Managing Azure Certificates
This section describes how to manage Azure certificates on CCKM. Before proceeding, you must have an Azure vault added to the CCKM. Refer to Managing Azure Vaults for details.
A CCKM User must have the following permissions on the CipherTrust Manager to perform operations on certificates:
ReadLocalCA
ReadCertificate
UpdateSoftDeleteAzureCertificateCCKM
UpdateHardDeleteAzureCertificateCCKM
UpdateRecoverAzureCertificateCCKM
RestoreAzureCertificateCCKM
CreatAzureCertificateCCKM
UploadAzureCertificateCCKM
Adding Azure Certificates
CCKM provides two methods to add Azure certificates:
Generating Certificate
To add an Azure Certificate by generating a certificate:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Azure.
Click the Certificates tab.
Click Add Certificate. The Select Material Origin screen of the Add Certificate wizard is displayed.
Select Material Origin
Under Select Method, select Generate Certificate.
Click Next. The Configure Certificate screen is displayed.
Configure Certificate
Enter Certificate Name.
Select the desired Vault from the drop-down list. Vaults stored in Azure Managed HSM pools are not supported.
Enter Issuer Name.
Enter Subject.
(Optional) Enter DNS Name.
(Optional) Enter Validity Period (in months).
Select Content Type from the available options. The supported types are PKCSW12 and PEM.
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
To add a tag:
Specify a tag name.
Specify the tag value.
CCKM allows the following characters in tag values:
Alphanumeric characters
Special characters ** ! @ # $ % ) ( { } > < ? + - / \ [ ] ^ & + = | ~ ` , ; . ' " _ **
CCKM does not allow the colon (
:
) in tag values.
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Enable or disable Advanced Configuration.
Click Yes to enable.
Click No to disable.
Click Next. The Add Schedule screen is displayed.
Add Schedule
Under Lifetime Action Type, select either Automatically Renew or Email Contacts.
Under Select Action, select either Percentage Lifetime or Number of Days Before Expiry.
As per the selection above, enter the Percentage of Lifetime or Days Before Expiry.
Click Next. The Advanced Configuration screen is displayed.
Advanced Configuration
Note
To provide the Advance Configuration details, you need to enable Advance Configuration when providing the Certificate Configuration details.
(Optional) Enter Extended Key Usages (EKUs) separated by comma.
(Optional) Select X509 Key Usage Flags from the drop-down list.
Select Key Type.
For a standard vault, the key type is RSA.
For a premium vault, the key type is EC (Elliptic Curve).
(Applicable to RSA key type) Select Key Size from the following options: 2048, 3072, and 4096.
(Applicable to Elliptic Curve key type) Select Elliptic Curve Name from the following options: P-256, P-384, P-521, and P-256K.
(Optional) Select the Reuse Key on Renewal check box.
(Optional) Select the Exportable Private Keys check box.
(Optional) Select the Enable Certificate Transparency check box.
Click Next. The Review and Add screen is displayed.
Review and Add
This screen shows the certificate details that you have provided. These details are divided into MATERIAL ORIGIN, CONFIGURE CERTIFICATE, ADD SCHEDULE, and ADVANCED CONFIGURATION sections.
Before adding the certificate, review all details. After the certificate is added, certain features will no longer be editable.
Review the certificate details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the MATERIAL ORIGIN, CONFIGURE CERTIFICATE, ADD SCHEDULE, and ADVANCED CONFIGURATION sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Certificate.
The certificate creation starts. A Create Certificate In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the MATERIAL ORIGIN, CONFIGURE CERTIFICATE, ADD SCHEDULE, and ADVANCED CONFIGURATION sections becomes Complete, the certificate is created successfully.
Click OK. The Add Certificate wizard is closed.
Importing Certificate
Note
A CCKM User must have the ReadLocalCA
and ReadCertificate
permissions on the CipherTrust Manager to import certificates.
To add an Azure Certificate by importing a certificate:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Azure.
Click the Certificates tab.
Click Add Certificate. The Select Material Origin screen of the Add Certificate wizard is displayed.
Select Material Origin
Under Select Method, select Import Certificate.
Click Next. The Configure Certificate screen is displayed.
Import Certificate
Enter Certificate Name.
