Azure Key Vault allows you to easily provision, manage, and deploy digital certificates for your network and to enable secure communications for applications. A digital certificate is an electronic credential that establishes proof of identity in an electronic transaction.
Azure Key Vault has a trusted partnership with the following Certificate Authorities: DigiCert and GlobalSign.
Azure Key Vault users can generate DigiCert and GlobalSign certificates directly from their key vaults. Key Vault's partnership ensures end-to-end certificate lifecycle management for certificates issued by DigiCert.
For more general information about certificates, see Azure Key Vault certificates.
If you don't have an Azure subscription, create a free account before you start.
To complete the procedures in this article, you need to have:
Make sure you have the following information from your DigiCert CertCentral account:
Make sure you have the following information from your GlobalSign account:
After you gather the preceding information from your DigiCert CertCentral account, you can add DigiCert to the certificate authority list in the key vault.
DigicertCA is now in the certificate authority list.
GlobalSignCA is now in the certificate authority list.
You can use Azure PowerShell to create and manage Azure resources by using commands or scripts. Azure hosts Azure Cloud Shell, an interactive shell environment that you can use through the Azure portal in a browser.
# Create a resource group and the key vault that will hold the certificate.
New-AzResourceGroup -Name ContosoResourceGroup -Location EastUS
New-AzKeyVault -Name 'Contoso-Vaultname' -ResourceGroupName 'ContosoResourceGroup' -Location 'EastUS'
# Gather the DigiCert CertCentral details; replace the placeholder values with your own.
# The API key is converted to a SecureString so it is not passed around as plain text.
$accountId = "myDigiCertCertCentralAccountID"
$org = New-AzKeyVaultCertificateOrganizationDetail -Id OrganizationIDfromDigiCertAccount
$secureApiKey = ConvertTo-SecureString DigiCertCertCentralAPIKey -AsPlainText -Force
# Register DigiCert as a certificate issuer in the vault.
Set-AzKeyVaultCertificateIssuer -VaultName "Contoso-Vaultname" -Name "TestIssuer01" -IssuerProvider DigiCert -AccountId $accountId -ApiKey $secureApiKey -OrganizationDetails $org -PassThru
# Define the certificate policy (PKCS#12 output, 12-month validity, auto-renew 60 days before expiry) and request the certificate.
$Policy = New-AzKeyVaultCertificatePolicy -SecretContentType "application/x-pkcs12" -SubjectName "CN=contoso.com" -IssuerName "TestIssuer01" -ValidityInMonths 12 -RenewAtNumberOfDaysBeforeExpiry 60
Add-AzKeyVaultCertificate -VaultName "Contoso-Vaultname" -Name "ExampleCertificate" -CertificatePolicy $Policy
The certificate is now issued by the DigiCert certificate authority in the specified key vault.
If the issued certificate shows a Disabled status in the Azure portal, view the certificate operation to review the DigiCert error message for the certificate:
Error message: "Please perform a merge to complete this certificate request."
Merge the CSR signed by the certificate authority to complete the request. For information about merging a CSR, see Create and merge a CSR.
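The following script is an added example, not part of the original article or the Az module's documentation. It performs the issuer registration and certificate request from the PowerShell steps above, but prompts for the CertCentral API key instead of embedding it in plain text, and then polls Get-AzKeyVaultCertificateOperation so a request that does not complete reports its CA error message (including the merge message above) rather than leaving a silently disabled certificate. The vault, issuer and certificate names, the polling interval and the ten-minute deadline are assumptions.

```powershell
# Added example: register the DigiCert issuer, request a certificate, and poll
# the certificate operation for its outcome. Names below are assumptions.
param(
    [string]$VaultName  = 'Contoso-Vaultname',
    [string]$IssuerName = 'TestIssuer01',
    [string]$CertName   = 'ExampleCertificate',
    [string]$AccountId  = 'myDigiCertCertCentralAccountID',
    [string]$OrgId      = 'OrganizationIDfromDigiCertAccount'
)

# Prompt for the API key as a SecureString so the plaintext never sits in a
# script file or in the shell history.
$secureApiKey = Read-Host -Prompt 'DigiCert CertCentral API key' -AsSecureString

$org = New-AzKeyVaultCertificateOrganizationDetail -Id $OrgId
Set-AzKeyVaultCertificateIssuer -VaultName $VaultName -Name $IssuerName `
    -IssuerProvider DigiCert -AccountId $AccountId -ApiKey $secureApiKey `
    -OrganizationDetails $org | Out-Null

$policy = New-AzKeyVaultCertificatePolicy -SecretContentType 'application/x-pkcs12' `
    -SubjectName 'CN=contoso.com' -IssuerName $IssuerName `
    -ValidityInMonths 12 -RenewAtNumberOfDaysBeforeExpiry 60
Add-AzKeyVaultCertificate -VaultName $VaultName -Name $CertName `
    -CertificatePolicy $policy | Out-Null

# The CA round trip is asynchronous: poll the operation until it leaves the
# inProgress state or the (assumed) ten-minute deadline passes.
$deadline = (Get-Date).AddMinutes(10)
do {
    Start-Sleep -Seconds 15
    $op = Get-AzKeyVaultCertificateOperation -VaultName $VaultName -Name $CertName
    Write-Host ("Certificate operation status: {0}" -f $op.Status)
} while ($op.Status -eq 'inProgress' -and (Get-Date) -lt $deadline)

if ($op.Status -ne 'completed') {
    # Surface the CA's reason instead of leaving a Disabled certificate unexplained.
    Write-Warning ("Request did not complete. ErrorCode: {0} ErrorMessage: {1}" -f `
        $op.ErrorCode, $op.ErrorMessage)
    if ($op.ErrorMessage -like '*merge*') {
        Write-Warning 'The CA expects the signed CSR to be merged into the vault; see Create and merge a CSR.'
    }
}
```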