Azure Key Vault

We are listening! Please take a few moments to submit your ideas or up-vote already submitted ideas by others. Azure Key Vault team regularly monitors and reviews all feedback submitted on this forum. You will be one of the first to know when a requested feature will be worked on! So be sure to vote or submit your ideas! Remember this site is for feature suggestions and ideas. For technical questions please try documentation, MSDN Forum or StackOverFlow

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Private CA (Certificate Authority) certificate issuing capability

    Provide native Private CA (Certificate Authority) capability in Azure so that private certificates can be issued.

    AWS has this feature, why not Azure?
    https://aws.amazon.com/certificate-manager/private-certificate-authority/

    12 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Certificates  ·  Flag idea as inappropriate…  ·  Admin →
  2. KeyVault should interface with an organization's private CA

    For: organizations that have a private certificate authority.
    Goal: avoid certificates in email and manual uploads.
    New feature: configure private CA endpoint in KeyVault, then have the KeyVault arrange a csr and have it signed by the connected private CA and stored back in the KeyVault.

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Certificates  ·  Flag idea as inappropriate…  ·  Admin →
  3. ARM Template support for Certificates and Issuers

    Hi,

    Currently KeyVault only supports adding new secrets using ARM templates.

    Certificates are common part of any service today, just like secrets, and I would like to be able to create them in my vault using my ARM templates.

    Due to this limitation, currently my provisioning scripts are split to 3 parts(!):
    1. ARM Template for preparation (create the KV)
    2. Powershell to create the certificates inside the KV
    3. ARM Template for the remaining provisioning, that in some parts rely on getting the certificate private part (by accessing the "secret" entity on the KV)

    This doesn't make sense.

    At…

    42 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Certificates  ·  Flag idea as inappropriate…  ·  Admin →
  4. Full PKI infrastructure in KeyVault for Users/computer certificate

    It could be nice to have a real PKI management in KeyVault. For cloud environnement it's something missing.
    It would be a plus that it could interract with intune for user's certificate.
    Like a PaaS PKI.

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Certificates  ·  Flag idea as inappropriate…  ·  Admin →
  5. Fix your DigiCert Automation Integration

    Fix your DigiCert integration. They've changed their SSL products and it's impossible to use KV to Order Basic Wildcard SSL (OV-Basic). You're api will not support any of their new product keywords. I literally spent two days figuring this out on my own. If you are going to tout integrated CA's and automation then make sure it works!

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Certificates  ·  Flag idea as inappropriate…  ·  Admin →
  6. enable support for LetsEncrypt with enrolment and renewal

    Currently, Azure Key Vault can request and manage the life cycle of Digicert certificates (at a rather high cost). Can similar functionality be implemented for Let's Encrypt?

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Certificates  ·  Flag idea as inappropriate…  ·  Admin →
  7. Showing Azure Key Vault Regional Replication

    Presently in Azure portal, you cannot see the information regarding the regional replication or the location. As of now, it is not possible to view the data that are replicated to the secondary region.

    This information is needed for SOC audits and would be helpful to have in the Portal.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Certificates  ·  Flag idea as inappropriate…  ·  Admin →
  8. SSL Certificate expiry warning at keyvault level

    It would be nice once a cert is put into the keyvault that expiry warnings are automatically applied.

    Currently we configure the warnings at certificate level inside the keyvault, but this can be tedious and certificates can be missed.

    We would like expiry warnings to be automatically applied to a certificate once its placed into the keyvault.

    8 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Certificates  ·  Flag idea as inappropriate…  ·  Admin →
  9. Add ability to add RBAC role or Action Group as Azure Key Vault certificate contact

    Would be awesome if you could add the ability to set either / both RBAC roles or a Action Groups as Azure Key Vault certificate contacts.

    This would be very nice to have especially for automation using Lighthouse for authentication, as Lighthouse alone can't be used to read Azure AD to get email addresses.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Certificates  ·  Flag idea as inappropriate…  ·  Admin →
  10. Support storing certificates without private keys

    Right now keyvault doesn't allow storing a certificate WITHOUT the private key in the keyvault. This is useful for a number of use-cases, eg:


    • storing an internal CA public cert in the same place other internal certs are stored

    • Store the public cert for trusted clients, where the private key is only on the client

    The "workaround" right now is to store unsupported cert forms either in a storage account, or as secrets. Storage accounts aren't ideal b/c they are conceptually separate and are not audited in the same way; and don't support the same ability to browse or search…

    25 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Certificates  ·  Flag idea as inappropriate…  ·  Admin →
  11. Key Vault virtual machine extension for Linux, support for Centos

    Centos is not supported by vm extension Microsoft.Azure.KeyVault.KeyVaultForLinux:
    https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/key-vault-linux?branch=pr-en-us-91477

    Operating system
    The Key Vault VM extension supports these Linux distributions:

    Ubuntu-1604
    Ubuntu-1804
    Debian-9
    Suse-15

    ============
    Centos / Redhat is a VERY popular choice for linux servers in azure. Could we please add support for this extension to be used on centos vm's in azure?

