BYOK for Microsoft Azure
Microsoft Azure provides various services such as computing, networking, and storage over the cloud. Azure allows users to bring their own keys to be used with these services. The imported keys are referred to as tenant keys and are stored in the Azure Key Vault. For more information on Microsoft Azure, refer to the relevant documents available on the Internet.
Prerequisites
To use BYOK for Microsoft Azure, ensure that:
CADP for Java is installed and configured. Refer to Quick start for detailed installation instructions and Configuration Parameters for configuration details.
A javac compiler exists in the path.
Any of the supported Java versions is installed on your machine. Refer to General system architecture for details.
A Key Vault must be created before importing the certificate.
The high-level steps involved in using BYOK for Microsoft Azure with CADP for Java are:
Generating an RSA key or an EC key on Key Manager.
Generating a PKCS#12 certificate with the .pfx extension using the SelfSignedCertificateUtility.
Importing the certificate (containing both public and private keys) to the Azure Key Vault.
Create RSA/EC Key
Refer to Create a key for detailed instructions.
Generate PKCS#12 Certificate
Update the details.properties file with the certificate attributes. This file is available on GitHub. If the attributes are not set, the certificate is created using the default values in the details.properties file. The following table explains the attributes.
Input Parameter: Description
Validity: Validity of the certificate in days. Default value is 365.
KeyUsage: Defines the usage of the certificate being generated.
Valid values are:
— digitalSignature
— nonRepudiation
— keyEncipherment
— dataEncipherment
— keyAgreement
— keyCertSign
— cRLSign
— encipherOnly
— decipherOnly
Default values are keyEncipherment and digitalSignature.
Algorithm: Algorithm that will be used to sign the certificate being generated.
Valid values are:
— SHA1WithRSA
— SHA256WithRSA
— SHA384WithRSA
— SHA512WithRSA
— SHA1WithECDSA
— SHA224WithECDSA
— SHA256WithECDSA
— SHA384WithECDSA
— SHA512WithECDSA
Default value is SHA1WithRSA.
CommonName: Common name for the certificate. Default value is TestUser.
CountryName: Country code used for the certificate. Default value is IN.
Destination: Directory, including the certificate file name, where the certificate is to be generated. If this attribute is not specified, the certificate is created with the name SignedCertificate.pfx and is stored in the current working directory.
CertPassword: Password for the certificate. The default value is changeit. It is an optional attribute.
Note: While running the SelfSignedCertificateUtility command, if the certPassword attribute's value is specified in the command line interface, it overrides the value specified in the details.properties file.
Email: E-mail ID of the certificate. It is an optional attribute.
Location: Location of the certificate. It is an optional attribute.
OrganizationName: Name of the organization of the certificate. It is an optional attribute.
OrganizationUnitName: Name of the unit of the certificate. It is an optional attribute.
StateName: Name of the state of the certificate. It is an optional attribute.
Execute SelfSignedCertificateUtility. This sample is available on GitHub.
Usage
java SelfSignedCertificateUtility [-user ksUserName] [-password ksPassword] -key rsaOrECCKeyName -file details.properties [-certPass certPassword]
The following table describes the input parameters:
Parameter: Description
user: Name of the user on Key Manager. It is an optional parameter.
password: Password of the user name on Key Manager. The following special characters * ‘ “ and
key: Name of the RSA or EC key created on Key Manager.
file: The details.properties file containing the certificate attributes.
certPass: Password for the certificate to be generated. It is an optional parameter. The value of this parameter overrides the value set in the details.properties file.
Example
For example, successful execution of the following command generates the self-signed certificate named SignedCertificate.pfx.
java SelfSignedCertificateUtility -user kmuser -password kmpassword -key KMKey -file details.properties
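The attribute table above and the -certPass override rule are easy to get wrong in a hand-edited details.properties file, and a mistake only surfaces after the utility has already pulled the key from Key Manager. The following is an added example, not code from CADP for Java or its GitHub samples, that parses a details.properties file (standard Java .properties syntax), applies the documented defaults and the command-line certPass override, and reports values that fall outside the documented set or that a practitioner should not ship (the SHA1WithRSA default and the changeit password). The sample file contents are constructed for the demonstration.

```python
"""Pre-flight validator for a CADP details.properties file.

Added example (not part of CADP for Java). Attribute names, valid values and
defaults are those documented for SelfSignedCertificateUtility; the file format
is the standard Java .properties format. Sample inputs below are constructed.
"""
import re

VALID_KEY_USAGES = {
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
}
VALID_ALGORITHMS = {
    "SHA1WithRSA", "SHA256WithRSA", "SHA384WithRSA", "SHA512WithRSA",
    "SHA1WithECDSA", "SHA224WithECDSA", "SHA256WithECDSA", "SHA384WithECDSA",
    "SHA512WithECDSA",
}
# Defaults documented for the utility when an attribute is not set.
DEFAULTS = {
    "Validity": "365",
    "KeyUsage": "keyEncipherment,digitalSignature",
    "Algorithm": "SHA1WithRSA",
    "CommonName": "TestUser",
    "CountryName": "IN",
    "Destination": "SignedCertificate.pfx",
    "CertPassword": "changeit",
}


def parse_properties(text):
    """Parse Java .properties text: '#' or '!' comment lines, key=value or
    key:value pairs, and backslash line continuations. Values are raw strings."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):          # continued on the next line
            pending += line[:-1]
            continue
        line = pending + line
        pending = ""
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def resolve(props, cli_cert_pass=None):
    """Apply the documented defaults; an empty value counts as not set.
    A -certPass given on the command line overrides CertPassword in the file."""
    cfg = dict(DEFAULTS)
    cfg.update({k: v for k, v in props.items() if v != ""})
    if cli_cert_pass is not None:
        cfg["CertPassword"] = cli_cert_pass
    return cfg


def validate(cfg):
    """Return a list of problems; an empty list means the file is acceptable."""
    problems = []
    if not cfg["Validity"].isdigit() or int(cfg["Validity"]) <= 0:
        problems.append("Validity must be a positive number of days")
    usages = [u.strip() for u in cfg["KeyUsage"].split(",") if u.strip()]
    unknown = sorted(set(usages) - VALID_KEY_USAGES)
    if unknown:
        problems.append("unknown KeyUsage value(s): " + ", ".join(unknown))
    if cfg["Algorithm"] not in VALID_ALGORITHMS:
        problems.append("unknown Algorithm: " + cfg["Algorithm"])
    elif cfg["Algorithm"].startswith("SHA1"):
        problems.append("Algorithm uses SHA-1, deprecated for certificate "
                        "signatures; prefer SHA256WithRSA or SHA256WithECDSA")
    if len(cfg["CountryName"]) != 2 or not cfg["CountryName"].isalpha():
        problems.append("CountryName must be a two-letter country code")
    if not cfg["Destination"].lower().endswith(".pfx"):
        problems.append("Destination should name a .pfx (PKCS#12) file")
    if cfg["CertPassword"] == DEFAULTS["CertPassword"]:
        problems.append("CertPassword is the default 'changeit'; choose a "
                        "unique password, it is entered again at Azure upload")
    return problems


def check_file_text(text, cli_cert_pass=None):
    """Parse, resolve and validate in one call; returns the problem list."""
    return validate(resolve(parse_properties(text), cli_cert_pass))


# Constructed sample inputs (not the GitHub details.properties file).
SAMPLE_PROPERTIES = """\
# constructed sample: password left empty, to be supplied with -certPass
Validity=730
KeyUsage=keyEncipherment,digitalSignature
Algorithm=SHA256WithRSA
CommonName=byok-azure-tenant-key
CountryName=US
Destination=/tmp/byok/tenant-key.pfx
CertPassword=
"""
BAD_PROPERTIES = """\
Validity=0
KeyUsage=keyEncipherment,signing
Algorithm=MD5WithRSA
CountryName=USA
Destination=cert.p12
CertPassword=x
"""

if __name__ == "__main__":
    for problem in check_file_text(SAMPLE_PROPERTIES) or ["OK"]:
        print(problem)
```

Run it against the real details.properties before invoking the utility; pass the same value you intend to give to -certPass so the override is accounted for, and treat any reported problem as a reason not to proceed.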
Import a PKCS#12 Certificate
To import a PKCS#12 certificate in .pfx format to Microsoft Azure, follow these steps:
Log on to the Microsoft Azure account.
Click All services and, in the search box, enter Key vault. A page listing the existing key vaults is displayed. If the key vault does not exist, create a key vault.
Under the Name column, click the key vault name link and then from the SETTINGS list, click Keys. The existing keys in the key vault are listed.
Click +Generate/Import. The Create a key page is displayed to upload the PKCS#12 certificate.
Enter the certificate details as described in the following table:
Input Parameter: Description
Options: Select the Upload option.
File Upload: Browse and select the certificate to be uploaded. It is a mandatory field.
Password: Provide the password for the certificate as specified during the certificate generation. It is a mandatory field.
Note: The password is specified in the details.properties file or while using SelfSignedCertificateUtility to generate the certificate.
Name: Specify a name for the certificate to be uploaded. The certificate will be listed in the key vault with this name. It is a mandatory field.
Set activation/expiration date: Select the options as required, and set the activation/expiration date. It is an optional field.
Enabled: The Yes option is selected by default. Select No, if required.
Click Create. The certificate is uploaded and listed in the key vault.
The screen also displays a message about the successful creation of the certificate-key.