today, VM and keyvault needs to be in same region. This causes lot of pain for services that have deployments in all Azure regions. We need to copy and rollover all same cert in all regions..

When a certificate needs renewal there is often times additional work that needs to occur to configure consumers of the new certificate. Allow KeyVault to emit webhook calls on events such as certificate renewal so that a downstream service can consume this event and execute any needed configuration changes.

Permit EV code signing of Azure Pipeline builds from certs stored and even created in Key Vault. E.g. Key Valut/DigiCert/other integration to issue the cert.

Then allow CI builds with no EV and EV for final builds. May need an optional 2FA approval mechanism for a final build 'job'. E.g. Authentication app prompt. But make it optional please.

Currently, self-signed certs created in the portal do not have a way to allow passwords to be set. This causes a problem when the PFX is needed to be uploaded to other Azure services, as they require passwords. Please allow a way for a password to be set on any self-signed certificate created in the Azure Key Vault portal.

Currently all password protections applied on a certificate are stripped when they are uploaded and saved into Azure Key Vault. We would like to have the option of storing both the certificate and the password via the "az keyvault certificate import/download" set of cli commands with a toggleable optional argument to choose to preserve the transmission of the private key into and out of the keyvault along with the base certificate data together.

Create an integration that allows the use of an existing on-prem or Azure VM Active Directory Certificate Services' CA to issue certificates.

Add support to create certificate requests from Azure Key Vault.
This would enable PDF signing in the cloud. And would open many possibilities for cloud based e-ID solutions.

Adobe pdf signing certificates have requirements for hsm, smart card or equivalent secure storage so being able to have this in the Azure Key vault would be very useful.

It would be nice to create a root cert and store it in the keyvault. Then, create other self signed certs that are signed by the root cert. This would allow me to create a single CA for my cluster, then create certs for the various microservices in the cluster so they could communicate securely. I would simply need to install the root cert on all the machines.

Pls add ECDSA certificate support to Azure Key Vault.

Key vault supports obtaining certificates from number of CAs and this works great.

However, Key Vault does not currently provide interface to revoke such certificates, leaving a gap in certificate lifecycle management.

Please extend integration between Key Vault and supported CAs to support revocation in addition to issuance.

In the key vault portal, when you view a certificate, the top URL is the "Certificate Identifier". If you specify this in Express V2 deployment, it will only contain the public key. If you need the cert with private key, you have to go to the bottom of the page and look for the "Secret Identifier" URL and use that instead. IMO, the "Key Identifier", "Secret Identifier" and "Certificate Identifier" URLs should all be at the top of the certificate version page, and they should have some help text to indicate the difference.

You can create new certificate versions, but you can only delete all versions at the same time, when deleting the certificate itself. If a new cert gets created that shouldn't have been, I can't delete it without deleting my other valid ones. That means that I have to always specify instance versions to retrieve instead of "latest", since I have no way to remove "latest" if it was mistakenly created.

CDN Profiles -> Custom Domain -> HTTPS -> Own certificate, once the KeyVault Certificate/Secret Version dropdown is loaded, it seems to always select the first item (current version) even though it is an older version that's currently deployed.

In order to actually deploy the current version, user will need to first select an older version and then re-select the current version because the save button is disabled by default.

Could we please be allowed to Restore into a new name or get a Rename-AzureKeyVaultCertificate?

I had come across scenario wherein AZURE Key vault doesn’t clear entries of User/application in the “Access policies”, when we delete respective object in Azure AD. I’m wondering, if this require manual way of clearing all stale reference in AKV access polices on regular basis? if that is the case, can we include this feature with upcoming release so that customer needn’t to worry about manually cleanup?

Please refer attached screenshot which has multiple stale reference part of Access polices, even though actual object were deleted from Azure AD tenant.

Currently, the only way to upload a certificate to a Key Vault is to have the file stored locally on the computer that is doing the upload.
Having the possibility to upload the cert from a Blob would be ideal, as that would mean our certificates could be safely hosted being encrypted Azure Storage, and retrieved with a SAS and directly uploaded to Azure Key Vault without needing to download it locally, and then upload it.