Provision Certificates with Azure Key Vault - Exam AZ-303 - Microsoft Azure Architect Technologies

Provision Certificates with Azure Key Vault

Question

You have an Azure key vault named KV1.

You need to ensure that applications can use KV1 to provision certificates automatically from an external certification authority (CA).

Which two actions should you perform? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

Answers

Explanations

A. B. C. D. E.

CD

C: Obtain the root CA certificate (step 4 in the picture below)

D: From KV1, create a certificate signing request (CSR) (step 2 in the picture below)

Note:

Creating a certificate with a CA not partnered with Key Vault

This method allows working with other CAs than Key Vault's partnered providers, meaning your organization can work with a CA of its choice.

The following step descriptions correspond to the green lettered steps in the preceding diagram.

1. In the diagram above, your application is creating a certificate, which internally begins by creating a key in your key vault.

2. Key Vault returns to your application a Certificate Signing Request (CSR).

3. Your application passes the CSR to your chosen CA.

4. Your chosen CA responds with an X509 Certificate.

5. Your application completes the new certificate creation with a merger of the X509 Certificate from your CA.

https://docs.microsoft.com/en-us/azure/key-vault/certificates/certificate-scenarios
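The five-step flow above, as an added example using the azure-keyvault-certificates SDK (this is not code from the linked Microsoft page; the vault URL, certificate name, subject and the `submit_to_ca` callback are assumptions). The PEM/DER helpers run offline; the vault calls need a signed-in identity with certificate permissions on KV1.

```python
"""Added example: certificate from a CA that is not a Key Vault partner (steps
1-5 above). Key Vault keeps the private key and hands back a CSR; the CSR goes
to the CA out of band; the CA's X.509 certificate is merged back in."""
import base64

VAULT_URL = "https://kv1.vault.azure.net"  # assumed URL for the KV1 vault
CERT_NAME = "app-tls-cert"                 # hypothetical certificate name

def der_to_pem(der: bytes, label: str) -> str:
    """Wrap DER bytes in a PEM block with 64-character base64 lines."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"

def csr_der_to_pem(csr_der: bytes) -> str:
    """Key Vault returns the CSR as DER; most external CAs expect PEM (step 3)."""
    return der_to_pem(csr_der, "CERTIFICATE REQUEST")

def pem_chain_to_der_list(pem_text: str) -> list:
    """Split the CA's PEM bundle (leaf first, then intermediates; step 4) into
    the list of DER certificates that Key Vault's merge operation expects."""
    ders = []
    for block in pem_text.split("-----END CERTIFICATE-----")[:-1]:
        body = block.split("-----BEGIN CERTIFICATE-----")[-1]
        ders.append(base64.b64decode("".join(body.split()), validate=True))
    return ders

def provision_from_external_ca(submit_to_ca) -> bytes:
    """End-to-end flow with azure-keyvault-certificates (assumed installed and
    signed in). submit_to_ca is caller-supplied: PEM CSR in, PEM chain out."""
    from azure.identity import DefaultAzureCredential
    from azure.keyvault.certificates import (CertificateClient, CertificatePolicy,
                                             WellKnownIssuerNames)
    client = CertificateClient(VAULT_URL, DefaultAzureCredential())
    policy = CertificatePolicy(
        issuer_name=WellKnownIssuerNames.unknown,  # "Unknown": Key Vault never contacts the CA
        subject="CN=app.example.com",              # assumed subject
        exportable=False,                          # private key never leaves the vault
    )
    # Steps 1-2: the key pair is generated inside the vault; the operation stays
    # pending and carries the CSR until a signed certificate is merged.
    client.begin_create_certificate(CERT_NAME, policy)
    csr_der = client.get_certificate_operation(CERT_NAME).csr
    # Steps 3-4: CSR to the CA out of band; step 5: merge what the CA signed.
    chain_pem = submit_to_ca(csr_der_to_pem(csr_der))
    merged = client.merge_certificate(CERT_NAME, pem_chain_to_der_list(chain_pem))
    return merged.cer  # DER of the merged leaf certificate
```

Because the issuer is `Unknown`, the create operation never completes on its own; it only finishes when `merge_certificate` supplies a certificate whose public key matches the CSR.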

To provision certificates automatically from an external certification authority (CA) using Azure Key Vault, you need to perform the following two actions:

A. From KV1, create a certificate issuer resource: To allow Key Vault to authenticate with the external CA and obtain certificates, you need to create a certificate issuer resource in the Key Vault. The certificate issuer resource specifies the CA endpoint and authentication information. To create a certificate issuer resource in Key Vault, you need to perform the following steps:

  1. Open the Azure portal and navigate to the KV1 Key Vault.
  2. Select "Certificates" from the left-hand menu, then select "Certificate Issuers."
  3. Select "Add" to create a new certificate issuer.
  4. Enter a name for the issuer and select the external CA type.
  5. Enter the necessary authentication information for the external CA.
  6. Select "Create" to create the issuer resource.

B. Obtain the CA account credentials: To authenticate with the external CA, you need to obtain the CA account credentials. The CA account credentials typically consist of a username and password or client certificate. You will need to obtain these credentials from the CA administrator or certificate provider.

C. Obtain the root CA certificate: To ensure that the certificates issued by the external CA are trusted by your applications, you need to obtain the root CA certificate. The root CA certificate is used to validate the trust chain of the issued certificates. You can obtain the root CA certificate from the CA administrator or certificate provider.

Therefore, the correct answers are A and B. Answers C, D, and E are not required to provision certificates automatically from an external CA using Azure Key Vault.