Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

Azure Key Vault

We are listening! Please take a few moments to submit your ideas or up-vote ideas already submitted by others. The Azure Key Vault team regularly monitors and reviews all feedback submitted on this forum. You will be one of the first to know when a requested feature will be worked on! So be sure to vote or submit your ideas! Remember this site is for feature suggestions and ideas. For technical questions please try documentation, MSDN Forum or Stack Overflow.

  1. KeyVault should interface with an organization's private CA

    For: organizations that have a private certificate authority.
    Goal: avoid certificates in email and manual uploads.
    New feature: configure private CA endpoint in KeyVault, then have the KeyVault arrange a csr and have it signed by the connected private CA and stored back in the KeyVault.

    5 votes

    0 comments  ·  Certificates
  2. Fix your DigiCert Automation Integration

    Fix your DigiCert integration. They've changed their SSL products and it's impossible to use KV to Order Basic Wildcard SSL (OV-Basic). Your API will not support any of their new product keywords. I literally spent two days figuring this out on my own. If you are going to tout integrated CAs and automation then make sure it works!

    5 votes

    1 comment  ·  Certificates
  3. Use Key Vault Certificates Officer (Not Key Vault Secrets Officer) for App Service PFX Import

    In order to allow an App Service to import a PFX from a Key Vault which is under the preview RBAC roles, you have to grant the Microsoft Azure WebSites application the Key Vault Secrets Officer RBAC role.

    This is misleading. The certificate in question is in the certificates "folder" of the Key Vault, not the "secrets" folder.

    It would seem more appropriate to grant the application the Key Vault Certificates Officer RBAC role.

    3 votes

    0 comments  ·  Certificates
  4. Show keys/secrets paths next to certificates path

    In the key vault portal, when you view a certificate, the top URL is the "Certificate Identifier". If you specify this in Express V2 deployment, it will only contain the public key. If you need the cert with private key, you have to go to the bottom of the page and look for the "Secret Identifier" URL and use that instead. IMO, the "Key Identifier", "Secret Identifier" and "Certificate Identifier" URLs should all be at the top of the certificate version page, and they should have some help text to indicate the difference.

    3 votes

    0 comments  ·  Certificates
  5. Add download of SSL certificates from key vault

    Provide ability to download an SSL certificate from the key vault for use in other services (e.g. Azure API Management which only accepts uploaded certs).

    3 votes

    1 comment  ·  Certificates
  6. Showing Azure Key Vault Regional Replication

    Presently in Azure portal, you cannot see the information regarding the regional replication or the location. As of now, it is not possible to view the data that are replicated to the secondary region.

    This information is needed for SOC audits and would be helpful to have in the Portal.

    2 votes

    0 comments  ·  Certificates
  7. Allow Azure Key Vault Certificate user (read only) RBAC role

    Allow Azure Key Vault Certificate user (read only) RBAC role, because right now it's only possible to have a Certificate Officer. I can think of lots of scenarios where you only want to allow read access to a certificate, instead of allowing both read, write and delete permissions.

    1 vote

    0 comments  ·  Certificates
  8. Add ability to add RBAC role or Action Group as Azure Key Vault certificate contact

    Would be awesome if you could add the ability to set either / both RBAC roles or Action Groups as Azure Key Vault certificate contacts.

    This would be very nice to have especially for automation using Lighthouse for authentication, as Lighthouse alone can't be used to read Azure AD to get email addresses.

    1 vote

    0 comments  ·  Certificates
  9. No Log for downloaded Certs

    Add a Log Analytics OperationName for when a Certificate is downloaded from the Vault. Since the Vault only allows downloading a cert without a PK password, then allow us to generate an alert when the Certificate is downloaded so we can stop a person or check why they downloaded it. Currently none of the operations pinpoint that a download was attempted.

    1 vote

    0 comments  ·  Certificates
  10. Show certificate thumbprint in Azure Portal

    Please make a way to see the certificate thumbprints in the Azure portal.
    Preferably there should also be a way to search by thumbprint to identify the corresponding certificate.

    1 vote

    2 comments  ·  Certificates
  11. CDN - SSL - Incorrect version selected on dropdown

    CDN Profiles -> Custom Domain -> HTTPS -> Own certificate, once the KeyVault Certificate/Secret Version dropdown is loaded, it seems to always select the first item (current version) even though it is an older version that's currently deployed.

    In order to actually deploy the current version, user will need to first select an older version and then re-select the current version because the save button is disabled by default.

    1 vote

    0 comments  ·  Certificates
  12. I had come across scenario wherein AZURE Key vault doesn’t clear entries of User/application in the “Access policies”, when we delete respec

    I had come across a scenario wherein Azure Key Vault doesn’t clear entries of a user/application in the “Access policies” when we delete the respective object in Azure AD. I’m wondering if this requires manually clearing all stale references in AKV access policies on a regular basis? If that is the case, can we include this feature in an upcoming release so that customers needn’t worry about manual cleanup?

    Please refer to the attached screenshot, which has multiple stale references as part of Access policies, even though the actual objects were deleted from the Azure AD tenant.

    1 vote

    1 comment  ·  Certificates
  13. Allow certificate upload from Azure Storage

    Currently, the only way to upload a certificate to a Key Vault is to have the file stored locally on the computer that is doing the upload.
    Having the possibility to upload the cert from a Blob would be ideal, as that would mean our certificates could be safely hosted in encrypted Azure Storage, retrieved with a SAS and directly uploaded to Azure Key Vault without needing to download them locally and then upload them.

    1 vote

    0 comments  ·  Certificates
  14. Support multiple lifetime actions for certificate policies

    Currently you can specify only one lifetime action in a certificate policy. Most of the time I want an automatic rollover but I also want to know that this happened because I need to take some additional actions.

    1 vote

    1 comment  ·  Certificates
  15. For CA certificate Private Key exportable yes/no option to be properly documented

    Currently the Key Vault documentation talks about various parameters for certificate generation.
    One very crucial config is not documented properly.
    While generating a certificate, if we select private key exportable = no and, after generating the certificate, integrate that certificate with any application gateway, then the AGW state will be "failed" with an error message saying "certificate can't be parsed".

    So please update the documentation by adding a note about this behavior.

    Error:

        "code": "ApplicationGatewaySslCertificateDoesNotHavePrivateKey",

    No documentation talks about what will happen if we select private key exportable = no.

    So please add that in the documentation. Issue was reproducible…

    1 vote

    0 comments  ·  Certificates