
Certificate as a Service on a TDP Landing Zone

Overview

The service aims to simplify certificate management for Landing Zone users by providing an easy way to generate and renew certificates for their applications.

The high level architecture of the service is as follows:

Figure: Certificates as a Service Overview (high-level architecture diagram)

Subscribe to the service

To subscribe to the service, please make a request on Post-it.

This will activate step 2 of the workflow described above. A new Event Grid Topic will be created in the Landing Zone, forwarding Activity Log events to a Service Bus queue so that tag changes on every Key Vault in the Landing Zone can be processed.

Request a Certificate

To request a certificate, you only need to add a tag to the Key Vault where you want to store the certificate in your Landing Zone.

The tag should have the following properties:

  • Name: tdpcert-certificate_display_name, where certificate_display_name is the name you want to give to the secret that will contain the certificate.
  • Value: the certificate Common Name you want (e.g. myapp.thaledigital.io).

Limitations:

  • The Value can only contain one domain name at the moment (can be a wildcard domain name).

The certificate will be generated and stored as a secret in the Key Vault. The secret name will be the certificate_display_name you provided in the tag.

Certificate Renewal

The service will automatically renew the certificate 30 days before its expiration date. The new certificate will be stored in the same secret in the Key Vault (as a new version).
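As an added example (not code from the TDP service itself), the following Python applies the tag convention and the single-domain limitation from "Request a Certificate" to a Key Vault's tag dictionary, and checks the 30-day renewal window described above. The Common Name pattern, the separator check and the sample tags are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone

TAG_PREFIX = "tdpcert-"
# Assumption: a single DNS name, optionally a wildcard in the leftmost label.
_CN_RE = re.compile(
    r"^(\*\.)?([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.IGNORECASE
)
RENEWAL_WINDOW = timedelta(days=30)  # renew 30 days before expiry


def certificate_requests(tags):
    """Derive certificate requests from a Key Vault's tags.

    Returns (requests, rejected): requests is a list of (secret_name, common_name)
    for well-formed tdpcert-* tags; rejected is a list of (tag_name, reason).
    """
    requests, rejected = [], []
    for name, value in tags.items():
        if not name.startswith(TAG_PREFIX):
            continue  # unrelated tag, ignored by the service
        secret_name = name[len(TAG_PREFIX):]
        if not secret_name:
            rejected.append((name, "missing certificate_display_name"))
            continue
        cn = (value or "").strip()
        # Limitation: only one domain name per tag (wildcard allowed).
        if any(sep in cn for sep in (",", ";", " ")):
            rejected.append((name, "only one domain name is supported"))
            continue
        if not _CN_RE.match(cn):
            rejected.append((name, f"invalid common name: {cn!r}"))
            continue
        requests.append((secret_name, cn.lower()))
    return requests, rejected


def renewal_due(expires_on, now=None):
    """True when an ISO-8601 expiry is within 30 days of 'now' (or already past)."""
    expiry = datetime.fromisoformat(expires_on)
    current = datetime.fromisoformat(now) if now else datetime.now(timezone.utc)
    return expiry - current <= RENEWAL_WINDOW


if __name__ == "__main__":
    # Constructed sample tags, as they would appear on a Key Vault resource.
    sample_tags = {
        "environment": "prod",
        "tdpcert-myapp-tls": "myapp.thaledigital.io",
        "tdpcert-wildcard": "*.thaledigital.io",
        "tdpcert-bad": "a.thaledigital.io, b.thaledigital.io",
    }
    print(certificate_requests(sample_tags))
```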