About Azure Key Vault certificates

Key Vault certificates support provides for management of your x509 certificates and the following behaviors:

  • Allows a certificate owner to create a certificate through a Key Vault creation process or through the import of an existing certificate. Includes both self-signed and Certificate Authority generated certificates.
  • Allows a Key Vault certificate owner to implement secure storage and management of X509 certificates without interaction with private key material.
  • Allows a certificate owner to create a policy that directs Key Vault to manage the life-cycle of a certificate.
  • Allows certificate owners to provide contact information for notification about life-cycle events of expiration and renewal of a certificate.
  • Supports automatic renewal with selected issuers - Key Vault partner X509 certificate providers / certificate authorities.

Note

Non-partnered providers/authorities are also allowed, but they will not support the auto renewal feature.

Composition of a Certificate

When a Key Vault certificate is created, an addressable key and secret are also created with the same name. The Key Vault key allows key operations and the Key Vault secret allows retrieval of the certificate value as a secret. A Key Vault certificate also contains public x509 certificate metadata.

The identifiers and versions of certificates are similar to those of keys and secrets. A specific version of an addressable key and secret created with the Key Vault certificate version is available in the Key Vault certificate response.

Certificates are complex objects

Exportable or Non-exportable key

When a Key Vault certificate is created, it can be retrieved from the addressable secret with the private key in either PFX or PEM format. The policy used to create the certificate must indicate that the key is exportable. If the policy indicates non-exportable, then the private key isn't a part of the value when retrieved as a secret.

The addressable key becomes more relevant with non-exportable KV certificates. The addressable KV key's operations are mapped from the key usage field of the KV certificate policy used to create the KV certificate.

Certificate Attributes and Tags

In addition to certificate metadata, an addressable key and an addressable secret, a Key Vault certificate also contains attributes and tags.

Attributes

The certificate attributes are mirrored to attributes of the addressable key and secret created when the KV certificate is created.

A Key Vault certificate has the following attributes:

  • enabled: boolean, optional, default is true. Can be specified to indicate if the certificate data can be retrieved as a secret or operated on as a key. Also used in conjunction with nbf and exp: when an operation occurs between nbf and exp, it will only be permitted if enabled is set to true. Operations outside the nbf and exp window are automatically disallowed.

There are additional read-only attributes that are included in the response:

  • created: IntDate: indicates when this version of the certificate was created.
  • updated: IntDate: indicates when this version of the certificate was updated.
  • exp: IntDate: contains the value of the expiry date of the x509 certificate.
  • nbf: IntDate: contains the not-before date of the x509 certificate.

Note

If a Key Vault certificate expires, its addressable key and secret become inoperable.

Tags

Client specified dictionary of key value pairs, similar to tags in keys and secrets.

Note

Tags are readable by a caller if they have the list or get permission to that object type (keys, secrets, or certificates).

Certificate policy

A certificate policy contains information on how to create and manage the lifecycle of a Key Vault certificate. When a certificate with a private key is imported into the key vault, a default policy is created by reading the x509 certificate.

When a Key Vault certificate is created from scratch, a policy needs to be supplied. The policy specifies how to create this Key Vault certificate version, or the next Key Vault certificate version. Once a policy has been established, it isn't required with successive create operations for future versions. There's only one instance of a policy for all the versions of a Key Vault certificate.

At a high level, a certificate policy contains the following information:

  • X509 certificate properties: contains subject name, subject alternate names, and other properties used to create an x509 certificate request.

  • Key properties: contains key type, key length, exportable, and reuse key fields. These fields instruct Key Vault on how to generate a key.

  • Secret properties: contains secret properties such as the content type of the addressable secret, used to generate the secret value for retrieving the certificate as a secret.

  • Lifetime actions: contains lifetime actions for the KV certificate. Each lifetime action contains:

    • Trigger: specified via days before expiry or lifetime span percentage

    • Action: specifying the action type - emailContacts or autoRenew

  • Issuer: parameters about the certificate issuer to use to issue x509 certificates.

  • Policy attributes: contains attributes associated with the policy
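The lifetime-action part of a policy is where most operational mistakes happen (a renewal trigger that fires too late, or a trigger that specifies both forms). The following is an added example, not Key Vault's own code: the policy dictionary follows the JSON shape of the Key Vault REST API as the author understands it (`key_props`, `secret_props`, `x509_props`, `lifetime_actions`, `issuer`; `AutoRenew` and `EmailContacts` are the REST spellings of the autoRenew and emailContacts actions named above), and the trigger arithmetic (days_before_expiry counted back from exp, lifetime_percentage measured forward from nbf over the nbf..exp span) is an assumption about service behaviour, not a statement from this article. All names, dates and the subject are constructed.

```python
"""Compute when each lifetime action of a certificate policy would fire.

Added example, not Key Vault's own code. The policy shape mirrors the
REST API as the author understands it; the trigger arithmetic is an
assumption, not taken from the article.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample policy: 12-month exportable RSA-2048 certificate,
# auto-renewed at 80% of its lifetime, contacts e-mailed 30 days before expiry.
SAMPLE_POLICY = {
    "key_props": {"exportable": True, "kty": "RSA", "key_size": 2048, "reuse_key": False},
    "secret_props": {"contentType": "application/x-pkcs12"},
    "x509_props": {
        "subject": "CN=www.contoso.example",  # constructed subject name
        "sans": {"dns_names": ["www.contoso.example"]},
        "key_usage": ["digitalSignature", "keyEncipherment"],
        "validity_months": 12,
    },
    "lifetime_actions": [
        {"trigger": {"lifetime_percentage": 80}, "action": {"action_type": "AutoRenew"}},
        {"trigger": {"days_before_expiry": 30}, "action": {"action_type": "EmailContacts"}},
    ],
    "issuer": {"name": "Self"},
}


def validate_trigger(trigger):
    """A trigger must carry exactly one of days_before_expiry / lifetime_percentage."""
    present = {"days_before_expiry", "lifetime_percentage"} & set(trigger)
    if len(present) != 1:
        raise ValueError(f"trigger needs exactly one of days_before_expiry/lifetime_percentage: {trigger}")
    if "lifetime_percentage" in trigger and not 1 <= trigger["lifetime_percentage"] <= 99:
        raise ValueError("lifetime_percentage must be between 1 and 99")
    if "days_before_expiry" in trigger and trigger["days_before_expiry"] < 1:
        raise ValueError("days_before_expiry must be at least 1")


def trigger_time(trigger, nbf, exp):
    """Datetime at which the action fires for a certificate valid from nbf to exp."""
    validate_trigger(trigger)
    if "days_before_expiry" in trigger:
        return exp - timedelta(days=trigger["days_before_expiry"])
    # Assumption: percentage is measured forward from nbf over the whole span.
    return nbf + (exp - nbf) * (trigger["lifetime_percentage"] / 100)


def schedule(policy, nbf, exp):
    """(action_type, fire_time) for every lifetime action, earliest first."""
    items = [
        (action["action"]["action_type"], trigger_time(action["trigger"], nbf, exp))
        for action in policy["lifetime_actions"]
    ]
    return sorted(items, key=lambda item: item[1])


# Constructed validity window for the demonstration: 365 days from 2024-01-01 UTC.
SAMPLE_NBF = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_EXP = SAMPLE_NBF + timedelta(days=365)


def sample_schedule():
    """Schedule for SAMPLE_POLICY over the sample window, dates as ISO strings."""
    return [(kind, when.date().isoformat()) for kind, when in schedule(SAMPLE_POLICY, SAMPLE_NBF, SAMPLE_EXP)]


if __name__ == "__main__":
    for kind, when in sample_schedule():
        print(f"{when}  {kind}")
```

Running the schedule against the real nbf/exp of a certificate version is a cheap way to confirm that the auto-renew trigger fires before the e-mail trigger, and that both leave enough time for the issuer to complete the order before exp.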

X509 to Key Vault usage mapping

The following table represents the mapping of x509 key usage policy to effective key operations of a key created as part of a Key Vault certificate creation.

| X509 Key Usage flags | Key Vault key ops | Default behavior |
| --- | --- | --- |
| DataEncipherment | encrypt, decrypt | N/A |
| DecipherOnly | decrypt | N/A |
| DigitalSignature | sign, verify | Key Vault default without a usage specification at certificate creation time |
| EncipherOnly | encrypt | N/A |
| KeyCertSign | sign, verify | N/A |
| KeyEncipherment | wrapKey, unwrapKey | Key Vault default without a usage specification at certificate creation time |
| NonRepudiation | sign, verify | N/A |
| crlsign | sign, verify | N/A |
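The table above and the enabled/nbf/exp attributes described earlier together decide whether a given key operation on a certificate's addressable key will be permitted. The following is an added example, not Key Vault's own code, that encodes both: the flag-to-ops table and the default applied when no usage is specified are taken from the table above, while taking the union of ops across all flags present is the author's assumption; `can_perform`, `is_operable` and the `SAMPLE_*` values are constructed for the demonstration.

```python
"""X509 key usage -> Key Vault key ops, gated by enabled/nbf/exp.

Added example, not Key Vault's own code. The mapping and default are from
the article's table; the union-over-flags rule is an assumption.
"""
from datetime import datetime, timezone

KEY_USAGE_TO_OPS = {
    "DataEncipherment": {"encrypt", "decrypt"},
    "DecipherOnly": {"decrypt"},
    "DigitalSignature": {"sign", "verify"},
    "EncipherOnly": {"encrypt"},
    "KeyCertSign": {"sign", "verify"},
    "KeyEncipherment": {"wrapKey", "unwrapKey"},
    "NonRepudiation": {"sign", "verify"},
    "crlsign": {"sign", "verify"},
}
# Key Vault's default when the policy leaves the key usage unspecified.
DEFAULT_KEY_USAGE = ("DigitalSignature", "KeyEncipherment")


def effective_key_ops(key_usage):
    """Ops of the addressable key for the given flags (union over flags; default if none)."""
    flags = list(key_usage) if key_usage else list(DEFAULT_KEY_USAGE)
    ops = set()
    for flag in flags:
        if flag not in KEY_USAGE_TO_OPS:
            raise ValueError(f"unknown key usage flag: {flag}")
        ops |= KEY_USAGE_TO_OPS[flag]
    return frozenset(ops)


def is_operable(attrs, now):
    """True only if enabled is true and `now` lies within [nbf, exp] (IntDate = Unix seconds)."""
    if not attrs.get("enabled", True):
        return False
    ts = int(now.timestamp())
    nbf, exp = attrs.get("nbf"), attrs.get("exp")
    if nbf is not None and ts < nbf:
        return False
    if exp is not None and ts > exp:
        return False
    return True


def can_perform(op, attrs, key_usage, now):
    """Would Key Vault allow `op` on the certificate's addressable key at `now`?"""
    return is_operable(attrs, now) and op in effective_key_ops(key_usage)


UTC = timezone.utc
# Constructed sample: a certificate version valid for calendar year 2024.
SAMPLE_ATTRS = {
    "enabled": True,
    "nbf": int(datetime(2024, 1, 1, tzinfo=UTC).timestamp()),
    "exp": int(datetime(2024, 12, 31, 23, 59, 59, tzinfo=UTC).timestamp()),
}
MID_VALIDITY = datetime(2024, 6, 1, tzinfo=UTC)
AFTER_EXPIRY = datetime(2025, 2, 1, tzinfo=UTC)

if __name__ == "__main__":
    print(sorted(effective_key_ops([])))  # default ops when no usage is specified
    print(can_perform("sign", SAMPLE_ATTRS, ["DigitalSignature"], MID_VALIDITY))     # True
    print(can_perform("wrapKey", SAMPLE_ATTRS, ["DigitalSignature"], MID_VALIDITY))  # False: not mapped
    print(can_perform("sign", SAMPLE_ATTRS, ["DigitalSignature"], AFTER_EXPIRY))     # False: expired
```

The third check illustrates the note above: once exp has passed, the addressable key is inoperable regardless of how the key usage was mapped, which is why renewal has to be triggered before, not at, expiry.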

Certificate Issuer

A Key Vault certificate object holds a configuration used to communicate with a selected certificate issuer provider to order x509 certificates.

  • Key Vault partners with the following certificate issuer providers for TLS/SSL certificates:

| Provider Name | Locations |
| --- | --- |
| DigiCert | Supported in all key vault service locations in public cloud and Azure Government |
| GlobalSign | Supported in all key vault service locations in public cloud and Azure Government |

Before a certificate issuer can be created in a Key Vault, the following prerequisite steps 1 and 2 must be successfully accomplished.

  1. Onboard to Certificate Authority (CA) providers

    • An organization administrator must on-board their company (for example, Contoso) with at least one CA provider.
  2. Admin creates requester credentials for Key Vault to enroll (and renew) TLS/SSL certificates

    • Provides the configuration to be used to create an issuer object of the provider in the key vault.

For more information on creating issuer objects from the Certificates portal, see the Key Vault Certificates blog.

Key Vault allows for creation of multiple issuer objects with different issuer provider configurations. Once an issuer object is created, its name can be referenced in one or multiple certificate policies. Referencing the issuer object instructs Key Vault to use the configuration as specified in the issuer object when requesting the x509 certificate from the CA provider during certificate creation and renewal.

Issuer objects are created in the vault and can only be used with KV certificates in the same vault.

Certificate contacts

Certificate contacts contain contact information to send notifications triggered by certificate lifetime events. The contact information is shared by all the certificates in the key vault. A notification is sent to all the specified contacts for an event for any certificate in the key vault.

If a certificate's policy is set to auto renewal, then a notification is sent on the following events:

  • Before certificate renewal

  • After certificate renewal, stating if the certificate was successfully renewed, or if there was an error, requiring manual renewal of the certificate.

When a certificate policy is set to be manually renewed (email only), a notification is sent when it's time to renew the certificate.

Certificate Access Control

Access control for certificates is managed by Key Vault, and is provided by the Key Vault that contains those certificates. The access control policy for certificates is distinct from the access control policies for keys and secrets in the same Key Vault. Users may create one or more vaults to hold certificates, to maintain scenario-appropriate segmentation and management of certificates.

The following permissions can be used, on a per-principal basis, in the certificates access control entry on a key vault, and closely mirror the operations allowed on a certificate object:

  • Permissions for certificate management operations

    • get: Get the current certificate version, or any version of a certificate
    • list: List the current certificates, or versions of a certificate
    • update: Update a certificate
    • create: Create a Key Vault certificate
    • import: Import certificate material into a Key Vault certificate
    • delete: Delete a certificate, its policy, and all of its versions
    • recover: Recover a deleted certificate
    • backup: Back up a certificate in a key vault
    • restore: Restore a backed-up certificate to a key vault
    • managecontacts: Manage Key Vault certificate contacts
    • manageissuers: Manage Key Vault certificate authorities/issuers
    • getissuers: Get a certificate's authorities/issuers
    • listissuers: List a certificate's authorities/issuers
    • setissuers: Create or update a Key Vault certificate's authorities/issuers
    • deleteissuers: Delete a Key Vault certificate's authorities/issuers
  • Permissions for privileged operations

    • purge: Purge (permanently delete) a deleted certificate
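Because the certificate permission set is separate from those for keys and secrets, it is worth reviewing on its own when auditing a vault's access policy. The following is an added example, not Key Vault's own code: the permission names are the ones listed above, while the grouping into read-only, management, issuer-configuration and privileged buckets is the author's, chosen to surface the grants that deserve a second look (purge is irreversible, and the issuer permissions change which CA configuration Key Vault uses when it orders or renews certificates). `review_certificate_permissions`, `least_privilege_findings` and the sample access-policy entry are constructed for the demonstration; the object id is a placeholder.

```python
"""Review the certificate permissions granted to one principal on a vault.

Added example, not Key Vault's own code. Permission names come from the
article; the buckets and the findings logic are the author's.
"""
READ_ONLY = {"get", "list", "getissuers", "listissuers"}
MANAGEMENT = {"update", "create", "import", "delete", "recover", "backup", "restore", "managecontacts"}
ISSUER_CONFIG = {"manageissuers", "setissuers", "deleteissuers"}
PRIVILEGED = {"purge"}
ALL_CERTIFICATE_PERMISSIONS = READ_ONLY | MANAGEMENT | ISSUER_CONFIG | PRIVILEGED


def review_certificate_permissions(granted):
    """Classify granted permission names (case-insensitive) into sorted buckets."""
    names = {p.lower() for p in granted}
    return {
        "unknown": sorted(names - ALL_CERTIFICATE_PERMISSIONS),
        "read_only": sorted(names & READ_ONLY),
        "management": sorted(names & MANAGEMENT),
        "issuer_config": sorted(names & ISSUER_CONFIG),
        "privileged": sorted(names & PRIVILEGED),
    }


def least_privilege_findings(granted, needs_write=False):
    """Human-readable findings for a principal; read-only is the baseline unless needs_write."""
    review = review_certificate_permissions(granted)
    findings = []
    if review["unknown"]:
        findings.append("unknown permission names: " + ", ".join(review["unknown"]))
    if review["privileged"]:
        findings.append("purge allows irreversible deletion of soft-deleted certificates")
    if review["issuer_config"]:
        findings.append("issuer permissions let the principal change the CA configuration used for "
                        "creation and renewal: " + ", ".join(review["issuer_config"]))
    if not needs_write and review["management"]:
        findings.append("management permissions granted to a read-only principal: "
                        + ", ".join(review["management"]))
    return findings


# Constructed access-policy entry for the demonstration (object id is a placeholder).
SAMPLE_ACCESS_POLICY_ENTRY = {
    "objectId": "<principal-object-id>",
    "permissions": {"certificates": ["get", "list", "create", "purge", "setissuers"]},
}

if __name__ == "__main__":
    for finding in least_privilege_findings(SAMPLE_ACCESS_POLICY_ENTRY["permissions"]["certificates"]):
        print("-", finding)
```

A principal that only terminates TLS typically needs none of these certificate permissions at all: it reads the certificate through the addressable secret, which is governed by the separate secrets permission set described above.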

For more information, see the Certificate operations in the Key Vault REST API reference. For information on establishing permissions, see Vaults - Create or Update and Vaults - Update Access Policy.

Next steps