About Azure Key Vault certificates (2023)

  • Article
  • 8 minutes to read

Azure Key Vault certificate support provides for management of your X.509 certificates and the following behaviors:

  • Allows a certificate owner to create a certificate through a key vault creation process or through the import of an existing certificate. Imported certificates include both self-signed certificates and certificates that are generated from a certificate authority (CA).

  • Allows a Key Vault certificate owner to implement secure storage and management of X.509 certificates without interacting with private key material.

  • Allows a certificate owner to create a policy that directs Key Vault to manage the lifecycle of a certificate.

  • Allows a certificate owner to provide contact information for notifications about the lifecycle events of expiration and renewal.

  • Supports automatic renewal with selected issuers: Key Vault partner X.509 certificate providers and CAs.


    Non-partnered providers and authorities are also allowed but don't support automatic renewal.

For details on certificate creation, see Certificate creation methods.

(Video) Azure Key Vault Tutorial : Step-By-Step-Demo | Secret, Key, Certificates

Composition of a certificate

When a Key Vault certificate is created, an addressable key and secret are also created with the same name. The Key Vault key allows key operations, and the Key Vault secret allows retrieval of the certificate value as a secret. A Key Vault certificate also contains public X.509 certificate metadata.

The identifier and version of certificates are similar to those of keys and secrets. A specific version of an addressable key and secret created with the Key Vault certificate version is available in the Key Vault certificate response.

About Azure Key Vault certificates (1)

Exportable or non-exportable key

When a Key Vault certificate is created, it can be retrieved from the addressable secret with the private key in either PFX or PEM format. The policy that's used to create the certificate must indicate that the key is exportable. If the policy indicates that the key is non-exportable, then the private key isn't a part of the value when it's retrieved as a secret.

The addressable key becomes more relevant with non-exportable Key Vault certificates. The addressable Key Vault key's operations are mapped from the keyusage field of the Key Vault certificate policy that's used to create the Key Vault certificate.

The following table lists supported key types.

Key typeAboutSecurity
RSASoftware-protected RSA keyFIPS 140-2 Level 1
RSA-HSMHSM-protected RSA key (Premium SKU only)FIPS 140-2 Level 2 HSM
ECSoftware-protected elliptic curve keyFIPS 140-2 Level 1
EC-HSMHSM-protected elliptic curve key (Premium SKU only)FIPS 140-2 Level 2 HSM
octSoftware-protected octet keyFIPS 140-2 Level 1

Exportable keys are allowed only with RSA and EC. HSM keys are non-exportable. For more information about key types, see Create certificates.

In addition to certificate metadata, an addressable key, and an addressable secret, a Key Vault certificate contains attributes and tags.


The certificate attributes are mirrored to attributes of the addressable key and secret that are created when the Key Vault certificate is created.

A Key Vault certificate has the following attribute:

  • enabled: This Boolean attribute is optional. Default is true. It can be specified to indicate if the certificate data can be retrieved as a secret or operable as a key.

    This attribute is also used with nbf and exp when an operation occurs between nbf and exp, but only if enabled is set to true. Operations outside the nbf and exp window are automatically disallowed.

    (Video) Managing Azure Key Vault Certificates

A response includes these additional read-only attributes:

  • created: IntDate indicates when this version of the certificate was created.
  • updated: IntDate indicates when this version of the certificate was updated.
  • exp: IntDate contains the value of the expiration date of the X.509 certificate.
  • nbf: IntDate contains the value of the "not before" date of the X.509 certificate.


If a Key Vault certificate expires, its addressable key and secret become inoperable.


Tags for certificates are a client-specified dictionary of key/value pairs, much like tags in keys and secrets.


A caller can read tags if they have the list or get permission to that object type (keys, secrets, or certificates).

Certificate policy

A certificate policy contains information on how to create and manage the lifecycle of a Key Vault certificate. When a certificate with private key is imported into the key vault, the Key Vault service creates a default policy by reading the X.509 certificate.

