Creating an Azure Key Vault application object

To store certificates, an Azure Key Vault application object must be created in Trust Protection Platform. Then, in Azure, the Service Principal must be granted the required permissions to manage certificates.

You can also configure Trust Protection Platform to bind your certificates to web applications automatically during provisioning so that you don't have to create the binding using other methods.

TIP  If you plan to bind certificates to a web application, make sure that you've set up your web application already before you complete the following procedure.

To create an Azure Key Vault application

  1. In Policy Tree, click the Azure policy that you created earlier.
  2. Find the Azure device that you created under the Azure policy.
  3. Highlight the device and then right-click it.
  4. Choose Add > Application > Azure Key Vault.

  5. Under Certificate, for Associated Certificate, click to find the certificate that you want to associate with the Azure Key Vault application.

    NOTE  You can enable only one associated application per remote key generation. To see the differences between the two methods of private key generation, see Supported methods of key generation.

    To enable remote key generation:

    1. Click the certificate name to open the certificate.
    2. In the certificate's Settings tab, under CSR Handling, set Generate Key/CSR on Application to Yes.
  6. In Application Information, do the following:

    1. In the Application ID field, type the application ID of the Azure Service Principal.
    2. Click Certificate Credential to select the required credential.
  7. In Installation Settings, do the following:
    1. In Azure Key Vault Name, type the name of your key vault.
    2. In the Certificate Name field, type the name of the certificate that is going to be used for tracking the certificate in the Azure Key Vault.

      NOTE  The Certificate Name is automatically generated from Certificate Common Name (or DNS SANs if you don't specify a name).

      If you do specify a name, dots are changed to hyphens.

      Example: dsmith.denver.sales is converted to dsmith-denver-sales. Also, special characters are not allowed in the name and are removed.

      TIP  When you provision a new certificate to Azure Key Vault using a certificate name that is already in use, Azure automatically updates any existing bindings to that certificate name. However, those bindings are not likely to be activated as quickly as the bindings that are configured to be updated by the driver.

    3. (Conditional) If you want Trust Protection Platform to extract certificates and private keys from Azure Key Vault, set Private Key Exportable to Yes.
  8. (Conditional) If you want to bind certificates to web applications, then in the SSL Settings box, do the following:

    1. Set Bind Certificate to Web Application to Yes.
    2. In the Web Application Name field, type the name of the web application to which you want to bind certificates.
    3. (Optional) Enter the subscription ID of the web application. A subscription ID is required only if the web application to be bound is in a different subscription than the specified key vault.

    4. If a binding doesn't exist already, set Create New Binding to Yes.
    5. Set Create/Update binding for each DNS SAN to No if you want to create or update a binding for only one specific FQDN.

      If you select No here, you'll enter a single hostname in the Specify Binding Hostname(s) field (described below). Select Yes if you want Trust Protection Platform to automatically create/update one binding for every DNS SAN in the certificate.

    6. Click the SSL Type field and select whether to use SNI or IP Based.
    7. In Specify Binding Hostname(s), type one or more hostnames.
  9. When you're done, click Save.