使用Azure KV的中级CA? [英] Intermediate CA using Azure KV?
问题描述
所以Azure KV非常适合密钥/证书/机密,但我需要它像CA(证书颁发机构)一样。我正在寻找的控制流程是:
So Azure KV is great for keys/certs/secrets, but I need it to behave like a CA (certificate authority). The control flow I am looking is:
a。在KV内部使用Gen priv密钥,获取CSR,从外部通过Root公共CA签署CSR,以便它可以作为中间CA。
a. Gen priv key inside KV, get CSR, get CSR signed by Root public CA externally so it can behave as Intermediate CA.
b。使用私钥将中间CA链合并到KV中。现在KV既有密钥又有证书,可以作为中间CA,可以签署服务器证书。
b. Merge Intermediate CA chain into KV with its private key. Now KV has both key and cert which can act as Intermediate CA and can sign server certs.
c。获取存储在KV中的中间CA签署的服务器证书。
c. Get server certs signed by Intermediate CA stored in KV.
如果我可以在Azure HSM中存储私钥,那就更好但不是必需的。
If I can store private key inside Azure HSM, that is better but not a requirement.
我似乎无法证实KV可以充当CA或中级CA.如果目前不支持,我有哪些选择?我需要ICA在Azure云中并使用它来签署我的服务器证书。
I cannot seem to confirm that KV can act as a CA or Intermediate CA. If this is not supported currently, what are my options? I need ICA to be in the Azure cloud and use that to sign my server certs.
思考?
问候。
推荐答案
来自公共CA的Azure Key Vault支持证书注册,如DigiCert和GlobalSign,这些公共CA充当发行人提供商以简化证书创建。 Azure Key Vault代表用户从其中一个发卡机构注册证书
,在此过程中,发卡行需要对请求证书的实体进行身份验证并授权接收所请求的证书,您需要通过一次性设置过程,将其中任何一个配置为密钥保管库中的问题
提供程序。
Azure Key Vault为这两个公共CA提供OV或EV SSL证书。此外,当它接近证书到期时间时,Azure Key Vault会尝试从公共CA续订证书,并在证书续订之前和之后向证书
对象中列出的联系人发送电子邮件。此外,Azure Key Vault SDK还提供用于创建新证书的API和命令。此外,在生成CSR时,您可以选择指定密钥对生成为不可导出并在HSM中生成
。 请参阅证书创建方法, ; 监控
并管理证书创建 和 开始使用Azure Key Vault证书,了解详细信息。
Azure Key Vault support certificate enrollments from public CA's like DigiCert and GlobalSign where these public CA's acts as an issuer providers to simplify certificate creations. Azure Key Vault goes on behalf of the user to enroll for certificates from one of these issuers and in this process Issuer needs to authenticate the entity requesting the certificate and authorize to receive the requested certificates and you need to go through one time setup process to configure either of these as an issue provider in your Key Vault.
Azure Key Vault offers OV or EV SSL certificates with these two public CA's. Also, when it is close to the certificate expiry time the Azure Key Vault attempts to renew the certificate from the public CA and sends emails to the contacts listed in the certificate object before and after the certificate renewal. Also, Azure Key Vault SDK's provide API's and commands for creating new certificates. Also, while generating your CSR, you have the option to specify that the key pair be generated as non-exportable and generated inside an HSM. Please refer to Certificate Creation methods, Monitor and manage certificate creation and Get started with Azure Key Vault certificates for details.
这篇关于使用Azure KV的中级CA?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