When a Key Vault certificate is created from scratch, a policy needs to be supplied. The policy specifies how to create this Key Vault certificate version or the next Key Vault certificate version. After a policy has been established, it isn't required with successive create operations for future versions. There's only one instance of a policy for all the versions of a Key Vault certificate.

At a high level, a certificate policy contains the following information:

  • X.509 certificate properties, which include subject name, subject alternate names, and other properties that are used to create an X.509 certificate request.

    (Video) how to create a Azure Key vault and azure certificates

  • Key properties, which include key type, key length, exportable, and ReuseKeyOnRenewal fields. These fields instruct Key Vault on how to generate a key.

    Supported key types are RSA, RSA-HSM, EC, EC-HSM, and oct.

  • Secret properties, such as the content type of an addressable secret to generate the secret value, for retrieving a certificate as a secret.

  • Lifetime actions for the Key Vault certificate. Each lifetime action contains:

    • Trigger: Specified as days before expiration or lifetime span percentage.
    • Action: emailContacts or autoRenew.
  • Parameters about the certificate issuer to use for issuing X.509 certificates.

  • Attributes associated with the policy.

For more information, see Set-AzKeyVaultCertificatePolicy.

Mapping X.509 usage to key operations

The following table represents the mapping of X.509 key usage policies to effective key operations of a key that's created as part of Key Vault certificate creation.

X.509 key usage flagsKey Vault key operationsDefault behavior
DataEnciphermentencrypt, decryptNot applicable
DecipherOnlydecryptNot applicable
DigitalSignaturesign, verifyKey Vault default without a usage specification at certificate creation time
EncipherOnlyencryptNot applicable
KeyCertSignsign, verifyNot applicable
KeyEnciphermentwrapKey, unwrapKeyKey Vault default without a usage specification at certificate creation time
NonRepudiationsign, verifyNot applicable
crlsignsign, verifyNot applicable

Certificate issuer

A Key Vault certificate object holds a configuration that's used to communicate with a selected certificate issuer provider to order X.509 certificates.

Key Vault partners with the following certificate issuer providers for TLS/SSL certificates.

Provider nameLocations
DigiCertSupported in all Key Vault service locations in public cloud and Azure Government
GlobalSignSupported in all Key Vault service locations in public cloud and Azure Government

Before a certificate issuer can be created in a key vault, an administrator must take the following prerequisite steps:

  1. Onboard the organization with at least one CA provider.

    (Video) AZ-900 Episode 27 | Azure Key Vault | Secret, Key and Certificate Management

  2. Create requester credentials for Key Vault to enroll (and renew) TLS/SSL certificates. This step provides the configuration for creating an issuer object of the provider in the key vault.

For more information on creating issuer objects from the certificate portal, see the Key Vault Team Blog.

Key Vault allows for the creation of multiple issuer objects with different issuer provider configurations. After an issuer object is created, its name can be referenced in one or multiple certificate policies. Referencing the issuer object instructs Key Vault to use the configuration as specified in the issuer object when it's requesting the X.509 certificate from the CA provider during certificate creation and renewal.

Issuer objects are created in the vault. They can be used only with Key Vault certificates in the same vault.


Publicly trusted certificates are sent to CAs and certificate transparency (CT) logs outside the Azure boundary during enrollment. They're covered by the GDPR policies of those entities.

Certificate contacts contain contact information for sending notifications triggered by certificate lifetime events. All the certificates in the key vault share the contact information.

A notification is sent to all the specified contacts for an event for any certificate in the key vault. For information on how to set a certificate contact, see Renew your Azure Key Vault certificates.

Certificate access control

Key Vault manages access control for certificates. The key vault that contains those certificates provides access control. The access control policy for certificates is distinct from the access control policies for keys and secrets in the same key vault.

Users can create one or more vaults to hold certificates, to maintain scenario-appropriate segmentation and management of certificates. For more information, see Certificate access control.

Certificate use cases

Secure communication and authentication

TLS certificates can help encrypt communications over the internet and establish the identity of websites. This encryption makes the entry point and mode of communication more secure. Additionally, a chained certificate that's signed by a public CA can help verify that the entities holding the certificates are legitimate.

