Scenario:
Digital certificates signed by an internal or an external Certification Authority (CA) are managed by different teams in an
organisation. It is the responsibility of the Certificate Issuing team to ensure that the Application teams using a certificate are made aware of
an upcoming expiry. In practice, however, expiring certificates are rarely caught in time, which leads to unexpected downtime and outages,
OR all teams end up in a manic rush to renew the certificate and apply/test the new one with just days to spare before the expiry.
Solution:
Rather than being reactive, one can be proactive about this task by using Azure Key Vault. No matter which team issues the certificates,
the central IT Platforms team can upload all digital certificates issued by either the internal CA or an external CA into Key Vault, along with
tags that identify which team issued the certificate, which teams are using it, and so on. They can then run a single PowerShell command
to get the list of certificates that are about to expire and initiate the renewal process, to be actioned by the relevant teams.
The commands below show how to import any certificate into an Azure Key Vault. Then you can easily find the list of certificates that are due to expire before a pre-set date, inform the users that the certificate will be renewed and that they will need to make changes to use the new certificate, and schedule in some smoke tests post certificate renewal.
Import an Existing Digital Certificate to Azure Key Vault
For a certificate import operation, Azure Key Vault accepts two certificate file formats: PEM and PFX. Although PEM files that contain only the public portion exist, Key Vault requires and accepts only a PEM or PFX file that includes the private key.
I have assumed that you have already created an Azure Key Vault called "kvMyCertificateStore" in your subscription, that you have logged into PowerShell,
and that you are able to view resources in your subscription. See the Notes below for links to the PowerShell version I am using and to the Azure cmdlets documentation.
All set, let's get going.
The code snippet below shows you how to import one PFX file called myCertificate.pfx from your local machine into the vault.
I have set a name for this certificate so that it is easy to recognise in the Azure Portal or when accessed later. This is the certificate object's name inside Key Vault (letters, digits and hyphens only), which is separate from any friendly name embedded in the PFX itself.
I have also set some tags so that I know who to reach out to later when the certificate is due for renewal - this is an optional property.
The PFX password below is a placeholder; do not leave a real password in a script or in your command history. Prompt for it (Read-Host -AsSecureString) or read it from a secret store at run time.
# Path to the PFX on the machine running the import (must contain the private key)
$certificateFilePath = "D:\myCertificate.pfx"
# Placeholder only - in real use, prompt for the password instead of hard-coding it
$certificatePassword = ConvertTo-SecureString -String "YourCertificateP@ssw0rdGoesHere" -AsPlainText -Force
# Name of the certificate object inside Key Vault (alphanumeric and hyphens)
$certificateFriendlyName = "mySelfSignedCertificateDecember2020"
# Tags used later to work out who to notify when the certificate is due for renewal
$certificateTag = @{Application_Owner_EmailAddress = "blah@blah.com"; Application_Name = "myApplicationBlah"; Business_Unit = "Department 1"}
$certificateKeyVault = "kvMyCertificateStore"
Import-AzKeyVaultCertificate -VaultName $certificateKeyVault -Name $certificateFriendlyName -FilePath $certificateFilePath -Password $certificatePassword -Tag $certificateTag
Retrieve list of ALL Digital Certificates in the Key Vault
The command below gets you the list of all certificates in a specific key vault. Each item carries the Name, Expires, Enabled and Tags properties used in the next step (you need the Key Vault "list" permission on certificates for this to succeed).
$myCertificates = Get-AzKeyVaultCertificate -VaultName $certificateKeyVault
Retrieve list of Digital Certificates from the Key Vault that are due to expire in pre-set number of days
The commands below retrieve the list of enabled certificates in the Azure Key Vault that expire within 90 days. Certificates that have already expired have a negative number of days remaining and therefore also appear in the list, which is what you want.
I have formatted the output as a table and made use of the tags we added when we imported the certificate into the vault.
$certificateExpirationDaysReminder = 90
# Filter on the Enabled flag (a boolean, so no string comparison needed) and on the
# number of days between now and the certificate's expiry; note the use of parentheses,
# not braces, so that New-TimeSpan and Get-Date are actually executed rather than
# wrapped in script blocks.
@($myCertificates).Where({ $_.Enabled -and ((New-TimeSpan -Start (Get-Date) -End $_.Expires).Days -le $certificateExpirationDaysReminder) }) | Format-Table -Property Name, Expires, VaultName, Tags
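The one-liner above does the job for a single vault, but in practice you want to scan several vaults, tell already-expired certificates apart from ones that are merely close to expiry, and turn the tags into columns you can group on when sending renewal notices. The function below is an added example, not code from the original post. It assumes the Az.KeyVault module is installed, that you are logged in (Connect-AzAccount) with the certificate "list" permission on each vault, and that certificates were tagged with the same tag names used in the import step (Application_Owner_EmailAddress, Application_Name, Business_Unit); the function and parameter names are my own.

```powershell
# Added example (not from the original post). Assumes Az.KeyVault is installed, the
# session is logged in, and certificates carry the tags used in the import step above.
function Get-ExpiringKeyVaultCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]] $VaultName,          # one or more vaults to scan

        [int] $DaysBeforeExpiry = 90,   # report when this many days (or fewer) remain

        [switch] $IncludeDisabled       # disabled certificates are skipped unless requested
    )

    $now = Get-Date

    # Reads a tag value safely: Tags can be absent, and a missing key should not throw.
    $tagValue = {
        param($tags, $key)
        if ($tags -and $tags.ContainsKey($key)) { $tags[$key] } else { $null }
    }

    foreach ($vault in $VaultName) {
        # Without -Name, Get-AzKeyVaultCertificate lists the current version of every
        # certificate object in the vault. A wrong vault name or a missing permission
        # stops the run here instead of silently producing an empty report.
        $items = Get-AzKeyVaultCertificate -VaultName $vault -ErrorAction Stop

        foreach ($cert in $items) {
            if (-not $cert.Enabled -and -not $IncludeDisabled) { continue }
            if (-not $cert.Expires) { continue }   # defensive: no expiry recorded

            # Negative when the certificate has already expired. Those rows are kept
            # and labelled, rather than mixed in with the "about to expire" ones.
            $daysLeft = [int][math]::Floor(($cert.Expires - $now).TotalDays)
            if ($daysLeft -gt $DaysBeforeExpiry) { continue }

            [pscustomobject]@{
                VaultName    = $cert.VaultName
                Name         = $cert.Name
                Expires      = $cert.Expires
                DaysLeft     = $daysLeft
                Status       = if ($daysLeft -lt 0) { 'EXPIRED' } else { 'Expiring' }
                Enabled      = $cert.Enabled
                Owner        = & $tagValue $cert.Tags 'Application_Owner_EmailAddress'
                Application  = & $tagValue $cert.Tags 'Application_Name'
                BusinessUnit = & $tagValue $cert.Tags 'Business_Unit'
            }
        }
    }
}

# Usage: most urgent first. Vault names here are examples from this post.
$report = Get-ExpiringKeyVaultCertificate -VaultName 'kvMyCertificateStore' -DaysBeforeExpiry 90 |
    Sort-Object DaysLeft

$report | Format-Table Status, DaysLeft, Name, Expires, Application, Owner -AutoSize

# One row per application owner: the list they need to plan renewals and smoke tests for.
$report | Group-Object Owner | ForEach-Object {
    [pscustomobject]@{
        Owner        = $_.Name
        Certificates = ($_.Group.Name -join ', ')
        SoonestDays  = ($_.Group | Measure-Object DaysLeft -Minimum).Minimum
    }
} | Sort-Object SoonestDays | Format-Table -AutoSize
```

Run it on a schedule (an Azure Automation runbook or a pipeline job) and feed the per-owner roll-up into whatever notification channel the teams already use; a certificate with no Owner tag shows up as an empty group, which is itself a finding worth chasing.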
Note: