Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

Azure Key Vault

We are listening! Please take a few moments to submit your ideas or up-vote ideas already submitted by others. The Azure Key Vault team regularly monitors and reviews all feedback submitted on this forum. You will be one of the first to know when a requested feature will be worked on! So be sure to vote or submit your ideas! Remember, this site is for feature suggestions and ideas. For technical questions, please try the documentation, MSDN Forum or Stack Overflow.

  1. Private CA (Certificate Authority) certificate issuing capability

    Provide native Private CA (Certificate Authority) capability in Azure so that private certificates can be issued.

    AWS has this feature, why not Azure?
    https://aws.amazon.com/certificate-manager/private-certificate-authority/

    25 votes

    1 comment  ·  Certificates
  2. Full PKI infrastructure in KeyVault for Users/computer certificate

    It could be nice to have a real PKI management in KeyVault. For cloud environments it's something missing.
    It would be a plus that it could interact with Intune for user's certificate.
    Like a PaaS PKI.

    7 votes

    0 comments  ·  Certificates
  3. KeyVault should interface with an organization's private CA

    For: organizations that have a private certificate authority.
    Goal: avoid certificates in email and manual uploads.
    New feature: configure private CA endpoint in KeyVault, then have the KeyVault arrange a csr and have it signed by the connected private CA and stored back in the KeyVault.

    5 votes

    0 comments  ·  Certificates
  4. Use Key Vault Certificates Officer (Not Key Vault Secrets Officer) for App Service PFX Import

    In order to allow an App Service to import a PFX from a Key Vault which is under the preview RBAC roles, you have to grant the Microsoft Azure WebSites application the Key Vault Secrets Officer RBAC role.

    This is misleading. The certificate in question is in the certificates "folder" of the Key Vault, not the "secrets" folder.

    It would seem more appropriate to grant the application the Key Vault Certificates Officer RBAC role.

    3 votes

    0 comments  ·  Certificates
  5. enable support for LetsEncrypt with enrolment and renewal

    Currently, Azure Key Vault can request and manage the life cycle of Digicert certificates (at a rather high cost). Can similar functionality be implemented for Let's Encrypt?

    14 votes

    0 comments  ·  Certificates
  6. Fix your DigiCert Automation Integration

    Fix your DigiCert integration. They've changed their SSL products and it's impossible to use KV to Order Basic Wildcard SSL (OV-Basic). Your API will not support any of their new product keywords. I literally spent two days figuring this out on my own. If you are going to tout integrated CAs and automation then make sure it works!

    5 votes

    1 comment  ·  Certificates
  7. Allow Azure Key Vault Certificate user (read only) RBAC role

    Allow Azure Key Vault Certificate user (read only) RBAC role, because right now it's only possible to have a Certificate Officer. I can think of lots of scenarios where you only want to allow read access to a certificate, instead of allowing both read, write and delete permissions.

    1 vote

    0 comments  ·  Certificates
  8. ARM Template support for Certificates and Issuers

    Hi,

    Currently KeyVault only supports adding new secrets using ARM templates.

    Certificates are common part of any service today, just like secrets, and I would like to be able to create them in my vault using my ARM templates.

    Due to this limitation, currently my provisioning scripts are split to 3 parts(!):
    1. ARM Template for preparation (create the KV)
    2. PowerShell to create the certificates inside the KV
    3. ARM Template for the remaining provisioning, that in some parts rely on getting the certificate private part (by accessing the "secret" entity on the KV)

    This doesn't make sense.

    At…

    45 votes

    2 comments  ·  Certificates
  9. Showing Azure Key Vault Regional Replication

    Presently in Azure portal, you cannot see the information regarding the regional replication or the location. As of now, it is not possible to view the data that are replicated to the secondary region.

    This information is needed for SOC audits and would be helpful to have in the Portal.

    2 votes

    0 comments  ·  Certificates
  10. Key Vault virtual machine extension for Linux, support for CentOS

    CentOS is not supported by VM extension Microsoft.Azure.KeyVault.KeyVaultForLinux:
    https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/key-vault-linux?branch=pr-en-us-91477

    Operating system
    The Key Vault VM extension supports these Linux distributions:

    Ubuntu-1604
    Ubuntu-1804
    Debian-9
    Suse-15

    ============
    CentOS / Red Hat is a VERY popular choice for Linux servers in Azure. Could we please add support for this extension to be used on CentOS VMs in Azure?