Select the desired Vault from the drop-down list. Vaults stored in Azure Managed HSM pools are not supported.
Select CA ID.
Select Certificate Identifier.
Upload Private Key (pem file).
Enable or disable Is Certificate File Password Protected?.
Click Yes to enable.
Click No to disable.
Enter Password.
Note
If the Is Certificate File Password Protected? option is disabled, then you do not need to provide the password.
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
To add a tag:
Specify a tag name.
Specify the tag value.
CCKM allows the following characters in tag values:
Alphanumeric characters
Special characters ** ! @ # $ % ) ( { } > < ? + - / \ [ ] ^ & + = | ~ ` , ; . ' " _ **
CCKM does not allow the colon (
:
) in tag values.
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next. The Review and Add screen is displayed.
Review and Add
This screen shows the certificate details that you have provided. These details are divided into MATERIAL ORIGIN and CONFIGURE CERTIFICATE sections.
Before adding the certificate, review all details. After the certificate is added, certain features will no longer be editable.
Review the certificate details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the MATERIAL ORIGIN and CONFIGURE CERTIFICATE sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Certificate.
The certificate creation starts. A Create Certificate In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the MATERIAL ORIGIN and CONFIGURE CERTIFICATE sections becomes Complete, the certificate is created successfully.
Click OK. The Add Certificate wizard is closed.
Viewing Azure Certificates
Search for Azure Certificates by Certificate Name, Certificate Vault, or Tags.
CCKM does not allow searching for certificates:
By tag values using colon (:)
By "certificate:value" pair using these characters:
\ , : " %
To view an Azure certificate:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Azure.
Click the Certificates tab. The list of available Azure certificates is displayed. The Azure Certificates tab displays the following details:
Field Description Certificate Name Unique, user-friendly alias of the certificate. This is useful in searching for specific certificates. Version ID Current version of the certificate. Click the expand icon () corresponding to a certificate to view its versions. Status State of the certificate. The status can be:
• Available
• Soft Deleted
• DeletedOrigin Source of the certificate material. The origin of the certificate can be:
• CCKM: Certificate material is created on CCKM.
• Native: Certificate material is created on the cloud.
• External (Unknown): Source of the certificate material is unknown. It is different than CCKM and the native cloud.Source The source of the certificate. Creation Date Time when the certificate is created. Expiry Date Time when the certificate is created. Key Vault Name of the Azure key vault. Region Azure region where the certificate is created. Click the filter icon () to view the list of supported Azure regions. Issuer Name Name for the referenced issuer object or reserved names. Set to Self for a self-signed certificate.
Sometimes, you might notice certain certificates are displayed as grayed out. This happens when the certificates are no longer accessible. For example, when:
Any cloud permissions on the certificates are changed. The certificates are no longer accessible from the Azure connection.
Connection is changed in KMS. The new connection does not have permissions to access the certificates.
Editing Azure Certificates
To view or edit an Azure certificate:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Azure.
Click the Certificates tab. The list of available Azure certificates is displayed.
Click the overflow icon () corresponding to the desired alias and click View/Edit.
X.509 SHA-1 Thumbprint is displayed as base64url encoded, whereas on Azure, it is displayed as hex.
Configure the CERTIFICATE SCHEDULES. Refer to CERTIFICATE SCHEDULES for details.
CERTIFICATE SCHEDULES
To configure certificate schedules:
In the KEY SCHEDULES section, select/enter the following details:
From the Select Rotation Schedule drop-down list, select a rotation schedule.
In the Rotation Settings section, select/enter the following details:
Key Origin: Select the key origin from the available options. The key origin can be CipherTrust, Native (Azure), Luna, or DSM.
(Applicable to Luna key origin) Select Partition: Select the Luna HSM partition.
Key Type: Select the key type. Key types differ based on the key origin.
For CipherTrust, Luna, and DSM, the supported key types are RSA and RSA-HSM.
For Native (Azure), the supported key types are RSA, EC, RSA-HSM, and EC-HSM.
Select the Key Size or Elliptical Curve Name depending on the selected Key Type.
If the key type is RSA or RSA-HSM, select Key Size. The available options are 2048, 3072, and 4096.
