Integration with Azure Key Vault
PAM360 integrates with Microsoft Azure Key Vault, the Azure service for storing keys, secrets, and certificates. The integration lets you request, renew, and manage the SSL/TLS certificates stored in Azure Key Vault by importing them into the PAM360 repository. You can auto-renew certificates and automate the end-to-end lifecycle of the SSL/TLS certificates held in Azure Key Vault directly from the PAM360 web interface.
- How does the PAM360 - Azure Key Vault Integration Work?
- Importing Azure Key Vaults
- Managing Certificates from Azure Key Vault
  3.1 Discovering Certificates from Azure Key Vault
  3.2 Creating a Certificate Request
  3.3 Renewing, Deleting, Filtering all Versions of Certificates
- Azure TLS Secret Management from PAM360
  4.1 Discovering TLS Secrets from Azure Key Vault
  4.2 Managing Azure TLS Secrets from PAM360
1. How does the PAM360 – Azure Key Vault Integration Work?
Let's say you manage a number of Key Vaults in the Azure portal, each containing a number of SSL certificates. You add the credentials of an Azure application registration (a service principal) to PAM360, and PAM360 automatically imports every Key Vault that those credentials can see into the PAM360 repository. Once the Key Vaults are added, you discover the certificates stored in them with the discovery operation. PAM360 lets you create new certificate requests and renew existing certificates, whether they were created in PAM360 or imported from Azure Key Vault. You can also import and manage the different versions of the same certificate held in a Key Vault.
Prerequisites:
- To set up the PAM360 - Azure Key Vault integration you need the credentials of an Azure application registration (service principal): the Application (client) ID, the Directory (tenant) ID, the Subscription ID, and a client secret. Treat the client secret as a privileged credential: it grants everything the access policies below allow, and it has an expiry date in Azure, after which synchronization fails until a new secret is entered in PAM360.
- The application must be granted access to every Key Vault from which you want to import certificates. Under the Key Vault's Access Policies, grant it the Key, Secret and Certificate permissions the integration needs. Prefer the narrowest set that the operations you plan to use (discovery, requests, renewals, secret creation) require over granting all permissions. If a Key Vault uses Azure RBAC for data-plane authorization instead of access policies, its access policies are ignored and you must assign a role instead.
- The application must also be able to list the Key Vaults in the subscription. To grant this, go to Access Control (IAM) >> Add >> Add role assignment, and under Assign access to choose User, group, or service principal, then select the application.
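The access-policy prerequisite above is where least privilege is usually lost: the quickest way to make the sync work is to grant "all" on keys, secrets and certificates. The following script is an added example, not PAM360 or Microsoft code, that audits what a vault's access policy actually grants to the PAM360 service principal. It reads the JSON that `az keyvault show --name <vault> -o json` prints (only `properties.accessPolicies` and `properties.enableRbacAuthorization` are used); the sample vault document, its object IDs, and the `REQUIRED` permission set are constructed for this example, the latter derived from the operations this page describes rather than from an official PAM360 permission list.

```python
"""Audit a Key Vault access policy for the PAM360 service principal.

Added example, not PAM360 or Microsoft code. Input is the JSON from
`az keyvault show -n <vault> -o json`; the sample below is constructed.
"""
import json

# Permissions the operations on this page use. Assumption: derived from the
# discover / request / renew / issuer-sync / secret operations described
# here, not from an official PAM360 permission list.
REQUIRED = {
    "certificates": {"get", "list", "create", "update", "getissuers", "listissuers"},
    "secrets": {"get", "list", "set"},
    "keys": set(),  # the certificate workflow never touches keys directly
}

# Grants a certificate-lifecycle integration has no reason to hold.
DESTRUCTIVE = {"all", "delete", "purge", "backup", "restore", "recover"}

# Constructed sample of `az keyvault show` output, reduced to the fields this
# audit reads. The first policy is the "just make it work" grant, the second
# the corrected one. Object and tenant IDs are placeholders.
SAMPLE_VAULT = json.loads("""
{
  "name": "pam360-vault",
  "properties": {
    "enableRbacAuthorization": false,
    "accessPolicies": [
      {
        "objectId": "11111111-1111-1111-1111-111111111111",
        "tenantId": "tttttttt-tttt-tttt-tttt-tttttttttttt",
        "permissions": {"keys": ["all"], "secrets": ["all"], "certificates": ["all"]}
      },
      {
        "objectId": "22222222-2222-2222-2222-222222222222",
        "tenantId": "tttttttt-tttt-tttt-tttt-tttttttttttt",
        "permissions": {"keys": [], "secrets": ["get", "list", "set"],
                        "certificates": ["get", "list", "create", "update",
                                         "getissuers", "listissuers"]}
      }
    ]
  }
}
""")


def audit_policy(vault: dict, object_id: str) -> dict:
    """Compare one principal's access policy against REQUIRED.

    Returns {"mode", "missing": {scope: [...]}, "excess": {scope: [...]},
    "destructive": bool}. A vault in RBAC mode ignores access policies, so
    the audit reports that instead of judging a policy that has no effect.
    """
    props = vault["properties"]
    if props.get("enableRbacAuthorization"):
        return {"mode": "rbac", "missing": {}, "excess": {}, "destructive": False}
    policy = next((p for p in props.get("accessPolicies", [])
                   if p["objectId"].lower() == object_id.lower()), None)
    if policy is None:
        return {"mode": "absent",
                "missing": {s: sorted(n) for s, n in REQUIRED.items() if n},
                "excess": {}, "destructive": False}
    missing, excess, destructive = {}, {}, False
    for scope, needed in REQUIRED.items():
        granted = {g.lower() for g in (policy["permissions"].get(scope) or [])}
        if granted & DESTRUCTIVE:
            destructive = True
        if "all" in granted:  # satisfies everything, but is never least privilege
            excess[scope] = ["all"]
            continue
        if needed - granted:
            missing[scope] = sorted(needed - granted)
        if granted - needed:
            excess[scope] = sorted(granted - needed)
    return {"mode": "policy", "missing": missing, "excess": excess,
            "destructive": destructive}


if __name__ == "__main__":
    for oid in ("11111111-1111-1111-1111-111111111111",
                "22222222-2222-2222-2222-222222222222"):
        print(oid, json.dumps(audit_policy(SAMPLE_VAULT, oid)))
```

Run it against the real vault by replacing `SAMPLE_VAULT` with the parsed `az keyvault show` output and passing the object ID of the PAM360 application's service principal (not its application/client ID; access policies are keyed by object ID). A `destructive` result means the client secret stored in PAM360 can delete or purge material in that vault, which the integration never needs.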
2. Importing Azure Key Vaults
To import all key vaults that are being managed in the Azure portal, you must add your Azure credentials in PAM360. Follow the below steps:
- Navigate to 'Certificates >> Azure'.
- Go to Manage and click Add.
- In the Add Azure Credentials pop-up, enter the following attributes:
- Credential Name - a unique name for this set of credentials
- Subscription ID
- Directory ID - the Directory (tenant) ID
- Application ID - the Application (client) ID of the application registration
- Key - the client secret of the application registration
- Click Save.
Once the credentials are saved, all the Key Vaults visible to that credential are automatically imported into PAM360 and listed under the Key Vault tab. If the Key Vaults are not imported, click Sync to start the import manually. If you have issuers configured in the Azure portal, click Sync and choose a Key Vault in the pop-up that appears; the issuer certificates from the selected Key Vault are then listed under the Issuer tab.
3. Managing Certificates from Azure Key Vault
3.1 Discovering Certificates from Azure Key Vault
PAM360 enables you to discover, import, and configure expiry notifications for SSL certificates managed in the Azure portal.
- Navigate to 'Certificates >> Discovery >> Azure'.
- Choose the following attributes from the drop-downs:
- Credential Name - The Azure credential from which you wish to import key vaults.
- Key Vault - Choose the required key vault from which you wish to import certificates. In case you find that the certificates list is not fully updated, click the sync icon available beside the Key Vault drop-down to manually sync the certificate list from the Azure portal.
- Select the Import Previous Versions option to import all available versions of the certificates in the key vault. Click Import.
Now all the certificates from the selected Azure Key Vault will be imported and populated in the Azure tab.
Note: Please note that every version of a certificate will be considered as an individual certificate in PAM360 and therefore will impact your license count.
3.2 Creating a Certificate Request
PAM360 lets you create SSL certificate requests in any Key Vault reachable through a saved Azure credential. You can also create a new version of an existing certificate by using the same certificate name. Every certificate request created in PAM360 is also created in the Azure portal. Follow the steps below:
- Navigate to 'Certificates >> Azure' and click Request Certificate.
- Choose your Azure Credential and the required key vault from the dropdown.
- Provide the certificate name, the domain name and any SANs; separate multiple SAN values with commas.
- Enter an email address, choose a Key Algorithm and Key Size from the dropdowns, and enter the location details (the remaining subject fields).
- Enter the certificate validity in months and choose a Lifetime Action from the dropdown: either auto-renew the certificate as it approaches expiry, or send an email notification to the certificate contacts configured for the Key Vault in the Azure portal. The notification only reaches someone if certificate contacts are actually configured on that vault.
- Enter the number of days before expiry at which the chosen Lifetime Action is triggered.
- To set optional properties on the new certificate, click Advanced Options to expand the menu. There are two categories, Key Usage and Extended Key Usage, corresponding to the X.509 extensions that state what the certificate may be used for. Key Usage covers flags such as Digital Signature, Non Repudiation, Key Encipherment and Data Encipherment; Extended Key Usage covers purposes such as Server Authentication and Client Authentication. A TLS server certificate typically needs Digital Signature (plus Key Encipherment for RSA key exchange) and the Server Authentication purpose. Select the required options, and select the checkbox to mark an extension as critical, which tells relying parties to reject the certificate if they do not understand that extension.
- After adding all the details, click Request Certificate. A new certificate request is created in both PAM360 and the Azure portal.
Once the request is created, go to the Request Status tab to view the status and other details pertaining to a certificate. To obtain the latest certificate from your request, click the Obtain Certificate option available beside the certificate. The following operations can be done on the certificates being managed from the Azure tab:
- Obtain Certificate - This option retrieves the selected certificate from the Azure portal.
- Obtain History - This option retrieves all the versions of the selected certificate from the Azure portal.
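The Request Certificate form above is a front end for a Key Vault certificate policy: the key algorithm and size, subject and SANs, validity, lifetime action, key usage and EKU choices all land in the `policy` object that Azure Key Vault's `POST {vault}/certificates/{name}/create` call takes. The following function is an added example, not PAM360 or Microsoft code, that builds that JSON body from the form's fields and rejects combinations Key Vault would refuse, in particular a renewal trigger that falls outside the validity period. The `policy_rejection` helper and all parameter names are this example's own; the JSON field names are those of the Key Vault REST API.

```python
"""Build the Key Vault certificate policy behind the Request Certificate
form, validating the inputs first. Added example, not PAM360 or Microsoft
code; the JSON field names are the Key Vault REST API's CertificatePolicy."""

# Key Vault lifetime action types behind the two choices the form offers.
LIFETIME_ACTIONS = {"auto renew": "AutoRenew", "email contacts": "EmailContacts"}

# X.509 key usage names Key Vault accepts, and the EKU OIDs behind the
# Server Authentication / Client Authentication options.
KEY_USAGES = {"digitalSignature", "nonRepudiation", "keyEncipherment",
              "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
              "encipherOnly", "decipherOnly"}
EKU_OIDS = {"serverAuth": "1.3.6.1.5.5.7.3.1", "clientAuth": "1.3.6.1.5.5.7.3.2"}
RSA_SIZES = {2048, 3072, 4096}
EC_CURVES = {"P-256", "P-384", "P-521"}


def build_certificate_policy(*, common_name, sans=(), subject_extra=None,
                             key_type="RSA", key_size=2048, curve="P-256",
                             validity_months=12, lifetime_action="auto renew",
                             days_before_expiry=30,
                             key_usage=("digitalSignature", "keyEncipherment"),
                             ekus=("serverAuth",), issuer="Self"):
    """Return the JSON body for POST {vault}/certificates/{name}/create.

    subject_extra carries the form's location details, e.g. {"O": ..., "C": ...}.
    """
    if validity_months < 1:
        raise ValueError("validity must be at least one month")
    # Key Vault bounds the renewal trigger by the validity period (the REST
    # reference gives 1 .. validity_in_months * 27 days); failing here is
    # cheaper than a rejected create request and a half-created version.
    if not 1 <= days_before_expiry <= validity_months * 27:
        raise ValueError("days_before_expiry must lie inside the validity period")
    if lifetime_action not in LIFETIME_ACTIONS:
        raise ValueError(f"unknown lifetime action {lifetime_action!r}")
    if set(key_usage) - KEY_USAGES or set(ekus) - set(EKU_OIDS):
        raise ValueError("unsupported key usage or EKU selection")
    if key_type == "RSA":
        if key_size not in RSA_SIZES:
            raise ValueError("RSA key size must be 2048, 3072 or 4096")
        key_props = {"kty": "RSA", "key_size": key_size}
    elif key_type == "EC":
        if curve not in EC_CURVES:
            raise ValueError("unsupported EC curve")
        key_props = {"kty": "EC", "crv": curve}
    else:
        raise ValueError("key_type must be RSA or EC")
    # reuse_key=False: every renewal gets a fresh private key.
    key_props.update({"exportable": True, "reuse_key": False})

    subject = ", ".join([f"CN={common_name}"] +
                        [f"{k}={v}" for k, v in (subject_extra or {}).items()])
    return {
        "policy": {
            "key_props": key_props,
            "secret_props": {"contentType": "application/x-pkcs12"},
            "x509_props": {
                "subject": subject,
                "sans": {"dns_names": list(sans)},
                "key_usage": list(key_usage),
                "ekus": [EKU_OIDS[e] for e in ekus],
                "validity_months": validity_months,
            },
            "lifetime_actions": [{
                "trigger": {"days_before_expiry": days_before_expiry},
                "action": {"action_type": LIFETIME_ACTIONS[lifetime_action]},
            }],
            "issuer": {"name": issuer},
            "attributes": {"enabled": True},
        }
    }


def policy_rejection(**form):
    """Return the validation error for a form submission, or None if it builds."""
    try:
        build_certificate_policy(**form)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    import json
    print(json.dumps(build_certificate_policy(
        common_name="www.example.com", sans=["example.com"],
        subject_extra={"O": "Example Ltd", "C": "GB"}), indent=2))
```

Submitting a policy with the same certificate name creates a new version of that certificate, which is the behaviour described above for re-using a name; the `issuer` of `Self` produces a self-signed certificate, and a third-party issuer name must first be configured on the vault.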
3.3 Renewing, Deleting, Filtering all Versions of Certificates
3.3.1 Renewing Certificates
PAM360 allows you to renew Azure certificates directly from the PAM360 interface.
- Select the certificate you wish to renew and click the Renew option at the top.
- Enter the validity in months and click Renew. The certificate is renewed with the specified validity period and updated in both PAM360 and the Azure portal.
Note: The following certificates cannot be renewed from PAM360:
- Certificates issued by a third-party issuer that are currently managed in the Azure portal.
- Previous versions of existing certificates.
3.3.2 Deleting Certificates
To delete certificates:
- Select one or more certificates using the checkboxes.
- Click Delete from the top menu.
Note: The certificate is deleted only from the PAM360 repository; the operation does not change the certificate's status in the Azure portal.
3.3.3 Filtering Certificates
To filter versions of certificates, click the Show dropdown and choose from the options:
- Current Certificate - This option will display only the current versions of the certificates.
- Previous Versions - This option will display older versions of the available certificates.
- All - This option will display all versions of the available certificates.
4. Azure TLS Secret Management from PAM360
As part of the integration, you can manage the TLS secrets stored in Azure Key Vault alongside SSL certificates from PAM360. PAM360 also lets you create new TLS secrets and deploy them to the desired Key Vault.
Note: Only the TLS secrets of a Key Vault (secrets that hold a certificate, as opposed to arbitrary secrets such as passwords) are managed under Azure Secrets in PAM360.
4.1 Discovering TLS Secrets from Azure Key Vault
To discover the TLS secrets stored in Azure Key Vault and bring them under management in PAM360, follow the steps below.
- Navigate to Certificates >> Discovery >> Azure or Certificates >> Azure >> Azure Secrets >> Discovery.
- Choose the appropriate Credential Name, Key Vault and Discovery Type to initiate the discovery process for the desired TLS secrets. To add a new Azure credential for importing TLS secrets, use the Add Azure credential button beside the Credential Name field.
- If you wish to store the certificates discovered through secrets in PAM360's SSL repository, enable the checkbox labeled 'Add discovered certificate type secrets to Certificates'. A TLS secret is the certificate bundle (PFX or PEM) and normally includes the private key, so enable this only if PAM360 should hold that key material as well.
- Finally, click Import to discover the TLS secrets from Azure Key Vault into PAM360.
4.2 Managing Azure TLS Secrets from PAM360
To effectively manage Azure TLS secrets using PAM360, follow these steps:
- Navigate to Certificates >> Azure >> Azure Secrets in PAM360. Here you will find all the discovered and newly created TLS secrets from Azure Key Vault.
- To create a new Azure TLS secret from PAM360, click Create Secret in the top pane. Provide the required information in the pop-up window, such as Credential Name, Key Vault, and Secret Name, and upload the SSL certificate in .pfx format. Fill in the remaining fields, select the Secret Status, and click Create Secret.
- To update an Azure TLS secret, select the respective secret and click Update Secret in the top pane. In the pop-up window, modify the Activation/Expiration Date and Secret Status as needed, and click Save.
- In some cases, a new version of an Azure TLS secret is created in the Microsoft Azure portal and not synchronized with PAM360. To bring it back into sync, follow these steps:
- Select the relevant Azure TLS secret, click Rediscover in the top pane, and allow the rediscovery process to complete. This will update the TLS secret to the latest version.
- To obtain the new version of a secret's certificate, click on the Obtain Certificate icon next to the Secret Status. Choose the appropriate credential associated with the secret's key vault and click Obtain Certificate. The new version of the secret's certificate will be updated in PAM360, and you can verify or export it by clicking on the View Associated Certificate icon.
- If needed, you can delete Azure TLS secrets from PAM360 using the Delete button in the top pane. Select the desired Azure TLS secrets for deletion and click Delete to proceed.
Note: Deleting an Azure TLS secret from PAM360 does not remove it from Azure Key Vault. To delete the TLS secret permanently, you must do so from the Azure portal.
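What makes a Key Vault secret a "TLS secret" in sections 4.1 and 4.2 is its content type: Key Vault marks the secret it creates beside every certificate as `application/x-pkcs12` (or `application/x-pem-file`), with the PFX stored base64-encoded in the secret value, and the Create Secret form's .pfx upload, Activation/Expiration dates and Secret Status map onto the same `PUT {vault}/secrets/{name}` body. The following is an added example, not PAM360 or Microsoft code, that filters a secret listing down to the TLS secrets the Azure Secrets view would pick up, builds the set-secret body from a PFX, and performs the inverse decode that "Obtain Certificate" has to do. The secret listing, vault name and the placeholder bytes standing in for a real PKCS#12 file are constructed for this example.

```python
"""Tell TLS secrets apart from other Key Vault secrets, and build the body
for creating one from a .pfx. Added example, not PAM360 or Microsoft code;
the content types are those Key Vault sets on certificate-backed secrets."""
import base64
from datetime import datetime, timezone

TLS_CONTENT_TYPES = {"application/x-pkcs12", "application/x-pem-file"}

# Constructed sample of the "value" array from GET {vault}/secrets, trimmed
# to the fields used here. The vault name is a placeholder.
SAMPLE_SECRET_LIST = [
    {"id": "https://pam360-vault.vault.azure.net/secrets/web-cert",
     "contentType": "application/x-pkcs12", "managed": True,
     "attributes": {"enabled": True}},
    {"id": "https://pam360-vault.vault.azure.net/secrets/legacy-cert",
     "contentType": "application/x-pem-file",
     "attributes": {"enabled": False}},
    {"id": "https://pam360-vault.vault.azure.net/secrets/db-password",
     "attributes": {"enabled": True}},
]

# Placeholder bytes standing in for a real PKCS#12 file (constructed).
SAMPLE_PFX = b"PKCS12-PLACEHOLDER"


def is_tls_secret(item: dict) -> bool:
    """A secret is a TLS secret when its content type marks it as a certificate bundle."""
    return (item.get("contentType") or "").lower() in TLS_CONTENT_TYPES


def tls_secret_names(items) -> list:
    """Names of the secrets an Azure Secrets discovery would pick up."""
    return [it["id"].rsplit("/", 1)[-1] for it in items if is_tls_secret(it)]


def _utc(ts: str) -> int:
    """'YYYY-MM-DDTHH:MM:SSZ' to a Unix timestamp (Key Vault's nbf/exp form)."""
    return int(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
               .replace(tzinfo=timezone.utc).timestamp())


def build_set_secret_body(pfx_bytes: bytes, activates: str, expires: str,
                          enabled: bool = True) -> dict:
    """JSON body for PUT {vault}/secrets/{name} that creates a TLS secret.

    Key Vault stores the PFX base64-encoded; nbf/exp are the form's
    Activation and Expiration dates, enabled is the Secret Status.
    """
    if not pfx_bytes:
        raise ValueError("empty PFX")
    nbf, exp = _utc(activates), _utc(expires)
    if exp <= nbf:
        raise ValueError("expiration must be after activation")
    return {
        "value": base64.b64encode(pfx_bytes).decode("ascii"),
        "contentType": "application/x-pkcs12",
        "attributes": {"enabled": enabled, "nbf": nbf, "exp": exp},
    }


def secret_value_to_pfx(secret: dict) -> bytes:
    """Inverse of the above: recover the PFX from a fetched TLS secret."""
    if not is_tls_secret(secret):
        raise ValueError("not a TLS secret")
    return base64.b64decode(secret["value"], validate=True)


if __name__ == "__main__":
    print(tls_secret_names(SAMPLE_SECRET_LIST))
    body = build_set_secret_body(SAMPLE_PFX, "2025-01-01T00:00:00Z", "2026-01-01T00:00:00Z")
    print(body["contentType"], body["attributes"])
    assert secret_value_to_pfx(body) == SAMPLE_PFX
```

The `managed` flag on the first sample entry is what Key Vault sets on the secret it maintains for a certificate it issued; such secrets cannot be updated directly and are versioned by the certificate, which is why the Rediscover step above is needed after a renewal in the portal. The decoded value is the PFX with its private key, so anything that calls `secret_value_to_pfx` is handling key material.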