Get started with Key Vault certificates

The following scenarios outline several of the primary uses of Key Vault's certificate management service, including the additional steps required to create your first certificate in your key vault.

The following are outlined:

  • Creating your first Key Vault certificate
  • Creating a certificate with a Certificate Authority that is partnered with Key Vault
  • Creating a certificate with a Certificate Authority that is not partnered with Key Vault
  • Importing a certificate

Certificates are complex objects

Certificates are composed of three interrelated resources linked together as a Key Vault certificate: certificate metadata, a key, and a secret.

(Figure: Certificates are complex)

Creating your first Key Vault certificate

Before a certificate can be created in a Key Vault (KV), prerequisite steps 1 and 2 must be successfully completed, and a key vault must exist for this user or organization.

Step 1 - Certificate Authority (CA) Providers

  • On-boarding as the IT Admin, PKI Admin, or anyone managing accounts with CAs for a given company (for example, Contoso) is a prerequisite to using Key Vault certificates.
    The following CAs are the current partnered providers with Key Vault:
    • DigiCert - Key Vault offers OV TLS/SSL certificates with DigiCert.
    • GlobalSign - Key Vault offers OV TLS/SSL certificates with GlobalSign.

Step 2 - An account admin for a CA provider creates credentials to be used by Key Vault to enroll, renew, and use TLS/SSL certificates via Key Vault.

Step 3 - A Contoso admin, along with a Contoso employee (Key Vault user) who owns certificates, can, depending on the CA, get a certificate from the admin or directly from the account with the CA.

  • Begin an add credential operation to a key vault by setting a certificate issuer resource. A certificate issuer is an entity represented in Azure Key Vault (KV) as a CertificateIssuer resource. It is used to provide information about the source of a KV certificate: issuer name, provider, credentials, and other administrative details.
    • Example: MyDigiCertIssuer

      • Provider
      • Credentials - CA account credentials. Each CA has its own specific data.

      For more information on creating accounts with CA Providers, see the related post on the Key Vault blog.

Step 3.1 - Set up certificate contacts for notifications. This is the contact for the Key Vault user. Key Vault does not enforce this step.

Note - This process, through step 3.1, is a one-time operation.

Creating a certificate with a CA partnered with Key Vault

(Figure: Creating a certificate with a certificate authority partnered with Key Vault)

Step 4 - The following descriptions correspond to the green numbered steps in the preceding diagram.
(1) - In the diagram above, your application is creating a certificate, which internally begins by creating a key in your key vault.
(2) - Key Vault sends a TLS/SSL Certificate Request to the CA.
(3) - Your application polls your Key Vault, in a loop-and-wait process, for certificate completion. The certificate creation is complete when Key Vault receives the CA's response with the X509 certificate.
(4) - The CA responds to Key Vault's TLS/SSL Certificate Request with an X509 TLS/SSL Certificate.
(5) - Your new certificate creation completes with the merger of the X509 Certificate from the CA.

Key Vault user - creates a certificate by specifying a policy

  • Repeat as needed

  • Policy constraints

    • X509 properties
    • Key properties
    • Provider reference -> for example, MyDigiCertIssuer
    • Renewal information -> for example, 90 days before expiry
  • A certificate creation process is usually asynchronous and involves polling your key vault for the state of the create certificate operation.
    Get certificate operation

    • Status: completed, failed with error information, or canceled
    • Because of the delay to create, a cancel operation can be initiated. The cancel may or may not be effective.

Import a certificate

Alternatively, a certificate can be imported into Key Vault as PFX or PEM.

Import certificate - requires a PEM or PFX to be on disk and to have a private key.

  • You must specify: vault name and certificate name (policy is optional)

  • PEM / PFX files contain attributes that KV can parse and use to populate the certificate policy. If a certificate policy is already specified, KV will try to match data from the PFX / PEM file.

  • Once the import is final, subsequent operations will use the new policy (new versions).

  • If there are no further operations, the first thing Key Vault does is send an expiration notice.

  • Also, the user can edit the policy, which is functional at the time of import but contains defaults where no information was specified at import. Example: no issuer info.

Formats of Import we support

Azure Key Vault supports .pem and .pfx certificate files for importing certificates into Key Vault. For the PEM file format, we support the following type of import: a single PEM-encoded certificate along with a PKCS#8-encoded, unencrypted key, which has the following layout:

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----

When you are importing the certificate, you need to ensure that the key is included in the file itself. If you have the private key separately in a different format, you need to combine the key with the certificate. Some certificate authorities provide certificates in different formats, therefore before importing the certificate, make sure that it is in either .pem or .pfx format.

Formats of Merge CSR we support

AKV supports 2 PEM-based formats. You can merge either a single PKCS#8-encoded certificate or a base64-encoded P7B (chain of certificates signed by the CA):

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

We currently don't support EC keys in PEM format.
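A pre-upload check for the PEM import rules above (one certificate plus an unencrypted PKCS#8 key in the same file; no EC keys in PEM), together with a helper that combines a separately delivered key with its certificate. This is an added example, not code from the Azure documentation; the PEM bodies in it are constructed placeholders.

```python
# Added example (not Azure's own code): checks a PEM file against the import rules
# stated above (one certificate plus an unencrypted PKCS#8 key in the same file, no
# EC keys) before you upload it, and builds that combined file when the key arrives
# separately. The sample PEM bodies below are constructed dummies, not real key material.
import re

# One PEM block: BEGIN/END labels must match; the body is whatever base64 sits between.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

# Key labels Key Vault will not accept for PEM import, with the reason.
BAD_KEY_LABELS = {
    "ENCRYPTED PRIVATE KEY": "key is encrypted PKCS#8; Key Vault needs an unencrypted key",
    "RSA PRIVATE KEY": "key is PKCS#1 (RSA PRIVATE KEY), not PKCS#8; re-encode it as PKCS#8",
    "EC PRIVATE KEY": "EC keys are not supported in PEM format",
}

def pem_labels(pem_text: str) -> list:
    """Return the label of every PEM block in order, e.g. ['CERTIFICATE', 'PRIVATE KEY']."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]

def import_problems(pem_text: str) -> list:
    """List everything that would make Key Vault reject pem_text as a PEM import ([] = OK)."""
    labels = pem_labels(pem_text)
    key_labels = [lbl for lbl in labels if lbl.endswith("PRIVATE KEY")]
    problems = []
    if labels.count("CERTIFICATE") != 1:
        problems.append("expected exactly one CERTIFICATE block, found %d" % labels.count("CERTIFICATE"))
    if not key_labels:
        problems.append("no private key block; the key must be in the same file as the certificate")
    elif len(key_labels) > 1:
        problems.append("more than one private key block")
    problems += [BAD_KEY_LABELS[lbl] for lbl in key_labels if lbl in BAD_KEY_LABELS]
    return problems

def combine_pem(cert_pem: str, key_pem: str) -> str:
    """Build the single file Key Vault expects: the certificate block, then the key block."""
    return cert_pem.strip() + "\n" + key_pem.strip() + "\n"

# Constructed samples: the base64 bodies are placeholders, not parseable certificates or keys.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMIIBszCCAVkCAQ==\n-----END CERTIFICATE-----"
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBg==\n-----END PRIVATE KEY-----"
SAMPLE_ENC_KEY = "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFHDBOBgkq\n-----END ENCRYPTED PRIVATE KEY-----"

if __name__ == "__main__":
    print(import_problems(combine_pem(SAMPLE_CERT, SAMPLE_KEY)))      # []
    print(import_problems(SAMPLE_CERT))                                # key missing
    print(import_problems(combine_pem(SAMPLE_CERT, SAMPLE_ENC_KEY)))   # encrypted key
```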

Creating a certificate with a CA not partnered with Key Vault

This method allows working with CAs other than Key Vault's partnered providers, meaning your organization can work with a CA of its choice.

(Figure: Creating a certificate with your own certificate authority)

The following step descriptions correspond to the green lettered steps in the preceding diagram.

(1) - In the diagram above, your application is creating a certificate, which internally begins by creating a key in your key vault.

(2) - Key Vault returns a Certificate Signing Request (CSR) to your application.

(3) - Your application passes the CSR to your chosen CA.

(4) - Your chosen CA responds with an X509 Certificate.

(5) - Your application completes the new certificate creation with a merger of the X509 Certificate from your CA.
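The two creation flows on this page (a partnered CA with polling, and your own CA via CSR and merge) as one added Python example using the azure-keyvault-certificates SDK; it is not code from the Azure documentation. The vault URL, certificate name, issuer name and the sign_csr() callable standing in for your CA are placeholders, and the SDK plus azure-identity are assumed to be installed.

```python
# Added example (not Azure's own code). Drives both flows on this page with the
# azure-keyvault-certificates SDK: a partnered issuer (e.g. an issuer resource named
# MyDigiCertIssuer) is polled to completion; the issuer "Unknown" yields a CSR that
# sign_csr() hands to your own CA, and the signed certificate is merged back.
# Assumes azure-keyvault-certificates and azure-identity are installed; vault URL,
# names and sign_csr are placeholders.
import base64
import textwrap

def csr_der_to_pem(csr_der: bytes) -> str:
    """Wrap the DER CSR from the pending operation (step 2) as PEM for the CA (step 3)."""
    body = "\n".join(textwrap.wrap(base64.b64encode(csr_der).decode("ascii"), 64))
    return f"-----BEGIN CERTIFICATE REQUEST-----\n{body}\n-----END CERTIFICATE REQUEST-----\n"

def pem_to_der(pem: str) -> bytes:
    """Strip PEM armor from the CA's X509 answer (step 4); merge_certificate takes DER bytes."""
    body = [ln.strip() for ln in pem.splitlines() if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(body))

def create_certificate(vault_url, cert_name, subject, issuer_name, sign_csr=None):
    # SDK imports live here so the PEM helpers above stay usable offline.
    from azure.identity import DefaultAzureCredential
    from azure.keyvault.certificates import (CertificateClient, CertificatePolicy,
                                             CertificatePolicyAction, LifetimeAction,
                                             WellKnownIssuerNames)
    client = CertificateClient(vault_url=vault_url, credential=DefaultAzureCredential())
    external_ca = issuer_name == WellKnownIssuerNames.unknown
    # Policy constraints from the page: X509 subject, key properties, provider reference,
    # renewal info. Auto-renew needs a partnered CA; with "Unknown" Key Vault can only notify.
    renew = LifetimeAction(
        action=CertificatePolicyAction.email_contacts if external_ca else CertificatePolicyAction.auto_renew,
        days_before_expiry=90)
    policy = CertificatePolicy(issuer_name=issuer_name, subject=subject, key_type="RSA",
                               key_size=2048, exportable=True, validity_in_months=12,
                               lifetime_actions=[renew])
    # Step 1: key and CSR are generated inside the vault; the private key never leaves it.
    poller = client.begin_create_certificate(certificate_name=cert_name, policy=policy)
    if not external_ca:
        # Partnered CA: Key Vault sends the request itself. result() polls until the status
        # leaves "inProgress": a KeyVaultCertificate on success, otherwise the CertificateOperation
        # (failed with error info, or cancelled via client.cancel_certificate_operation).
        return poller.result()
    # Non-partnered CA: take the pending operation's CSR to our CA, then merge the answer.
    op = client.get_certificate_operation(cert_name)       # step 2: op.csr holds the DER CSR
    signed_pem = sign_csr(csr_der_to_pem(op.csr))          # steps 3-4: your CA signs it
    return client.merge_certificate(cert_name, x509_certificates=[pem_to_der(signed_pem)])  # step 5
```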