Renew your Azure Key Vault certificates

With Azure Key Vault, you can easily provision, manage, and deploy digital certificates for your network and enable secure communications for your applications. For more information about certificates, see About Azure Key Vault certificates.

By using short-lived certificates or by increasing the frequency of certificate rotation, you can help prevent access to your applications by unauthorized users.

This article discusses how to renew your Azure Key Vault certificates.

Get notified about certificate expiration

To get notified about certificate lifetime events, you need to add a certificate contact. Certificate contacts hold the contact information used to send notifications triggered by certificate lifetime events. The contact information is shared by all the certificates in the key vault: a notification is sent to every specified contact for an event on any certificate in the key vault.

Steps to set certificate notifications:

First, add a certificate contact to your key vault. You can add one by using the Azure portal or the PowerShell cmdlet Add-AzureKeyVaultCertificateContact.

Second, configure when you want to be notified about the certificate expiration. To configure the lifecycle attributes of the certificate, see Configure certificate autorotation in Key Vault.

If a certificate's policy is set to autorenewal, a notification is sent on the following events.

  • Before certificate renewal

  • After certificate renewal, stating whether the certificate was successfully renewed or whether there was an error that requires manual renewal of the certificate.

When a certificate's policy is set to manual renewal (email only), a notification is sent when it's time to renew the certificate.
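The two steps above, as an added PowerShell example that is not part of the original article: it registers vault-wide contacts with the Az.KeyVault module and then switches an existing certificate's lifetime action to an expiry e-mail. It assumes the Az.KeyVault module is installed and `Connect-AzAccount` has already been run; the vault name, certificate name and e-mail addresses are placeholders.

```powershell
# Added example (not from the original article): register certificate contacts for a
# vault and set an existing certificate's lifetime action to an expiry e-mail.
# Assumes Az.KeyVault is installed and Connect-AzAccount has run. Names are placeholders.
$vaultName = 'contoso-kv'          # placeholder
$certName  = 'www-contoso-com'     # placeholder

# 1. Contacts are vault-wide: every address listed here is notified for every
#    certificate in the vault, so keep the list to the people who own renewals.
Add-AzKeyVaultCertificateContact -VaultName $vaultName -EmailAddress 'pki-team@contoso.example', 'oncall@contoso.example'
Get-AzKeyVaultCertificateContact -VaultName $vaultName | Format-Table Email

# 2. Configure when the notification fires. A certificate policy carries one lifetime
#    action, either AutoRenew or EmailContacts. A certificate from a nonintegrated CA
#    can only use EmailContacts, so the renew triggers are cleared before the email
#    trigger is set; otherwise the policy update is rejected.
$policy = Get-AzKeyVaultCertificatePolicy -VaultName $vaultName -Name $certName
$policy.RenewAtNumberOfDaysBeforeExpiry = $null
$policy.RenewAtPercentageLifetime       = $null
$policy.EmailAtNumberOfDaysBeforeExpiry = 30     # mail the contacts 30 days before expiry
Set-AzKeyVaultCertificatePolicy -VaultName $vaultName -Name $certName -InputObject $policy

# 3. Read back what was stored next to the current version's expiry, so the trigger
#    date can be sanity-checked against the renewal lead time the CA needs.
$cert   = Get-AzKeyVaultCertificate -VaultName $vaultName -Name $certName
$stored = Get-AzKeyVaultCertificatePolicy -VaultName $vaultName -Name $certName
[pscustomobject]@{
    Certificate     = $cert.Name
    Expires         = $cert.Expires
    EmailDaysBefore = $stored.EmailAtNumberOfDaysBeforeExpiry
    NotifyOn        = $cert.Expires.AddDays(-$stored.EmailAtNumberOfDaysBeforeExpiry)
}
```

Because contacts apply to the whole vault, a vault that mixes certificates owned by different teams will fan notifications out to all of them; splitting vaults by owner keeps the notification list meaningful.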

In Key Vault, there are three categories of certificates:

  • Certificates that are created with an integrated certificate authority (CA), such as DigiCert or GlobalSign
  • Certificates that are created with a nonintegrated CA
  • Self-signed certificates

Renew an integrated CA certificate

Azure Key Vault handles the end-to-end maintenance of certificates that are issued by the CAs integrated with Key Vault and trusted by Microsoft, DigiCert and GlobalSign. Learn how to integrate a trusted CA with Key Vault.

Renew a nonintegrated CA certificate

By using Azure Key Vault, you can import certificates from any CA, a benefit that lets you integrate with several Azure resources and makes deployment easy. If you're worried about losing track of your certificate expiration dates or, worse, you've discovered that a certificate has already expired, your key vault can help keep you up to date. For nonintegrated CA certificates, the key vault lets you set up near-expiration email notifications. Such notifications can be set for multiple users as well.

Important

A certificate is a versioned object. If the current version is expiring, you need to create a new version. Conceptually, each new version is a new certificate that's composed of a key and a blob that ties that key to an identity. When you use a nonpartnered CA, the key vault generates a key pair and returns a certificate signing request (CSR).

To renew a nonintegrated CA certificate, do the following:

  1. Sign in to the Azure portal, and then open the certificate you want to renew.
  2. On the certificate pane, select New Version.
  3. Select Certificate Operation.
  4. Select Download CSR to download a CSR file to your local drive.
  5. Send the CSR to your choice of CA to sign the request.
  6. Bring back the signed request, and select Merge CSR on the same certificate operation pane.

Note

It's important to merge the signed CSR with the same CSR request that you created. Otherwise, the key won't match.

For more information about creating a new CSR, see Create and merge a CSR in Key Vault.
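The same renewal procedure driven from PowerShell rather than the portal, as an added example that is not part of the original article: it creates the new version, exports the pending CSR as PEM, and after the CA has signed it merges the result back, checking that the pending operation is still the one the CSR came from so the key-mismatch case from the note above is caught before the merge. It assumes Az.KeyVault and an authenticated session, that the merge step is `Import-AzKeyVaultCertificate` against the pending operation (the Az module's equivalent of the portal's Merge CSR), and that `signed.cer` is what the CA returned for this exact CSR; vault, certificate and file names are placeholders.

```powershell
# Added example (not from the original article): renew a nonintegrated-CA certificate by
# creating a new version, exporting its CSR, and merging the CA-signed certificate back.
# Assumes Az.KeyVault, an authenticated session, and that $signed was issued by the CA for
# this exact CSR. Names and paths are placeholders.
$vaultName = 'contoso-kv'            # placeholder
$certName  = 'www-contoso-com'       # placeholder
$csrPath   = Join-Path $PWD "$certName.csr"
$signed    = Join-Path $PWD 'signed.cer'   # placeholder: obtained from the CA out of band

# 1. Reuse the existing policy (issuer 'Unknown' marks a nonintegrated CA) and start a new
#    version. Key Vault generates a fresh key pair and keeps the private key; only the CSR leaves.
$policy = Get-AzKeyVaultCertificatePolicy -VaultName $vaultName -Name $certName
Add-AzKeyVaultCertificate -VaultName $vaultName -Name $certName -CertificatePolicy $policy | Out-Null

# 2. Download the CSR from the pending operation and write it as PEM for the CA.
$op = Get-AzKeyVaultCertificateOperation -VaultName $vaultName -Name $certName
if ($op.Status -ne 'inProgress') {
    throw "Unexpected operation status '$($op.Status)': $($op.ErrorMessage)"
}
$csrRequestId = $op.RequestId
@(
    '-----BEGIN CERTIFICATE REQUEST-----'
    ($op.CertificateSigningRequest -replace '(.{64})', "`$1`n").TrimEnd()
    '-----END CERTIFICATE REQUEST-----'
) -join "`n" | Set-Content -Path $csrPath -Encoding ascii
Write-Host "CSR written to $csrPath; submit it to the CA and save the reply as $signed"

# 3. (Out of band) have the CA sign $csrPath and save the issued certificate as $signed.

# 4. Merge only into the operation that produced the CSR. If that pending version was
#    cancelled or superseded, the private key in the vault no longer matches the signed
#    certificate and the merge must not be attempted; re-issue the CSR instead.
$op = Get-AzKeyVaultCertificateOperation -VaultName $vaultName -Name $certName
if ($op.Status -ne 'inProgress' -or $op.RequestId -ne $csrRequestId) {
    throw "Pending operation changed since the CSR was exported; re-issue the CSR."
}
if (-not (Test-Path $signed)) { throw "Signed certificate not found at $signed" }
Import-AzKeyVaultCertificate -VaultName $vaultName -Name $certName -FilePath $signed | Out-Null

# 5. Confirm the new version is current and enabled.
$cert = Get-AzKeyVaultCertificate -VaultName $vaultName -Name $certName
[pscustomobject]@{
    Version   = $cert.Version
    Enabled   = $cert.Enabled
    NotBefore = $cert.NotBefore
    Expires   = $cert.Expires
}
```

Steps 2 and 4 of the script are typically run in separate sessions, so in practice `$csrRequestId` is saved alongside the CSR file; if the merge fails with a key mismatch, the cause is almost always a second New Version created in between, and the fix is to cancel it and export a fresh CSR rather than to retry the merge.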

Renew a self-signed certificate

Azure Key Vault also handles autorenewal of self-signed certificates. To learn more about changing the issuance policy and updating a certificate's lifecycle attributes, see Configure certificate autorotation in Key Vault.

Troubleshoot

If the issued certificate is in the Disabled status in the Azure portal, go to Certificate Operation to view the certificate's error message.

Frequently asked questions

How can I test the autorotation feature of the certificate?

Create a certificate with a validity of 1 month, and then set the lifetime action for rotation at 1%. This setting rotates the certificate every 7.2 hours.

Will the tags be replicated after autorenewal of the certificate?

Yes, the tags are replicated after autorenewal.
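The autorotation test from the FAQ above as an added PowerShell example, not part of the original article: it creates a self-signed certificate with a 1-month validity and a renew trigger at 1% of lifetime, then lists the versions so the rotation interval and the tag replication can both be observed. It assumes Az.KeyVault and an authenticated session; the vault, certificate, subject and tag values are placeholders.

```powershell
# Added example (not from the original article): create a short-lived self-signed certificate
# whose policy rotates it at 1% of its lifetime, then inspect the versions it accumulates.
# Assumes Az.KeyVault and an authenticated session; names and tag values are placeholders.
$vaultName = 'contoso-kv'        # placeholder
$certName  = 'rotation-test'     # placeholder

# 1 month of validity with the renew trigger at 1% of lifetime: roughly 30 days * 24 h * 0.01,
# i.e. a new version about every 7.2 hours, which is short enough to observe in a day.
$policy = New-AzKeyVaultCertificatePolicy -SubjectName 'CN=rotation-test.contoso.example' `
    -IssuerName Self -ValidityInMonths 1 -RenewAtPercentageLifetime 1

# Tags set on the certificate are expected to carry over to every autorotated version.
Add-AzKeyVaultCertificate -VaultName $vaultName -Name $certName -CertificatePolicy $policy `
    -Tag @{ owner = 'pki-team'; purpose = 'autorotation-test' } | Out-Null   # placeholder tags

# Each autorotation produces a new version. Run this again after several hours and expect
# one new version roughly every 7.2 hours, each carrying the same tags as the first.
Get-AzKeyVaultCertificate -VaultName $vaultName -Name $certName -IncludeVersions |
    Sort-Object Created |
    Select-Object Version, Created, Expires, Enabled,
        @{ Name = 'Tags'; Expression = { ($_.Tags.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ';' } } |
    Format-Table -AutoSize

# Clean up when done. Soft-delete keeps the certificate recoverable until it is purged.
# Remove-AzKeyVaultCertificate -VaultName $vaultName -Name $certName -Force
```

A 1% trigger is only for exercising the feature: in production, the renew trigger is set far enough before expiry for the dependent services to pick up the new version, and a test certificate like this one is removed afterwards so it does not keep generating versions and notifications.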

Next steps