(Video) Azure Key Vault Deep Dive (AZ-500)

As an example, here are some use cases of using certificates to secure communication and enable authentication:

  • Intranet/internet websites: Protect access to your intranet site and ensure encrypted data transfer over the internet through TLS certificates.
  • IoT and networking devices: Protect and secure your devices by using certificates for authentication and communication.
  • Cloud/multicloud: Secure cloud-based applications on-premises, cross-cloud, or in your cloud provider's tenant.

Code signing

A certificate can help secure the code/script of software, to ensure that the author can share the software over the internet without interference by malicious entities. After the author signs the code by using a certificate and taking advantage of code-signing technology, the software is marked with a stamp of authentication that displays the author and their website. The certificate used in code signing helps validate the software's authenticity, promoting end-to-end security.

Next steps

  • Certificate creation methods
  • About Key Vault
  • About keys, secrets, and certificates
  • About keys
  • About secrets
  • Key management in Azure
  • Authentication, requests, and responses
  • Key Vault developer's guide


What are certificates in Azure key vault? ›

A certificate issuer is an entity represented in Azure Key Vault (KV) as a CertificateIssuer resource. It is used to provide information about the source of a KV certificate; issuer name, provider, credentials, and other administrative details.

What is key vault certificate? ›

Azure Key Vault enables Microsoft Azure applications and users to store and use certificates, which are built on top of keys and secrets and add an automated renewal feature.

What certificate format for Azure key Vault? ›

In Azure Key Vault, supported certificate formats are PFX and PEM. . pem file format contains one or more X509 certificate files.

What are the 3 types of certificates? ›

There are three recognized categories of SSL certificate authentication types:
  • Extended Validation (EV)
  • Organization Validation (OV)
  • Domain Validation (DV)

What is the main purpose of using certificates? ›

A certificate is like a passport: it identifies the holder and provides other important information. Certificates are issued by a trusted third party called a Certification Authority (CA).

What are the two types of keys available in encryption in Azure? ›

Azure Key Vault provides two types of resources to store and manage cryptographic keys. Vaults support software-protected and HSM-protected (Hardware Security Module) keys.

What is Azure key Vault summary? ›

Azure Key Vault is a cloud service that provides a secure store for secrets. You can securely store keys, passwords, certificates, and other secrets. Azure key vaults may be created and managed through the Azure portal. In this quickstart, you create a key vault, then use it to store a secret.

What is the primary benefit of Azure key vault? ›

Key Vault greatly reduces the chances that secrets may be accidentally leaked. When application developers use Key Vault, they no longer need to store security information in their application. Not having to store security information in applications eliminates the need to make this information part of the code.

How does a key certificate work? ›

The certificate is signed by the Issuing Certificate authority, and this it what guarantees the keys. Now when someone wants your public keys, you send them the certificate, they verify the signature on the certificate, and if it verifies, then they can trust your keys.

How does Keyvault store passwords? ›

The type property must be set to: AzureKeyVault. Specify the Azure Key Vault URL. Select the provisioned Azure Key Vault where your credentials are stored. You can do Test Connection to make sure your AKV connection is valid.

How does Keyvault work? ›

Azure Key Vault enables users to securely store and manage sensitive data like keys, passwords, certificates, and other sensitive information. These are kept in centralized storage that is protected by industry-standard algorithms and hardware security modules.

Where are certificates stored in Azure? ›

Certificates are stored in nonvolatile storage on the Azure Sphere device. The certificate store, or cert store, can hold up to 24 KiB of certificates. The maximum size for a certificate is 8 KiB.

What is the difference between certificate and secret in Azure key vault? ›

Object types

Secrets: Provides secure storage of secrets, such as passwords and database connection strings. For more information, see About secrets. Certificates: Supports certificates, which are built on top of keys and secrets and add an automated renewal feature.

How do I store certificates in vault? ›

You have three methods for configuring a root CA in Vault: Generate a self-signed root CA issued by Vault Bring your own offline root CA Import a CA certificate and private key bundle using the pki/config/ca endpoint.