If the key origin is Native (Azure) and key type is EC or EC-HSM, select Elliptical Curve Name. The available options are P-56, P-384, P-521, and SECP256K1.
Select Enabled if you want to enable the rotated key.
Click Update.
A message Key schedule updated successfully is displayed on the screen.
Refreshing Azure Certificates
Refreshing is the process of downloading secrets created on the Azure key vault to CCKM. Certificates from all key vaults are refreshed at once.
To refresh certificates:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Azure.
Click the Certificates tab. The list of available Azure certificates is displayed.
Click Refresh. The This may take a while... message is displayed.
Note
Refresh is a time intensive operation that could take several hours or days to complete. It will continue running in the background. Do you want to continue?
Click Refresh to continue.
A message Refresh started... is displayed on the screen. The refreshed certificates are listed on the Cloud Keys > Azure > Certificates tab.
To cancel the refresh:
Click Cancel Refresh. The Cancel Refresh? message is displayed. The action will terminate all currently active refresh operations. All progress will be lost and this action cannot be undone. Do you want to proceed to cancel refresh or cancel this action?
Click Cancel Refresh.
A message Refresh cancelled successfully is displayed on the screen.
Rotating Certificates (Add Version)
Note
To rotate Azure Certificates, CCKM Users require Add Certificate and Upload Certificate permissions.
To rotate a certificate:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Azure.
Click the Certificates tab. The list of available Azure certificates is displayed.
Click the overflow icon () corresponding to the desired alias and click Rotate Now (Add Version). The Select Material Origin screen of the Add New Version wizard is displayed.
Select Key Material Origin. Depending on your requirements, select an appropriate option. Refer to the following sections for details:
Soft-Deleting Azure Certificates
Soft deleting is the process of deleting Azure certificates from the Azure vaults and CCKM. These certificates still exist on CCKM and in the Azure vaults. The soft-deleted certificates can be recovered.
Note
This operation can be performed only on the Azure certificates residing in the soft-enabled key vaults.
To soft-delete an Azure certificate:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Azure.
Click the Certificates tab. The list of available Azure certificates is displayed.
Click the overflow icon () corresponding to the desired alias and click Soft Delete. The Confirm Soft Delete dialog box is displayed.
Click Soft Delete.
A message Certificate <certificate name> soft-deleted is displayed on the screen. The status of the certificate changes to SOFT-DELETED
.
Recovering Soft-Deleted Azure Certificates
If needed, you can recover a soft-deleted certificate.
To recover a soft-deleted Azure certificate:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Azure.
Click the Certificates tab. The list of available Azure certificates is displayed.
Click the overflow icon () corresponding to the desired alias and click Recover. The Confirm Recover Certificate dialog box is displayed.
Click Recover.
A message Certificate <certificate name> recovered from soft-delete. is displayed on the screen. The status of the certificate changes to AVAILABLE
.
Purging Azure Certificates
Purging is the process of permanently deleting soft-deleted Azure certificates from the Azure vaults. However, backup of the purged certificate can be restored on CCKM. If you wish to restore backup of the purged certificate, follow the steps mentioned in the Restoring Backup section.
Note
This operation can be performed only on the soft-deleted Azure certificates residing in the soft-enabled key vaults.
To purge an Azure certificate:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Azure.
Click the Certificates tab. The list of available Azure certificates is displayed.
Click the overflow icon () corresponding to the desired alias and click Purge. The Purge Azure certificate dialog box is displayed.
Select the I wish to purge this certificate. check box.
Click Purge Certificate.
Purging a certificate might take some time. After successful deletion, a message Certificate <certificate name> hard deleted is displayed on the screen. The status of the certificate changes to DELETED
.
If needed, you can restore a purged certificate from its backup. Refer to Restoring Backup for details.
Restoring Backup
To restore a purged Azure certificate:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Azure.
Click the Certificates tab. The list of available Azure certificates is displayed.
Click the overflow icon () corresponding to the desired alias and click Restore. The Confirm Restore certificate dialog box is displayed.
Select the desired certificate vault from the Select Vault drop-down list.
Note
Restoration of certificates among cross-region vaults is not allowed.
Click Restore Certificate.
A message Certificate <certificate name> restored is displayed on the screen. The certificate is restored to the selected key vault. The certificate status changes to AVAILABLE
.