Azure Key Vault
Cert deployment - Allow regions to be different for keyvault and VM
Today, the VM and the Key Vault need to be in the same region. This causes a lot of pain for services that have deployments in all Azure regions. We need to copy and roll over the same cert in all regions.
40 votes -
Export Certificate as PKCS12/PFX Does Not Provide Passphrase Encoding
According to PKCS #12 we should have a password to protect the private key that is exported with the cert. Currently the Key Vault gives you a warning during export/download that no password is used; however, it doesn't provide the capability to supply a passphrase.
Strangely enough the API Manager and other Azure Resources require imported certificates to have a passphrase. This makes the two services fairly incompatible.
It would be good if Certificates exported from KeyVaults have the option to protect the private key with a passphrase as per PKCS…
26 votes -
Allow configuration of a webhook to be called when KeyVault renews a certificate
When a certificate needs renewal there is often additional work that needs to occur to configure consumers of the new certificate. Allow Key Vault to emit webhook calls on events such as certificate renewal so that a downstream service can consume this event and execute any needed configuration changes.
24 votes -
Add EV Code Signing certificate support with Azure Pipeline.
Permit EV code signing of Azure Pipeline builds from certs stored and even created in Key Vault. E.g. Key Vault/DigiCert/other integration to issue the cert.
Then allow CI builds with no EV and EV for final builds. May need an optional 2FA approval mechanism for a final build 'job'. E.g. Authentication app prompt. But make it optional please.
18 votes -
ARM Template support for Certificates and Issuers
Hi,
Currently KeyVault only supports adding new secrets using ARM templates.
Certificates are common part of any service today, just like secrets, and I would like to be able to create them in my vault using my ARM templates.
Due to this limitation, currently my provisioning scripts are split into 3 parts(!):
1. ARM Template for preparation (create the KV)
2. PowerShell to create the certificates inside the KV
3. ARM Template for the remaining provisioning, which in some parts relies on getting the certificate private part (by accessing the "secret" entity on the KV)
This doesn't make sense.
At…
15 votes -
Add support for storage and retrieval of password protected certificates
Currently all password protections applied on a certificate are stripped when they are uploaded and saved into Azure Key Vault. We would like to have the option of storing both the certificate and the password via the "az keyvault certificate import/download" set of cli commands with a toggleable optional argument to choose to preserve the transmission of the private key into and out of the keyvault along with the base certificate data together.
14 votes -
Allow self-signed certificates to have a custom-set password
Currently, self-signed certs created in the portal do not have a way to allow passwords to be set. This causes a problem when the PFX is needed to be uploaded to other Azure services, as they require passwords. Please allow a way for a password to be set on any self-signed certificate created in the Azure Key Vault portal.
11 votes -
Support storing certificates without private keys
Right now keyvault doesn't allow storing a certificate WITHOUT the private key in the keyvault. This is useful for a number of use-cases, eg:
- storing an internal CA public cert in the same place other internal certs are stored
- Store the public cert for trusted clients, where the private key is only on the client
The "workaround" right now is to store unsupported cert forms either in a storage account, or as secrets. Storage accounts aren't ideal b/c they are conceptually separate and are not audited in the same way; and don't support the same ability to browse or search…
8 votes -
Active Directory Certificate Service as external CA Provider
Create an integration that allows the use of an existing on-prem or Azure VM Active Directory Certificate Services' CA to issue certificates.
8 votes -
Add Support for Future/Scheduled Certificate Versions
I would like the ability to create a new certificate version in advance while continuing to use the current version for some time. In my scenario, I have a server application that issues digital signatures that IoT devices in the field need to verify, and the devices need the application’s public-key-containing certificate to perform this operation.
Currently, when I renew the server application’s certificate, I must distribute it to all devices at that point in a “big bang” fashion. (To be precise, the devices detect that the certificate thumbprint sent with the signatures has changed, and they get the new…
6 votes -
Support certificate revocation
Key Vault supports obtaining certificates from a number of CAs and this works great.