What are the two types of SSL certificates? ›

There are three types of SSL Certificate available today; Extended Validation (EV SSL), Organization Validated (OV SSL) and Domain Validated (DV SSL). The encryption levels are the same for each certificate, what differs is the vetting and verification processes needed to obtain the certificate.

What is the difference between private key and certificate? ›

The owner of the key pair makes the public key available to anyone, but keeps the private key secret. A certificate verifies that an entity is the owner of a particular public key. Certificates that follow the X. 509 standard contain a data section and a signature section.

What are examples of certificates? ›

For example, a Certified Public Accountant can practice as a CPA across the accounting profession.
Other examples might include:
  • CFA (Chartered Financial Analyst)
  • CIPM (Certificate in Investment Performance Measurement)
  • RA (Registered Architect)
  • CPL (Commercial Pilot License)
  • CMP (Certified Meeting Professional)
Feb 25, 2020

What is the difference between key and certificate? ›

A certificate is a trusted document that contains a public key and other data of the respective private key owner. Examples of such data are the private key owner identification and the possible connections established with the private key owner.

Why certificates are better than passwords? ›

Certificates can't be forgotten, as is the case with passwords (although they can be misplaced). The private key contained within a certificate is of high cryptographic strength. This is not generally the case with user-defined passwords, which can often be guessed.

What are the benefits of a certificate? ›

Some of the key benefits of certification include:
  • Validation of knowledge.
  • Increased marketability.
  • Increased earning power.
  • Enhanced academic performance.
  • Improved reputation.
  • Enhanced credibility.
  • Increased confidence.
  • Respect from peers.

How many secrets can a Azure key vault hold? ›

Key Vault does not restrict the number of keys, secrets or certificates that can be stored in a vault.

What are the four 4 most secure encryption techniques? ›

11. What are the 4 basic types of encryption systems?
  • Advanced Encryption Standard (AES)
  • Triple DES.
  • Blowfish.
  • Rivest-Shamir-Adleman (RSA)
Nov 11, 2022

How many key vaults should you use? ›

Use separate key vaults

Our recommendation is to use a vault per application per environment (development, pre-production, and production), per region.

What are the permission levels in Azure key vault? ›

The Azure RBAC model provides the ability to set permissions on different scope levels: management group, subscription, resource group, or individual resources. Azure RBAC for key vault also provides the ability to have separate permissions on individual keys, secrets, and certificates.

Who has access to Azure key vault? ›

User-only: The user accesses the key vault from any application registered in the tenant. Examples of this type of access include Azure PowerShell and the Azure portal.

Where do I use Azure key vault? ›

Create a vault
  • From the Azure portal menu, or from the Home page, select Create a resource.
  • In the Search box, enter Key Vault.
  • From the results list, choose Key Vault.
  • On the Key Vault section, choose Create.
  • On the Create key vault section provide the following information: ...
  • Select Create.
Jan 24, 2023

How do I authenticate key vault in Azure? ›

There are three ways to authenticate to Azure Key Vault:
  1. Managed Identities.
  2. Service Principal and Secret. You can use a Service Principal and a secret to access a key vault. ...
  3. Service Principal and Certificate. You can use a Service Principal and associated certificates to access key vault.
May 6, 2020

Do certificate keys expire? ›

Certificates have an expiration date, after which the certificate / public key is generally not used to verify the signature anymore. Expiration is generally not part of the cryptographic algorithms; it's more of a responsibility of the system / implementation than cryptography itself.

How do I get my key vault certificate? ›

On the Key Vault properties pages, select Certificates. Click on Generate/Import. On the Create a certificate screen choose the following values: Method of Certificate Creation: Generate.

How do I create a .key certificate? ›

Generate a key file that you will use to generate a certificate signing request.
  1. Open the Command Prompt as an administrator, and navigate to the Apache directory for Tableau Server. For example, run the following command: ...
  2. Run the following command to create the key file: openssl.exe genrsa -out <yourcertname>.key 4096.

