5. Renewing, Deleting, Filtering all Versions of Certificates

1. How does the PAM360 - Azure Key Vault Integration Work?

Let's say you manage a number of Key Vaults in the Azure portal, each containing a number of SSL certificates. PAM360 lets you add your Azure credentials in the product and then automatically imports the Key Vaults that those credentials can access into the PAM360 repository. Once your Key Vaults are added, you can discover the certificates stored in them using the discovery operation. PAM360 allows you to create new certificate requests and to renew existing certificates, whether they were created in PAM360 or imported from Azure Key Vault. You can also import and manage different versions of the same certificate from the Key Vaults.

Prerequisites:
1. The following Azure credentials are required for the PAM360 - Azure Key Vault integration: Application/client ID, Directory/tenant ID, Subscription ID, and client secret.
2. You must provide API access permission to each Key Vault from which you wish to import certificates into PAM360. The Key Vaults you import into PAM360 must also grant the credential Key permissions, Secret permissions, and Certificate permissions under Access Policies.
3. The Key Vault owner must have permission to list the key vaults. To grant this, go to Access Control (IAM) >> Add >> Add role assignment and, under Assign access to, select User, group, or service principal.
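The following script is an added example, not PAM360's or Microsoft's code, that sets up the prerequisites above with the Azure CLI from the least-privilege side: a dedicated service principal with the Reader role on the subscription (sufficient to list the key vaults, which is what the IAM step asks for) and a Key Vault access policy granting only the key, secret and certificate permissions the integration uses. The principal name, subscription ID, vault name and application ID are placeholders; the exact permission lists are my choice for a read/import/request/renew workflow and are not values the page prescribes. By default the script only prints the az commands (AZ_DRY_RUN=1); set AZ_DRY_RUN=0 to run them in a logged-in az session.

```shell
#!/bin/sh
# Added example (not PAM360/Microsoft code): provision a least-privilege
# service principal for the PAM360 - Azure Key Vault integration.
# All names and IDs are placeholders to be replaced.

AZ_DRY_RUN="${AZ_DRY_RUN:-1}"   # 1 = print commands only, 0 = execute

run() {
    if [ "$AZ_DRY_RUN" = "0" ]; then
        "$@"
    else
        printf 'DRY-RUN: %s\n' "$*"
    fi
}

# Permission sets limited to discover, import, request and renew.
# 'purge' and 'recover' are deliberately not granted.
CERT_PERMS="get list create update import delete"
# A Key Vault certificate's private key material is exposed as a secret,
# so secret 'get' is what allows the certificate itself to be imported.
SECRET_PERMS="get list"
KEY_PERMS="get list"

create_service_principal() {
    # $1 = display name, $2 = subscription ID
    # Reader on the subscription lets the principal enumerate key vaults
    # (the IAM role assignment in prerequisite 3). Narrow the scope to a
    # resource group if all vaults live in one.
    run az ad sp create-for-rbac --name "$1" --role Reader --scopes "/subscriptions/$2"
}

grant_vault_access() {
    # $1 = key vault name, $2 = application (client) ID of the principal
    run az keyvault set-policy --name "$1" --spn "$2" \
        --certificate-permissions $CERT_PERMS \
        --secret-permissions $SECRET_PERMS \
        --key-permissions $KEY_PERMS
}

# Example usage with placeholder values.
create_service_principal "pam360-keyvault-integration" "00000000-0000-0000-0000-000000000000"
grant_vault_access "contoso-prod-kv" "11111111-1111-1111-1111-111111111111"
```

The appId, password and tenant printed by az ad sp create-for-rbac map onto the Application ID, Key and Directory ID fields of the Add Azure Credentials form described in section 2.1. az keyvault set-policy applies to vaults using the access-policy permission model; a vault configured for Azure RBAC takes role assignments on the vault instead.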


2. Importing Azure Key Vaults

To begin importing Key Vaults and their corresponding certificates from the Azure portal, you must add your Azure credentials in the PAM360 interface.

2.1 Adding Azure Credentials

To import all key vaults that are being managed in the Azure portal, you must add your Azure credentials in PAM360. Follow the steps below:

  1. Navigate to 'Certificates >> Azure'.
  2. Go to Manage and click Add.
  3. In the Add Azure Credentials pop-up, enter the following attributes:
    a. Credential Name - enter a unique credential name
    b. Subscription ID
    c. Directory ID
    d. Application ID
    e. Key
  4. Click Save.

Once your credentials are saved, all the key vaults that are related to the saved credential will be automatically imported into PAM360. All the imported vaults will be visible under the Key Vault tab. In case the key vaults are not imported, click the Sync button to manually kick-start the process. If you have any Issuer IDs saved in your Azure portal, press Sync and choose a Key Vault from the pop-up that appears. Now all the issuer certificates from the selected Key Vault will be listed under the Issuer tab.

3. Discovering Certificates from Azure Key Vaults

PAM360 enables you to discover, import, and configure expiry notifications for SSL certificates managed in the Azure portal.

  1. Navigate to 'Certificates >> Discovery >> Azure'.
  2. Choose the following attributes from the drop-downs:
    a. Credential Name - the Azure credential whose key vaults you wish to import from.
    b. Key Vault - the key vault from which you wish to import certificates. If the certificate list appears out of date, click the sync icon beside the Key Vault drop-down to manually sync the list from the Azure portal.
  3. Select the Import Previous Versions option to import all available versions of the certificates in the key vault, then click Import.

Now all the certificates from the selected Azure Key Vault will be imported and listed in the Azure tab.

Note: Every version of a certificate is treated as an individual certificate in PAM360 and therefore counts toward your license.

4. Creating a Certificate Request

PAM360 allows you to create SSL certificate requests under a chosen Azure credential, in the Azure key vault you require. You can also create new versions of existing certificates by providing the same certificate name. All certificate requests created in PAM360 are automatically reflected in the Azure portal. Follow the steps below:

  1. Navigate to 'Certificates >> Azure' and click Request Certificate.
  2. Choose your Azure credential and the required key vault from the drop-downs.
  3. Provide the certificate name, domain name, and SANs. You can add multiple SAN values separated by commas.
  4. Enter an email address, choose a Key Algorithm and Key Size from the drop-downs, and enter the location details.
  5. Enter the certificate validity in months and choose a Lifetime Action from the drop-down: either auto-renew the certificate upon expiry or send an email notification to your certificate contacts in the Azure portal.
  6. Enter the number of days before expiry at which the chosen Lifetime Action must be invoked.
  7. To add optional properties to the new certificate, click Advanced Options to expand the menu. It has two categories, Key Usage and Extended Key Usage; select the flags that denote the purposes for which the new certificate may be used. The available options include Non Repudiation, Digital Signature, Data or Key Encipherment, and Server/Client Authentication. You can mark a chosen property as critical by selecting its checkbox.
  8. After adding all the details, click Request Certificate. A new certificate request is created in both PAM360 and the Azure portal.
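As an added example (not PAM360's code, and not a description of how PAM360 itself talks to Azure), the Python below shows what the Request Certificate form fields correspond to in an Azure Key Vault certificate policy: the domain name becomes the subject CN, the comma-separated SAN field becomes the dns_names list, the Lifetime Action and days-before-expiry become a lifetime_actions entry (AutoRenew or EmailContacts), and the Key Usage and Extended Key Usage choices become key_usage flags and EKU OIDs. The JSON layout follows the Key Vault REST API certificate policy; the certificate-name pattern, the accepted key sizes and the 28-days-per-month bound used when validating the trigger are assumptions made for this example.

```python
"""Map the PAM360 'Request Certificate' form fields onto an Azure Key Vault
certificate policy.

Added example, not PAM360 code. The document shape follows the Key Vault
REST API certificate policy (issuer, x509_props, key_props, lifetime_actions);
how PAM360 submits the request is not described on the page and is assumed.
"""
import json
import re

# Key Usage flags as the Key Vault REST API spells them.
KEY_USAGE_FLAGS = {
    "Digital Signature": "digitalSignature",
    "Non Repudiation": "nonRepudiation",
    "Key Encipherment": "keyEncipherment",
    "Data Encipherment": "dataEncipherment",
}
# Extended Key Usage is expressed as OIDs.
EKU_OIDS = {
    "Server Authentication": "1.3.6.1.5.5.7.3.1",
    "Client Authentication": "1.3.6.1.5.5.7.3.2",
}
RSA_KEY_SIZES = {2048, 3072, 4096}            # assumption: sizes offered by the form
EC_CURVES = {256: "P-256", 384: "P-384", 521: "P-521"}
LIFETIME_ACTIONS = {"AutoRenew", "EmailContacts"}


def parse_sans(text):
    """Split the comma-separated SAN field; drop blanks and case-insensitive duplicates."""
    names = []
    for item in text.split(","):
        name = item.strip().lower()
        if name and name not in names:
            names.append(name)
    return names


def key_props(key_algorithm, key_size):
    """RSA keys are sized by key_size; EC keys select a named curve instead."""
    if key_algorithm == "RSA":
        if key_size not in RSA_KEY_SIZES:
            raise ValueError(f"unsupported RSA key size {key_size}")
        return {"kty": "RSA", "key_size": key_size, "exportable": True, "reuse_key": False}
    if key_algorithm == "EC":
        if key_size not in EC_CURVES:
            raise ValueError(f"unsupported EC key size {key_size}")
        return {"kty": "EC", "crv": EC_CURVES[key_size], "exportable": True, "reuse_key": False}
    raise ValueError(f"unsupported key algorithm {key_algorithm}")


def build_certificate_policy(cert_name, domain, sans, key_algorithm, key_size,
                             validity_months, lifetime_action, days_before_expiry,
                             key_usage=(), extended_key_usage=(), issuer_name="Self"):
    """Return the request body for creating a Key Vault certificate.

    Submitting an existing cert_name creates a new version of that
    certificate, which is how new versions are created from PAM360.
    """
    # Key Vault certificate names: alphanumerics and hyphens (length bound assumed).
    if not re.fullmatch(r"[0-9A-Za-z-]{1,127}", cert_name):
        raise ValueError("certificate name must be 1-127 alphanumerics or hyphens")
    if validity_months < 1:
        raise ValueError("validity must be at least one month")
    if lifetime_action not in LIFETIME_ACTIONS:
        raise ValueError(f"lifetime action must be one of {sorted(LIFETIME_ACTIONS)}")
    # The trigger must fire inside the certificate's lifetime; 28 days per
    # month is a conservative lower bound chosen for this example.
    if not 1 <= days_before_expiry < validity_months * 28:
        raise ValueError("days before expiry must fall within the validity period")

    dns_names = parse_sans(sans)
    if domain.lower() not in dns_names:
        dns_names.insert(0, domain.lower())   # the CN is listed as a SAN as well

    return {
        "policy": {
            "issuer": {"name": issuer_name},  # "Self" = self-signed, else a Key Vault issuer
            "x509_props": {
                "subject": f"CN={domain}",
                "sans": {"dns_names": dns_names},
                "key_usage": [KEY_USAGE_FLAGS[k] for k in key_usage],
                "ekus": [EKU_OIDS[e] for e in extended_key_usage],
                "validity_months": validity_months,
            },
            "key_props": key_props(key_algorithm, key_size),
            "secret_props": {"contentType": "application/x-pkcs12"},
            "lifetime_actions": [{
                "trigger": {"days_before_expiry": days_before_expiry},
                "action": {"action_type": lifetime_action},
            }],
        }
    }


if __name__ == "__main__":
    body = build_certificate_policy(
        cert_name="www-contoso-com", domain="www.contoso.com",
        sans="api.contoso.com, WWW.contoso.com,, api.contoso.com",
        key_algorithm="RSA", key_size=2048, validity_months=12,
        lifetime_action="AutoRenew", days_before_expiry=30,
        key_usage=("Digital Signature", "Key Encipherment"),
        extended_key_usage=("Server Authentication",),
    )
    print(json.dumps(body, indent=2))
```

EmailContacts notifies the contacts configured on the vault in the Azure portal, which is the behaviour the Lifetime Action step describes; the email address entered on the form is not part of the policy document.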

Once the request is created, go to the Request Status tab to view the status and other details pertaining to a certificate. To obtain the latest certificate from your request, click the Obtain Certificate option available beside the certificate. The following operations can be done on the certificates being managed from the Azure tab:

  1. Obtain Certificate - This option retrieves the selected certificate from the Azure portal.
  2. Obtain History - This option retrieves all the versions of the selected certificate from the Azure portal.

5. Renewing, Deleting, Filtering all Versions of Certificates

5.1 Renewing Certificates

PAM360 allows you to renew Azure certificates right from the PAM360 interface.

  1. Select the certificate that you wish to renew and click the Renew option at the top.
  2. Enter the validity in months and click Renew. The certificate will be renewed with the specified validity period and updated in both PAM360 and the Azure portal.

Note: You cannot renew the following certificates:
  1. Certificates that were issued by a third-party issuer and are currently being managed in the Azure portal.
  2. Previous versions of existing certificates.

5.2 Deleting Certificates

To delete certificates:

  1. Select one or more certificates using the checkboxes.
  2. Click Delete at the top.

Note: The certificate is deleted only from the PAM360 repository; this operation does not change the certificate's status in the Azure portal.

5.3 Filtering Certificates

To filter versions of certificates, click the Show drop-down and choose from the options:

  1. Current Certificate - This option will display only the current versions of the certificates.
  2. Previous Versions - This option will display older versions of the available certificates.
  3. All - This option will display all versions of the available certificates.
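The Show filter above and the license note in section 3 both rest on the same distinction between a certificate's current version and its previous versions. The Python below is an added example, not PAM360 code, that applies that distinction to a constructed discovery result: it picks the newest version of each certificate name as the current one (an assumption about how versions are ordered, since the page does not say), reproduces the Current Certificate / Previous Versions / All views, and counts how many licensed certificates an import consumes with and without the Import Previous Versions option.

```python
"""Group discovered Key Vault certificate versions the way the PAM360 'Show'
filter does and estimate the license impact of 'Import Previous Versions'.

Added example, not PAM360 code. The records are constructed; the rule that the
most recently created version of a name is the current one is an assumption.
"""
from datetime import datetime

# Constructed sample discovery result: two certificate names, four versions.
DISCOVERED = [
    {"name": "www-contoso", "version": "4c1f", "created": "2023-01-10T00:00:00Z"},
    {"name": "www-contoso", "version": "9b2e", "created": "2024-01-10T00:00:00Z"},
    {"name": "www-contoso", "version": "e73a", "created": "2025-01-10T00:00:00Z"},
    {"name": "api-contoso", "version": "d4a0", "created": "2024-06-01T00:00:00Z"},
]


def _created(record):
    return datetime.strptime(record["created"], "%Y-%m-%dT%H:%M:%SZ")


def current_versions(records):
    """Newest version of each certificate name, keyed by name."""
    newest = {}
    for rec in records:
        name = rec["name"]
        if name not in newest or _created(rec) > _created(newest[name]):
            newest[name] = rec
    return newest


def filter_versions(records, mode):
    """mode is 'current', 'previous' or 'all', matching the Show drop-down."""
    current_ids = {(r["name"], r["version"]) for r in current_versions(records).values()}
    if mode == "current":
        return [r for r in records if (r["name"], r["version"]) in current_ids]
    if mode == "previous":
        return [r for r in records if (r["name"], r["version"]) not in current_ids]
    if mode == "all":
        return list(records)
    raise ValueError(f"unknown filter mode {mode!r}")


def license_count(records, import_previous_versions):
    """Each imported version is an individual certificate toward the license."""
    return len(filter_versions(records, "all" if import_previous_versions else "current"))


if __name__ == "__main__":
    print("current:", [r["version"] for r in filter_versions(DISCOVERED, "current")])
    print("previous:", [r["version"] for r in filter_versions(DISCOVERED, "previous")])
    print("licenses without previous versions:", license_count(DISCOVERED, False))
    print("licenses with previous versions:", license_count(DISCOVERED, True))
```

Because previous versions cannot be renewed from PAM360 (section 5.1) yet each one counts toward the license, running the count before ticking Import Previous Versions is a cheap way to see what the option will cost.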