Get a Thales Certificate

This document aims to provide required information and procedures to request a Thales certificate to be used in your Azure Hardened Subscription. Required vocabulary is available in the Glossary.


Introduction

Azure services come with their own set of certificates. For example, when we provision a Storage Account, its endpoints use Microsoft wildcard certificates such as:

  • *.blob.core.windows.net
  • *.file.core.windows.net
  • *.queue.core.windows.net
  • *.table.core.windows.net
  • ...

These public DNS domains are owned by Microsoft. For some services, we can bring our own public DNS domain. Once we choose to use a custom DNS domain name, we must also provide a valid public certificate. That is a common scenario for web-based workloads that need to be exposed with a minimum level of security. Services like Azure Application Gateway need a valid certificate (public or private) to act as a reverse proxy. This Azure service will be required if you plan to expose a web-based workload.


Certificate usages

A certificate can be requested for multiple scenarios (Server Authentication, Client Authentication, ...); most of the time we need a Server Authentication certificate. This certificate is delivered by a certificate authority that can be public or private. At TDF, we consider that:

  • The private DNS domain (and sub-domains) tdp.infra.thales is a private DNS zone, so certificates will be delivered by the Thales certification authorities described in the next section of this document.
  • The public DNS domain (and sub-domains) thalesdigital.io is a public DNS zone, so certificates will be delivered by a public certification authority described in the next section of this document.

How to request certificates

For Thales internal usage only

Certificates delivered by Thales certification authorities can only be requested from the Thales network (from a SWIT Thales device). This document provides the detailed steps: KB-Server-Certificate-request-process. This document is extracted from the Thales internal Knowledge base. Please connect to the Thales network from a SWIT Thales device to get the updated process and perform your request.

TDF BL consumers are responsible for requesting and renewing their certificates. If a certificate is compromised, the TDF BL consumer is also responsible for requesting its revocation.

Extract of documentation:

Server Certificate request process for tdp.infra.thales domain:
the process is described on https://kiss.service-now.com/kb?id=kb_article_view&sysparm_article=KB0019250
To sum up:
- one validation stream: form to be completed and validated by an SSI representative (cf. https://kiss.service-now.com/kb?id=kb_article_view&sysparm_article=KB0019249)
- one technical stream: generate the CSR and push it into the PKI with the first stream ticket number

For Thales external usages only

At time of writing, there is no formal process to request public certificates. Multiple solutions are available:

Some scenarios using Azure Application Gateway are documented on the How to get public certificate page.

Certificate best practices

  • Rely on Azure Key Vault to store your certificates
  • Restrict who can access your certificates (especially PFX files)
  • Set a strong password for certificate PFX storage
  • Don't wait for the certificate expiration to start the certificate renewal process
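The OpenSSL side of the "technical stream" above (key and CSR generation) together with the PFX and renewal best practices, as an added example that is not part of the Thales KB or of this page's own process. It assumes OpenSSL 1.1.1 or later is installed; the host name app.tdp.infra.thales and all file paths are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the Thales KB: CSR generation for the technical stream,
# PFX packaging for Key Vault import, and an early-renewal check.
# Assumptions: OpenSSL 1.1.1+; host names and paths below are placeholders.
set -euo pipefail

# Generate a private key and a CSR for one host (placeholder FQDN under tdp.infra.thales).
# Only the CSR is pushed to the PKI with the ticket number; the key never leaves the host.
make_csr() {
  local fqdn="$1" outdir="${2:-.}"
  mkdir -p "$outdir" && chmod 700 "$outdir"
  openssl req -new -newkey rsa:3072 -nodes \
    -keyout "$outdir/$fqdn.key" -out "$outdir/$fqdn.csr" \
    -subj "/CN=$fqdn" \
    -addext "subjectAltName=DNS:$fqdn" \
    -addext "extendedKeyUsage=serverAuth" 2>/dev/null
  chmod 600 "$outdir/$fqdn.key"                                      # restrict key access
  openssl req -in "$outdir/$fqdn.csr" -noout -verify >/dev/null 2>&1  # CSR self-check
}

# Bundle the issued certificate and its key into a password-protected PFX for Key Vault.
# The password comes from a file, not the command line (which is visible in `ps`).
make_pfx() {
  local cert="$1" key="$2" out="$3" passfile="$4"
  openssl pkcs12 -export -in "$cert" -inkey "$key" -out "$out" -passout "file:$passfile"
  chmod 600 "$out"
}

# Returns 0 (true) when the certificate in $1 expires within $2 days, so renewal starts early.
needs_renewal() {
  local cert="$1" days="$2"
  if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null; then
    return 1   # still valid beyond the renewal window
  fi
  return 0
}

# Example run with the placeholder host name:
# make_csr app.tdp.infra.thales ./pki
# needs_renewal ./pki/app.tdp.infra.thales.crt 30 && echo "start renewal now"
```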