Can Keyvault be used as password manager? ›

Some common uses of Azure Key Vault are; Provides a central interface to store and manage keys, secrets and policies. Enable in storing and managing key and password data for applications without directly giving them access to keys data.

How do I add a user and password to Azure key vault? ›

In the Azure portal, navigate to the Key Vault resource. Select the permissions you want under Key permissions, Secret permissions, and Certificate permissions. Under the Principal selection pane, enter the name of the user, app or service principal in the search field and select the appropriate result.

Can we store file in Keyvault? ›

You can also use Key Vault to store a multi-line secret, such as a JSON file or RSA private key.

How do you get secrets from Keyvault? ›

Retrieve a secret from Key Vault

Use https://<your-unique-keyvault-name>.vault.azure.net/secrets/ExamplePassword to get the current version. Now, you have created a Key Vault, stored a secret, and retrieved it.

How do you deploy a key vault? ›

Deploy the template
  1. Subscription: select an Azure subscription.
  2. Resource group: select Create new, enter a unique name for the resource group, and then click OK.
  3. Location: select a location. ...
  4. Key Vault Name: enter a name for the key vault, which must be globally unique within the .
Nov 24, 2021

What are certificates in Azure? ›

Certificates are used in Azure for cloud services (service certificates) and for authenticating with the management API (management certificates).

Can Azure key vault generate certificate? ›

There are several ways to create a Key Vault certificate. Get an overview of the Azure Key Vault REST interface and certificates. Scenarios demonstrating a range of options for creating, monitoring, and interacting with the certificate creation process with Key Vault.

Is Azure key vault a certificate authority? ›

Azure Key Vault has a trusted partnership with the following Certificate Authorities: DigiCert. GlobalSign.

What are the top 3 certifications in Azure? ›

  • Microsoft Certified: Azure AI Fundamentals (AI-900)
  • Microsoft Certified: Azure Data Fundamentals (DP-900)
  • Microsoft Certified: Azure Fundamental (AZ-900)
  • Microsoft Certified: Security, Compliance, and Identity Fundamentals (SC-900)
Feb 7, 2023

How many certifications are there in Azure? ›

There are four levels of Microsoft Azure certification. They are: Fundamentals-level certifications: Perfect for non-technical people who want to get started in cloud computing and cloud professionals who are just beginning.

Can I store certificates in vault? ›

Vault only allows one CA certificate per secrets engine. If you want to issue certificates from multiple CAs, mount the PKI secrets engine at multiple mount points with separate CA certificates in each.

What happens when an Azure key vault secret expires? ›

The expiration date attribute configured for an Azure Key Vault secret identifies the expiration time after which the secret must not be used anymore for storing sensitive and confidential data such as passwords and database connection strings.


1. Azure Key Vault Certificate Management
(CBT Nuggets)
2. Azure Key Vault Tutorial | Secure secrets, keys and certificates easily
(Adam Marczak - Azure for Everyone)
3. How to use Azure Key Vault + .NET Core easily | Secrets, Keys and Certificates - English
(Jose Async)
4. Using Azure Key Vault Certificate, Secrets, and Keys
(John Christopher)
5. Certificate Based Authentication for Azure Key Vault
(Rahul Nath)
6. What is Azure Key Vault? | How to Deploy an Azure Key Vault


Top Articles
Latest Posts
Article information

Author: The Hon. Margery Christiansen

Last Updated: 10/14/2023

Views: 6042

Rating: 5 / 5 (70 voted)

Reviews: 93% of readers found this page helpful

Author information

Name: The Hon. Margery Christiansen

Birthday: 2000-07-07

Address: 5050 Breitenberg Knoll, New Robert, MI 45409

Phone: +2556892639372

Job: Investor Mining Engineer

Hobby: Sketching, Cosplaying, Glassblowing, Genealogy, Crocheting, Archery, Skateboarding

Introduction: My name is The Hon. Margery Christiansen, I am a bright, adorable, precious, inexpensive, gorgeous, comfortable, happy person who loves writing and wants to share my knowledge and understanding with you.