Certificate creation methods

A Key Vault (KV) certificate can be either created in, or imported into, a key vault. When a KV certificate is created, the private key is generated inside the key vault and is never exposed to the certificate owner. The following are the ways to create a certificate in Key Vault:

  • Create a self-signed certificate: this creates a public-private key pair and associates it with a certificate. The certificate is signed by its own key.

  • Create a new certificate manually: this creates a public-private key pair and generates an X.509 certificate signing request (CSR). The CSR can be signed by your registration authority or certification authority. The signed X.509 certificate is then merged with the pending key pair to complete the KV certificate in Key Vault. Although this method requires more steps, it provides greater security because the private key is created in, and restricted to, Key Vault. The diagram below illustrates this.

Create a certificate with your own certificate authority

The following descriptions correspond to the green lettered steps in the preceding diagram.

  1. In the diagram above, your application requests a certificate; internally, Key Vault begins by creating a key in your key vault.
  2. Key Vault returns a Certificate Signing Request (CSR) to your application.
  3. Your application passes the CSR to your chosen CA.
  4. Your chosen CA responds with an X.509 certificate.
  5. Your application completes creation of the new certificate by merging the X.509 certificate from your CA.
  • Create a certificate with a known issuer provider: this method requires a one-time task of creating an issuer object. Once an issuer object exists in your key vault, its name can be referenced in the policy of the KV certificate. A request to create such a KV certificate creates a key pair in the vault and communicates with the issuer provider service, using the information in the referenced issuer object, to obtain an X.509 certificate. The X.509 certificate is retrieved from the issuer service and merged with the key pair to complete the KV certificate.

Create a certificate with a certificate authority partnered with Key Vault

The following descriptions correspond to the green lettered steps in the preceding diagram.

  1. In the diagram above, your application requests a certificate; internally, Key Vault begins by creating a key in your key vault.
  2. Key Vault sends a TLS/SSL certificate request to the CA.
  3. Your application polls Key Vault, in a loop-and-wait process, for certificate completion. Creation is complete when Key Vault receives the CA's response containing the X.509 certificate.
  4. The CA responds to Key Vault's TLS/SSL certificate request with a TLS/SSL X.509 certificate.
  5. Creation of your new certificate completes when Key Vault merges the TLS/SSL X.509 certificate from the CA.

Asynchronous process

KV certificate creation is an asynchronous process. The create operation records a KV certificate request and returns HTTP status code 202 (Accepted). The status of the request can be tracked by polling the pending object created by this operation; the full URI of the pending object is returned in the Location header.

When a request to create a KV certificate completes, the status of the pending object changes from "inprogress" to "completed", and a new version of the KV certificate is created. That version becomes the current version.

First creation

When a KV certificate is created for the first time, an addressable key and an addressable secret are also created with the same name as the certificate. If that name is already in use, the operation fails with HTTP status code 409 (Conflict). The addressable key and secret take their attributes from the KV certificate's attributes. A key and secret created this way are marked as managed, meaning their lifetime is controlled by Key Vault; managed keys and secrets are read-only. Note: if a KV certificate expires or is disabled, the corresponding key and secret become inoperable.

If this is the first operation to create a KV certificate, a policy is required. A policy can also be supplied with later create operations to replace the policy resource. If no policy is supplied, the policy resource already on the service is used to create the next version of the KV certificate. Note that while a request to create the next version is in progress, the current KV certificate, and its corresponding addressable key and secret, remain unchanged.

Self-issued certificate

To create a self-issued certificate, set the issuer name to "Self" in the certificate policy, as shown in the following snippet from a certificate policy.

"issuer": {
    "name": "Self"
}

If the issuer name is not specified, it is set to "Unknown". When the issuer is "Unknown", the certificate owner must obtain an X.509 certificate from the issuer of their choice and then merge the public X.509 certificate with the key vault certificate's pending object to complete certificate creation.

"issuer": {
    "name": "Unknown"
}
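The exchanges described above, as one added, runnable example that is not code from the Azure documentation or the Key Vault SDK: the manual-CA flow (issuer "Unknown", CSR signed outside the vault, then merged), the partnered-CA flow (the policy names an issuer object and the application only polls), the 202/Location/pending polling of the asynchronous process, the 409 on first creation when the name is already held by a key or secret, and the "Self" policy. The URL paths, api-version, request bodies and status codes follow the Key Vault REST API as far as I know it (POST .../certificates/{name}/create, GET .../certificates/{name}/pending, POST .../certificates/{name}/pending/merge with an x5c array), but everything else is assumed: `http(method, url, body)` is a caller-supplied adapter that a real deployment would back with an HTTPS client and a bearer token, FakeVault is a constructed in-memory stand-in whose timing (Self completes at create time, an issuer object on the first poll) is a simplification, and the vault URL, certificate names, the issuer-object name MyDigiCert and SAMPLE_CHAIN are made-up values; the chain is not a real certificate.

```python
# Added example (not Azure docs or Key Vault SDK code): the certificate-creation
# exchange modelled end to end.  URLs and bodies follow the Key Vault REST API
# (create, pending, pending/merge); FakeVault is a constructed offline stand-in.
import json
import time

def build_policy(issuer_name, subject="CN=example.test"):
    # "Self" = self-signed; "Unknown" = sign the CSR yourself, then merge;
    # any other value = the name of an issuer object already in the vault.
    return {"issuer": {"name": issuer_name}, "x509_props": {"subject": subject},
            "key_props": {"exportable": False, "kty": "RSA", "key_size": 2048}}

def create_certificate(http, vault, name, policy):
    """POST .../create: 202 means accepted; Location names the pending object."""
    url = f"{vault}/certificates/{name}/create?api-version=7.4"
    status, headers, body = http("POST", url, json.dumps({"policy": policy}))
    if status != 202:   # 409 here means the name is already held by a key or secret
        raise RuntimeError(f"create failed: {status} {body}")
    return headers["Location"], json.loads(body)

def wait_for_completion(http, pending_uri, timeout_s=30, interval_s=0.01):
    """Poll the pending object; compare status case-insensitively ('inProgress')."""
    deadline = time.monotonic() + timeout_s
    while True:
        status, _, body = http("GET", pending_uri, None)
        op = json.loads(body)
        if status != 200 or op["status"].lower() not in ("inprogress", "completed"):
            raise RuntimeError(f"operation failed: {status} {body}")
        if op["status"].lower() == "completed":
            return op
        if time.monotonic() > deadline:
            raise TimeoutError("certificate operation still in progress")
        time.sleep(interval_s)

def merge_certificate(http, vault, name, pem_chain):
    """POST the CA-signed chain, leaf first, to .../pending/merge as x5c entries."""
    x5c = ["".join(blk.split("-----BEGIN CERTIFICATE-----", 1)[1].split())  # base64 DER
           for blk in pem_chain.split("-----END CERTIFICATE-----")
           if "-----BEGIN CERTIFICATE-----" in blk]
    url = f"{vault}/certificates/{name}/pending/merge?api-version=7.4"
    status, _, body = http("POST", url, json.dumps({"x5c": x5c}))
    if status != 201:
        raise RuntimeError(f"merge failed: {status} {body}")
    return json.loads(body)

# Constructed placeholder chain (leaf, then issuing CA); not real certificates.
SAMPLE_CHAIN = ("-----BEGIN CERTIFICATE-----\nTEVBRg==\n-----END CERTIFICATE-----\n"
                "-----BEGIN CERTIFICATE-----\nQ0E=\n-----END CERTIFICATE-----\n")

class FakeVault:
    """Constructed service: Self completes at create time, an issuer object once the
    simulated CA answers Key Vault, Unknown only after a merge; taken names are 409."""
    def __init__(self, base, taken_names=()):   # taken_names: existing keys/secrets
        self.base, self.taken, self.ops = base, set(taken_names), {}

    def _complete(self, name, x5c):            # the new version becomes current
        self.ops[name]["status"] = "completed"
        return {"id": f"{self.base}/certificates/{name}/v{len(self.ops)}", "x5c": x5c}

    def __call__(self, method, url, body):
        parts = url[len(self.base):].split("?")[0].strip("/").split("/")
        name, leaf = parts[1], parts[-1]
        if method == "POST" and leaf == "create":
            if name in self.taken:
                return 409, {}, json.dumps({"error": {"code": "Conflict"}})
            issuer = json.loads(body)["policy"]["issuer"]["name"]
            op = {"id": f"{self.base}/certificates/{name}/pending", "csr": "Q1NS",
                  "status": "inProgress", "issuer": {"name": issuer}}  # csr: placeholder
            self.ops[name] = op
            if issuer == "Self":
                self._complete(name, [])
            return 202, {"Location": op["id"]}, json.dumps(op)
        op = self.ops[name]
        if method == "GET" and leaf == "pending":
            if op["issuer"]["name"] != "Unknown":   # CA replied to Key Vault directly
                self._complete(name, [])
            return 200, {}, json.dumps(op)
        if method == "POST" and leaf == "merge" and op["issuer"]["name"] == "Unknown":
            return 201, {}, json.dumps(self._complete(name, json.loads(body)["x5c"]))
        return 400, {}, json.dumps({"error": {"code": "BadRequest"}})

def demo():
    v = FakeVault("https://myvault.vault.azure.net", taken_names=["db-password"])
    out = {}
    for name, issuer in (("self-cert", "Self"), ("ov-cert", "MyDigiCert")):
        uri, op = create_certificate(v, v.base, name, build_policy(issuer))
        out[issuer] = (op["status"], wait_for_completion(v, uri)["status"])
    uri, _ = create_certificate(v, v.base, "manual-cert", build_policy("Unknown"))
    try:
        wait_for_completion(v, uri, timeout_s=0.05)  # never completes on its own
    except TimeoutError:
        out["merged_x5c"] = merge_certificate(v, v.base, "manual-cert", SAMPLE_CHAIN)["x5c"]
    out["Unknown"] = wait_for_completion(v, uri)["status"]
    try:
        create_certificate(v, v.base, "db-password", build_policy("Self"))
    except RuntimeError as err:
        out["conflict"] = "409" in str(err)
    return out
```

Call demo() to exercise all three issuer kinds against the fake. Two details carry over to a real vault: polling an "Unknown" certificate never completes it, only a merge does, so a poll loop needs a deadline rather than a plain `while True`; and the status string is compared case-insensitively because the page writes it as "inprogress" while responses may camel-case it.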

Partnered CA providers

Certificate creation can be completed manually or by using the "Self" issuer. Key Vault also partners with certain issuer providers to simplify certificate creation. The following types of certificates can be ordered for a key vault from these partner issuer providers.

Provider     Certificate type                                              Configuration setup
DigiCert     Key Vault offers OV or EV SSL certificates with DigiCert      Integration Guide
GlobalSign   Key Vault offers OV or EV SSL certificates with GlobalSign    Integration Guide

A certificate issuer is an entity represented in Azure Key Vault (KV) as a CertificateIssuer resource. It provides information about the source of a KV certificate: issuer name, provider, credentials, and other administrative details.

Note that when an order is placed with the issuer provider, the provider may honor or override the X.509 certificate extensions and the certificate validity period, depending on the type of certificate ordered. Check the issued certificate rather than assuming the requested policy was applied verbatim.

Authorization: requires the certificates/create permission.

See also