However, Key Vault does not currently provide an interface to revoke such certificates, leaving a gap in certificate lifecycle management.
Please extend integration between Key Vault and supported CAs to support revocation in addition to issuance.
6 votes -
Add support for certificate requests from Azure Key Vault
Add support to create certificate requests from Azure Key Vault.
This would enable PDF signing in the cloud, and would open many possibilities for cloud-based e-ID solutions. Adobe PDF signing certificates have requirements for an HSM, smart card or equivalent secure storage, so being able to have this in Azure Key Vault would be very useful.
6 votes -
Ability to sign cert with another self-signed cert
It would be nice to create a root cert and store it in the Key Vault. Then, create other self-signed certs that are signed by the root cert. This would allow me to create a single CA for my cluster, then create certs for the various microservices in the cluster so they could communicate securely. I would simply need to install the root cert on all the machines.
5 votes -
Pls add ECDSA certificate support to Azure Key Vault.
3 votes -
Rename-AzureKeyVaultCertificate
Could we please be allowed to Restore into a new name or get a Rename-AzureKeyVaultCertificate?
2 votes -
Extend KeyVault Certificates functionality to allow for use as an Enterprise CA.
Extend the functionality of Key Vault Certificates to allow for use as an Enterprise CA with functionality similar to Active Directory Certificate Services.
- The new service should integrate with the virtual network.
- Should support the use of modern crypto and hashing.
- Should support ECDSA keys.
- Should support the root CA key being in an HSM.
- Should auto-configure an OCSP endpoint.
- Should warn against use of legacy crypto.
- Should allow for cross-subscription connecting (need to connect my dev\test key vault to my enterprise KeyVault CA).
- Should integrate with KeyVault Policies to allow for RBAC.
Post Setup: Allow export of GPO for…
2 votes -
Key Vault virtual machine extension for Linux, support for CentOS
CentOS is not supported by the VM extension Microsoft.Azure.KeyVault.KeyVaultForLinux:
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/key-vault-linux?branch=pr-en-us-91477
Operating system
The Key Vault VM extension supports these Linux distributions:
Ubuntu-1604
Ubuntu-1804
Debian-9
Suse-15
============
CentOS / Red Hat is a VERY popular choice for Linux servers in Azure. Could we please add support for this extension to be used on CentOS VMs in Azure?
For the record, I'm getting this error when trying to install Microsoft.Azure.KeyVault.KeyVaultForLinux-1.0.921.6 on a CentOS web host:
```
cli.azure.cli.core.util : Deployment failed. Correlation ID: 671c3bed-2e64-40fc-a4ed-01d13d5fd3d6. VM has reported a failure when processing extension 'KeyVaultForLinux'. Error message: "Failed to get status file [Errno 2] No such file…
```
1 vote -
Show keys/secrets paths next to certificates path
In the key vault portal, when you view a certificate, the top URL is the "Certificate Identifier". If you specify this in Express V2 deployment, it will only contain the public key. If you need the cert with private key, you have to go to the bottom of the page and look for the "Secret Identifier" URL and use that instead. IMO, the "Key Identifier", "Secret Identifier" and "Certificate Identifier" URLs should all be at the top of the certificate version page, and they should have some help text to indicate the difference.
1 vote -
Allow certificate versions to be deleted
You can create new certificate versions, but you can only delete all versions at the same time, when deleting the certificate itself. If a new cert gets created that shouldn't have been, I can't delete it without deleting my other valid ones. That means that I have to always specify instance versions to retrieve instead of "latest", since I have no way to remove "latest" if it was mistakenly created.
1 vote -
CDN - SSL - Incorrect version selected on dropdown
CDN Profiles -> Custom Domain -> HTTPS -> Own certificate, once the KeyVault Certificate/Secret Version dropdown is loaded, it seems to always select the first item (current version) even though it is an older version that's currently deployed.
In order to actually deploy the current version, the user will need to first select an older version and then re-select the current version, because the save button is disabled by default.
1 vote