    For the record, I'm getting this error when trying to install Microsoft.Azure.KeyVault.KeyVaultForLinux-1.0.921.6 on a centos web host:

    ```````````````````
    cli.azure.cli.core.util : Deployment failed. Correlation ID: 671c3bed-2e64-40fc-a4ed-01d13d5fd3d6. VM has reported a failure when processing extension 'KeyVaultForLinux'. Error message: "Failed to get status file [Errno 2] No such file…

    6 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Certificates  ·  Flag idea as inappropriate…  ·  Admin →
  12. Fix https://docs.microsoft.com/en-us/azure/key-vault/key-vault-overview

    My idea is to re-word one of the lines in this article: https://docs.microsoft.com/en-us/azure/key-vault/key-vault-overview

    There is a line that says, "Certificate Management - Azure Key Vault is also a service that lets you easily provision, manage, and deploy public and private Transport Layer Security/Secure Sockets Layer (TLS/SSL) certificates for use with Azure and your internal connected resources"

    But this is incorrect. AKV does NOT provision certificates. "Provision" is a term in PKI that suggests accepting CSRs, signing them, thereby creating a certificate. AKV doe NOT accept CSRs and create certificates. But the article, by using that terminology, suggests that it does.…

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Certificates  ·  Flag idea as inappropriate…  ·  Admin →
  13. Show certificate thumbprint in AzurePortal

    Please make a way to see the certificate thumbprints in the Azure portal.
    Perferably there should also be a way to search by thumbprint to identify the corresponding certificate.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Certificates  ·  Flag idea as inappropriate…  ·  Admin →
  14. Allow certificate versions to be deleted

    You can create new certificate versions, but you can only delete all versions at the same time, when deleting the certificate itself. If a new cert gets created that shouldn't have been, I can't delete it without deleting my other valid ones. That means that I have to always specify instance versions to retrieve instead of "latest", since I have no way to remove "latest" if it was mistakenly created.

    21 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Certificates  ·  Flag idea as inappropriate…  ·  Admin →
  15. No Log for downloaded Certs

    Add a Log Analytics OperationName for when a Certificate is downloaded from the Vault. Since the Vault only allows downloading a cert without a PK password, then allow us to generate an alert when the Certificate is downloaded so we can stop a person or check why they downloaded it. Currently non of the operations pinpoint that a download was attempted.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Certificates  ·  Flag idea as inappropriate…  ·  Admin →
  16. Export Certificate as PKCS12/PFX Does Not Provide Passphrase Encoding

    Export Certificate as PKCS12/PFX Does Not Provide Passphrase Encoding.

    According to PCKS #12 we should have a password to protect the private key that is exported with the cert. Currently the key vault gives you a warning during export/download that no password is used, however it doesn't provide the capability to provide a passphrase.

    Strangely enough the API Manager and other Azure Resources require imported certificates to have a passphrase. This makes the two services fairly incompatible.

    It would be good if Certificates exported from KeyVaults have the option to protect the private key with a passphrase as per PKCS…

    67 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    6 comments  ·  Certificates  ·  Flag idea as inappropriate…  ·  Admin →
  17. Active Directory Certificate Service as external CA Provider

    Create an integration that allows the use of an existing on-prem or Azure VM Active Directory Certificate Services' CA to issue certificates.

    39 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    6 comments  ·  Certificates  ·  Flag idea as inappropriate…  ·  Admin →
  18. Add EV Code Signing certificate support with Azure Pipeline.

    Permit EV code signing of Azure Pipeline builds from certs stored and even created in Key Vault. E.g. Key Valut/DigiCert/other integration to issue the cert.

    Then allow CI builds with no EV and EV for final builds. May need an optional 2FA approval mechanism for a final build 'job'. E.g. Authentication app prompt. But make it optional please.

    29 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Certificates  ·  Flag idea as inappropriate…  ·  Admin →
  19. Rename-AzureKeyVaultCertificate

    Could we please be allowed to Restore into a new name or get a Rename-AzureKeyVaultCertificate?

    7 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Certificates  ·  Flag idea as inappropriate…  ·  Admin →
  20. Extend KeyVault Certificates funcationality to allow for use as an Enterprise CA.

    Extend the functionality of Key Vault Certificates to all for using as an Enterprise CA with functionality similar to Active Directory Certificate Services.

    New service should integrate with the virtual network.
    Should support the use of modern crypto and hashing.
    Should support ECDSA Keys
    Should support root CA key being in an HSM.
    Should auto configure an OcSP end point.
    Should warn against use of legacy crypto.
    Should allow for cross-subscription connecting (need to connect my dev\test key vault to my enterprise keyvault CA.
    Should integrate with KeyVault Policies to allow for RBAC.

    Post Setup: Allow export of GPO for…

    10 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Certificates  ·  Flag idea as inappropriate…  ·  Admin →
← Previous 1
  • Don't see your idea?

Feedback and Knowledge Base