
Get and use public certificate in Azure subscriptions

TBD

Prerequisites

We will need the following prerequisites in order to deliver a certificate natively recognized by Azure:

  • Public DNS name
  • Certificate delivery

Public DNS name

The following scenarios were considered:

  • Sub-domain of thalesdigital.io DNS zone
  • DNS custom domain provided by Azure

Sub-domain of thalesdigital.io DNS zone

It is possible to use a child domain of thalesdigital.io. Issues found at the domain verification stage:

  • We must create a TXT record at the root of the DNS domain, i.e. in thalesdigital.io. Unfortunately, a single record set (here the TXT record set at the zone apex) can hold at most 20 records (https://docs.microsoft.com/en-us/azure/dns/dns-zones-records#limits), so the zone can carry at most 20 such verification values at a time.
  • The operation can only be performed by the TDF Network team, which is responsible for thalesdigital.io, through a service request to support.

DNS custom domain provided by Azure

It is possible to use App Service Domains to buy a public DNS name (provided by GoDaddy):

  • Annual cost of 12€ / domain
  • Performs the public DNS registration with GoDaddy and creates the linked Azure Public DNS zone in a single operation
  • Allows the DNS domain to be managed through a dedicated Azure interface: renewal (manual/automatic) and additional operations (move between subscriptions, ...)
  • DNS domain auto-registration can be configured

Warning: App Service Domains only delivers public DNS domains for the following top-level domains: com, net, co.uk, org, nl, in, biz, org.uk, and co.in.

Certificate delivery

Certificates can be delivered using the following solutions:

  • Azure App Services Certificates
  • Let's Encrypt

Azure App Services Certificates

As long as public DNS name resolution is operational, we can rely on App Service Certificates to deliver public certificates (issued by GoDaddy). App Service Certificates rely on Azure Key Vault to generate the public/private key pair and to store the delivered certificates. This scenario was tested successfully on an Azure C3 Azure Hardened Subscription. The only requirement is to configure the Key Vault with the public endpoint only (Selected networks option; there is no need to configure linked virtual networks), because App Service Certificates is recognized as one of the trusted Microsoft Azure services (https://docs.microsoft.com/en-us/azure/key-vault/general/overview-vnet-service-endpoints#trusted-services).

Using App Service Certificates has multiple benefits:

  • The GoDaddy Certificate Authority is already recognized
  • Provides both Standard and Wildcard certificates (may not provide Extended Validation certificates)
  • Provides automatic certificate renewal 31 days before expiration
  • Allows the certificate to be exported from Key Vault (null PFX password)
  • Certificates nearing their expiration date can be detected with Azure Policy (built-in policy)
  • A new key pair can be regenerated

The App Service Certificate verification process relies on a DNS record that must be created in the public DNS zone, at the root of the zone. TDF BL consumers will be autonomous to perform this operation if they use their own Azure Public DNS zone; this is not the case for the thalesdigital.io public DNS zone, which is managed by the TDF IT team. Unfortunately, a single record set can hold at most 20 records (https://docs.microsoft.com/en-us/azure/dns/dns-zones-records#limits), which is a major limitation for self-service.

Warning: App Service Certificates purchased from Azure are issued by GoDaddy. For some domains, you must explicitly allow GoDaddy as a certificate issuer by creating a CAA DNS record with the value 0 issue godaddy.com (Source).
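Before ordering an App Service Certificate it is worth checking that the CAA records of the target name actually allow GoDaddy, including for wildcard orders. The following is an added example, not code from the original page or from Azure: it evaluates CAA the way a CA must under RFC 8659 (use the CAA set of the name itself or of its closest ancestor; issuewild governs wildcard names whenever it is present; an empty issuer ";" forbids every CA). The zone data is a constructed in-memory sample using example.com placeholders, and the function names are mine; in practice you would feed it the answers of a real DNS lookup.

```python
"""Added example (not part of the original page): RFC 8659 CAA evaluation for a
candidate issuer such as godaddy.com. Zone data is constructed, not looked up."""
from typing import Dict, List, Optional, Tuple

CaaRecord = Tuple[int, str, str]  # (flags, tag, value)


def parse_caa(text: str) -> CaaRecord:
    """Parse CAA presentation format, e.g. '0 issue "godaddy.com"'."""
    flags, tag, value = text.split(None, 2)
    return int(flags), tag.lower(), value.strip().strip('"')


# Constructed sample zone (placeholder names): the apex allows GoDaddy for
# ordinary names but forbids every CA for wildcards; a sub-zone forbids
# issuance entirely.
CAA_ZONE: Dict[str, List[CaaRecord]] = {
    "example.com.": [parse_caa('0 issue "godaddy.com"'), parse_caa('0 issuewild ";"')],
    "locked.example.com.": [parse_caa('0 issue ";"')],
}


def relevant_caa_set(name: str, zone: Dict[str, List[CaaRecord]]) -> Optional[List[CaaRecord]]:
    """RFC 8659 section 3: the CAA set of the name itself or, failing that, of
    its closest ancestor. None means there is no CAA anywhere up the tree."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        if zone.get(owner):
            return zone[owner]
    return None


def _issuer(value: str) -> str:
    # "godaddy.com; account=123" -> "godaddy.com"; ";" -> "" (nobody may issue)
    return value.split(";", 1)[0].strip().lower()


def caa_permits(name: str, ca: str, zone: Dict[str, List[CaaRecord]]) -> bool:
    """True if `ca` (an issuer domain such as 'godaddy.com') may issue for `name`.
    A leading '*.' marks a wildcard request, which is evaluated against the parent."""
    wildcard = name.startswith("*.")
    if wildcard:
        name = name[2:]
    records = relevant_caa_set(name, zone)
    if records is None:
        return True  # no CAA in the chain: any CA may issue
    # A critical property (flag 128) the CA does not understand forbids issuance.
    if any(flags & 128 and tag not in ("issue", "issuewild", "iodef")
           for flags, tag, _ in records):
        return False
    tags = {tag for _, tag, _ in records}
    # issuewild takes over for wildcard names only when such records exist;
    # otherwise wildcard requests fall back to the issue records.
    tag = "issuewild" if wildcard and "issuewild" in tags else "issue"
    permitted = [_issuer(v) for _, t, v in records if t == tag]
    if not permitted:
        return True  # e.g. only iodef records present: issuance is not restricted
    return ca.lower() in permitted


if __name__ == "__main__":
    for n in ("www.example.com", "*.example.com", "app.locked.example.com", "www.example.net"):
        print("%-26s godaddy.com allowed: %s" % (n, caa_permits(n, "godaddy.com", CAA_ZONE)))
```

Note the wildcard case: the apex record 0 issuewild ";" means a Wildcard App Service Certificate order for *.example.com would fail validation even though 0 issue "godaddy.com" is present, so both properties have to be checked when a wildcard certificate is planned.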

Let's Encrypt

TBD

Scenarios

Note: the list of Azure services considered trusted services includes the following Azure services:

  • Azure Application Gateway
  • Azure FrontDoor
  • Azure App Services
  • Azure DataBricks
  • Azure API Management
  • ...

App Service

App Service can rely on certificates delivered by App Service Certificates. First, we must configure the custom domain (which relies on an Azure public DNS zone). Once App Service recognizes the custom domain, we can import the certificate from the Key Vault and configure the binding (SNI/IP).

Warning: there is no automatic binding change on certificate expiration; the binding is only updated by the App Service sync operation.

Application Gateway

Azure Application Gateway is able to retrieve its certificate from an Azure Key Vault and supports automatic renewal of certificates. By default, Application Gateway polls the Key Vault every 4 hours to retrieve a new version of the certificate if one exists. As of March 15, 2021, Key Vault recognizes Application Gateway as a trusted service, so you can build a secure network boundary in Azure. You can deny access to traffic from all networks (including internet traffic) to Key Vault but still make Key Vault accessible for an Application Gateway resource under your subscription (Source). Azure Application Gateway can therefore rely on certificates that are stored in a Key Vault that is not publicly available.

Using Azure Application Gateway is challenging for the following reasons:

  • Azure App Service Certificate delivers the certificate into the Key Vault as a secret, not as a Key Vault certificate object. This is not a problem for App Service, but it is for Azure Application Gateway, which expects a certificate. Automatic certificate provisioning / renewal is therefore not possible.
  • At the current time we cannot deploy an Azure Application Gateway that relies on a certificate located in a Key Vault in a C3 Azure Hardened subscription: provisioning completes in a failed state.
  • Managing secrets / certificates in a Key Vault located in a C3 Azure Hardened subscription requires the Key Vault service endpoint to be enabled at subnet level and the Key Vault network rules configured to allow that subnet.

Technical documentation on this scenario is available here : Configure TLS termination with Key Vault certificates using Azure PowerShell.

API Management

TBD

Appears to be supported: https://azure.microsoft.com/en-us/updates/support-for-azure-api-management-certificates-in-azure-key-vault-has-reached-general-availability/

Note: certificates updated in the Key Vault are automatically rotated in API Management. After an update in the Key Vault, a certificate in API Management is updated within 4 hours. You can also manually refresh the certificate using the Azure portal or via the management REST API (source).

Relies on "Allow trusted Microsoft services to bypass this firewall" at Key Vault level. Implies configuration at virtual network level (source).

For the Key Vault usage, it remains to be determined whether it is a secret or a certificate: https://docs.microsoft.com/en-us/rest/api/apimanagement/2020-12-01/gateway-hostname-configuration/create-or-update

Questions

How to detect expiration?

Key Vault level

As long as certificates are stored in Key Vault, we have their validity start and end dates and can rely on the Azure Policies related to certificates. For example we have:

  • Key Vault Keys should have an expiration date
  • Keys should have more than the specified number of days before expiration
  • Certificates should not expire within the specified number of days

App Service Domains renewal

By default, App Service Domains can be configured for automatic domain renewal. Manual domain renewal can only be performed up to 90 days ahead of domain expiration and up to 18 days after domain expiration. A mail is sent to the domain owner 90 days before expiration (source).

Azure App Services Certificates renewal

An Azure App Service Certificate includes automatic certificate renewal every year. The renewal is performed 31 days before expiration. Manual certificate renewal can be requested up to 60 days before the expiration date. At App Service level, a sync operation is performed every 24 hours.

Important information: starting Sept 23 2021, App Service Certificates require domain validation every 395 days. Unlike App Service Managed Certificates, domain re-validation for App Service Certificates is NOT automated (Source).

How to alert of certificate expiration?

As long as certificates are stored in Key Vault, we can rely on Azure policies such as "Certificates should not expire within the specified number of days". We are able to track non-compliant certificates in Key Vault through the non-compliance events in the Azure Activity log using an Azure Monitor alert, but responding to this alert is complex. An Azure Action group offers notification, but its Email Azure Resource Manager Role notification type is limited to a set of built-in Azure roles (Source). We could rely on the Email/SMS message/Push/Voice notification type, but this requires email addresses linked to the Azure AD security groups we use in Azure Hardened Subscriptions.

The only viable solution is to rely on an Azure Function / Azure Automation runbook configured as the response of the Action group. The payload will contain the information required to generate a mail notification using a service such as SendGrid.
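The two pieces of logic the detection and alerting sections describe are shown below as an added example, not code from the original page or from Azure: first the check the "Certificates should not expire within the specified number of days" policy performs, run over Key Vault certificate metadata; second the step an Azure Function behind the Action group would take to turn the alert payload into a mail subject and body for a service such as SendGrid. The certificate list is a constructed sample that mirrors the id/name/attributes.expires shape of Key Vault certificate listings, the alert payload is a constructed Azure Monitor common alert schema message (only the essentials fields are relied on), and vault names, resource IDs and function names are placeholders of mine.

```python
"""Added example (not part of the original page): Key Vault certificate expiry
check plus Action-group payload to e-mail conversion. All inputs are
constructed samples so the code runs offline."""
import json
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed sample mirroring the shape of a Key Vault certificate listing
# (id, name, attributes.expires). Vault and certificate names are placeholders.
KV_CERTIFICATES_JSON = json.dumps([
    {"id": "https://kv-example.vault.azure.net/certificates/app-cert-prod",
     "name": "app-cert-prod",
     "attributes": {"enabled": True, "expires": "2024-03-20T00:00:00+00:00"}},
    {"id": "https://kv-example.vault.azure.net/certificates/app-cert-dev",
     "name": "app-cert-dev",
     "attributes": {"enabled": True, "expires": "2025-01-01T00:00:00Z"}},
    {"id": "https://kv-example.vault.azure.net/certificates/app-cert-expired",
     "name": "app-cert-expired",
     "attributes": {"enabled": True, "expires": "2024-02-20T00:00:00+00:00"}},
])

# Fixed "now" so the example is reproducible; a real check uses datetime.now(timezone.utc).
SAMPLE_NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)


def _parse_utc(ts: str) -> datetime:
    # Key Vault returns ISO 8601; normalise a trailing 'Z' for older Python versions.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def expiring_certificates(items_json: str, within_days: int, now: datetime) -> List[Tuple[str, int]]:
    """Return (name, days_left) for every certificate expiring within `within_days`
    of `now`. Already-expired certificates come back with a negative days_left.
    Sorted most urgent first."""
    flagged = []
    for item in json.loads(items_json):
        expires = _parse_utc(item["attributes"]["expires"])
        days_left = (expires - now).days
        if days_left <= within_days:
            flagged.append((item["name"], days_left))
    return sorted(flagged, key=lambda t: t[1])


# Constructed Azure Monitor common alert schema payload, i.e. what an Action
# group posts to a Function or webhook. Resource IDs are placeholders.
ALERT_PAYLOAD_JSON = json.dumps({
    "schemaId": "azureMonitorCommonAlertSchema",
    "data": {
        "essentials": {
            "alertRule": "kv-cert-expiring-30d",
            "severity": "Sev2",
            "monitorCondition": "Fired",
            "firedDateTime": "2024-03-01T06:00:00.000Z",
            "alertTargetIDs": [
                "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example"
                "/providers/Microsoft.KeyVault/vaults/kv-example"
            ],
            "description": "Certificates should not expire within the specified number of days",
        },
        "alertContext": {},
    },
})


def build_notification(payload_json: str) -> Dict[str, str]:
    """Turn an alert payload into the subject/body handed to a mail service.
    Rejects an unexpected schema instead of mailing garbage."""
    payload = json.loads(payload_json)
    if payload.get("schemaId") != "azureMonitorCommonAlertSchema":
        raise ValueError("unexpected schemaId: %r" % payload.get("schemaId"))
    ess = payload["data"]["essentials"]
    targets = ess.get("alertTargetIDs", [])
    vault_names = [t.rsplit("/", 1)[-1] for t in targets]
    subject = "[%s] %s on %s" % (ess["severity"], ess["alertRule"],
                                 ", ".join(vault_names) or "unknown target")
    body = "\n".join([
        "Condition: %s at %s" % (ess.get("monitorCondition", "?"), ess.get("firedDateTime", "?")),
        "Description: %s" % ess.get("description", ""),
        "Targets:",
        *("  " + t for t in targets),
    ])
    return {"subject": subject, "body": body}


if __name__ == "__main__":
    for name, days in expiring_certificates(KV_CERTIFICATES_JSON, 30, SAMPLE_NOW):
        print("%-18s %4d days left" % (name, days))
    print(build_notification(ALERT_PAYLOAD_JSON)["subject"])
```

The 30-day threshold mirrors the 31-day automatic renewal window of App Service Certificates: anything still flagged at 30 days means the renewal did not happen and needs a human look, which is exactly the case the Function-based notification is there to catch.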

How to perform certificate rotation?

At App Service level, a sync operation from the Azure App Service Certificate is performed every 24 hours. This process updates the certificate binding. The same process applies if the certificate was stored in the Key Vault.