    For the record, I'm getting this error when trying to install Microsoft.Azure.KeyVault.KeyVaultForLinux-1.0.921.6 on a CentOS web host:

    ```
    cli.azure.cli.core.util : Deployment failed. Correlation ID: 671c3bed-2e64-40fc-a4ed-01d13d5fd3d6. VM has reported a failure when processing extension 'KeyVaultForLinux'. Error message: "Failed to get status file [Errno 2] No such file…
    ```

    10 votes

    2 comments  ·  Certificates
  11. SSL Certificate expiry warning at keyvault level

    It would be nice once a cert is put into the keyvault that expiry warnings are automatically applied.

    Currently we configure the warnings at certificate level inside the keyvault, but this can be tedious and certificates can be missed.

    We would like expiry warnings to be automatically applied to a certificate once it's placed into the keyvault.

    8 votes

    1 comment  ·  Certificates
  12. Support storing certificates without private keys

    Right now keyvault doesn't allow storing a certificate WITHOUT the private key in the keyvault. This is useful for a number of use-cases, eg:


    • storing an internal CA public cert in the same place other internal certs are stored

    • Store the public cert for trusted clients, where the private key is only on the client

    The "workaround" right now is to store unsupported cert forms either in a storage account, or as secrets. Storage accounts aren't ideal b/c they are conceptually separate and are not audited in the same way; and don't support the same ability to browse or search…

    32 votes

    1 comment  ·  Certificates
  13. Add ability to add RBAC role or Action Group as Azure Key Vault certificate contact

    Would be awesome if you could add the ability to set either / both RBAC roles or Action Groups as Azure Key Vault certificate contacts.

    This would be very nice to have especially for automation using Lighthouse for authentication, as Lighthouse alone can't be used to read Azure AD to get email addresses.

    1 vote

    0 comments  ·  Certificates
  14. Allow certificate versions to be deleted

    You can create new certificate versions, but you can only delete all versions at the same time, when deleting the certificate itself. If a new cert gets created that shouldn't have been, I can't delete it without deleting my other valid ones. That means that I have to always specify instance versions to retrieve instead of "latest", since I have no way to remove "latest" if it was mistakenly created.

    30 votes

    1 comment  ·  Certificates
  15. Show certificate thumbprint in AzurePortal

    Please make a way to see the certificate thumbprints in the Azure portal.
    Preferably there should also be a way to search by thumbprint to identify the corresponding certificate.

    1 vote

    2 comments  ·  Certificates
  16. Export Certificate as PKCS12/PFX Does Not Provide Passphrase Encoding

    Export Certificate as PKCS12/PFX Does Not Provide Passphrase Encoding.

    According to PKCS #12 we should have a password to protect the private key that is exported with the cert. Currently the key vault gives you a warning during export/download that no password is used, however it doesn't provide the capability to provide a passphrase.

    Strangely enough the API Manager and other Azure Resources require imported certificates to have a passphrase. This makes the two services fairly incompatible.

    It would be good if Certificates exported from KeyVaults have the option to protect the private key with a passphrase as per PKCS…

    72 votes

    6 comments  ·  Certificates
  17. No Log for downloaded Certs

    Add a Log Analytics OperationName for when a Certificate is downloaded from the Vault. Since the Vault only allows downloading a cert without a PK password, then allow us to generate an alert when the Certificate is downloaded so we can stop a person or check why they downloaded it. Currently none of the operations pinpoint that a download was attempted.

    1 vote

    0 comments  ·  Certificates
  18. Add EV Code Signing certificate support with Azure Pipeline.

    Permit EV code signing of Azure Pipeline builds from certs stored and even created in Key Vault. E.g. Key Vault/DigiCert/other integration to issue the cert.

    Then allow CI builds with no EV and EV for final builds. May need an optional 2FA approval mechanism for a final build 'job'. E.g. Authentication app prompt. But make it optional please.

    35 votes

    0 comments  ·  Certificates
  19. Extend KeyVault Certificates functionality to allow for use as an Enterprise CA.

    Extend the functionality of Key Vault Certificates to allow for using as an Enterprise CA with functionality similar to Active Directory Certificate Services.

    New service should integrate with the virtual network.
    Should support the use of modern crypto and hashing.
    Should support ECDSA Keys
    Should support root CA key being in an HSM.
    Should auto configure an OCSP endpoint.
    Should warn against use of legacy crypto.
    Should allow for cross-subscription connecting (need to connect my dev\test key vault to my enterprise keyvault CA).
    Should integrate with KeyVault Policies to allow for RBAC.

    Post Setup: Allow export of GPO for…

    15 votes

    0 comments  ·  Certificates
  20. Rename-AzureKeyVaultCertificate

    Could we please be allowed to Restore into a new name or get a Rename-AzureKeyVaultCertificate?

    7 votes

    0 comments  ·  Certificates