Azure Key Vault can be used to create or import an SSL certificate for our website. In this article, we discuss how to transfer the certificate to our VM and use it to secure our website.
What is Azure Key Vault?
Azure Key Vault is a cloud service for securely storing and accessing secrets. We can store API keys, passwords, certificates, or cryptographic keys. Access to these resources is also configurable: we can set up a firewall specific to our Key Vault or set up a private endpoint.
The sections below may depend on our use-case so feel free to skip to the sections relevant to you.
Create an Azure Key Vault
For those who don't have a Key Vault, you can create one in your resource group using the command below.
keyvault_name=<mykeyvault>
az keyvault create \
--resource-group myResourceGroupSecureWeb \
--name $keyvault_name \
--enabled-for-deployment
Generating a certificate in Key Vault
In this section, we generate a self-signed certificate. In production, import your own certificate signed by a trusted certificate authority instead.
cert_name=<mycert>
az keyvault certificate create \
--vault-name $keyvault_name \
--name $cert_name \
--policy "$(az keyvault certificate get-default-policy)"
Storing a certificate in Key Vault
If you have your own certificate, you can import it using the command below.
az keyvault certificate import \
--vault-name "<your-key-vault-name>" \
-n "ExampleCertificate" \
-f "/path/to/ExampleCertificate.pem"
Transferring the certificate from Key Vault to the VM
Once you have created or imported a certificate in Azure Key Vault, run the commands below to import the certificate and private key into our VM. Replace the variables with the appropriate details for your environment.
First, we obtain the certificate ID by running az keyvault secret list-versions.
secret=$(az keyvault secret list-versions \
--vault-name $keyvault_name \
--name $cert_name \
--query "[?attributes.enabled].id" --output tsv)
Next, we need to convert the ID into something our VM can use.
vm_secret=$(az vm secret format --secrets "$secret")
Finally, we update our VM's OSProfile secret value.
vm_name=<myvm>
rg_name=myResourceGroupSecureWeb
az vm update -n $vm_name -g $rg_name --set osProfile.secrets="$vm_secret"
OSProfile specifies the operating system settings for the virtual machine; see the Azure documentation on OSProfile for more details.
With this, we have now transferred the certificate to our VM.
Using the certificate
SSH into our VM and follow the steps below to use the SSL certificate for our site.
After running the commands above, the certificate and private key are stored in /var/lib/waagent. The file names are the certificate's thumbprint as shown in Azure Key Vault. Copy the .crt and .prv files to names that are easier to read. For instance, you can run something similar to the following commands:
sudo cat /var/lib/waagent/<key_thumbprint_here>.crt > mysite.crt
sudo cat /var/lib/waagent/<key_thumbprint_here>.prv > mysite.prv
Move these to /etc/nginx/certs/ (create the directory first if it doesn't exist):
sudo mkdir -p /etc/nginx/certs/
sudo mv mysite.crt /etc/nginx/certs/
sudo mv mysite.prv /etc/nginx/certs/
Update the Nginx config file:
server {
...
listen 80;
server_name mysite.com 12.345.67.8;
listen 443 default_server ssl;
ssl_certificate /etc/nginx/certs/mysite.crt;
ssl_certificate_key /etc/nginx/certs/mysite.prv;
...
}
Restart Nginx:
sudo systemctl restart nginx
Visit your site and check that the lock icon appears beside the URL.
osProfile Issue
A VM created from an OS disk snapshot doesn't have an osProfile. This is a problem for the previous process, which needs to update the osProfile secrets.
Below is an alternative way of importing your SSL cert to your VM.
Prepare your cert and key
The --encoding base64 flag ensures that the downloaded .pfx file is written in binary format. Download the certificate from Azure Key Vault and split it into a private key and a certificate:
# download your cert from Azure Key Vault and copy the files to your VM
# if you already have your cert.pfx on your local machine, skip the download step
az keyvault secret download --file <certname>.pfx --vault-name <keyvaultname> --name <certname> --encoding base64
openssl pkcs12 -in <certname>.pfx -nocerts -out <certname>.key -nodes -passin pass:
openssl pkcs12 -in <certname>.pfx -clcerts -nokeys -out <certname>.crt -passin pass:
Once you have your cert and key ready, copy them to the VM using the scp command:
scp <certname>.crt <certname>.key <vmuser>@<vmip>:~
# if you specified a port
scp -P 1234 <certname>.crt <certname>.key <vmuser>@<vmip>:~
This saves the files in the home directory on the VM:
cd ~
cd ~
Create a new Nginx certs folder:
sudo mkdir -p /etc/nginx/certs/
Move the files into the Nginx certs folder:
sudo mv <certname>.crt /etc/nginx/certs/
sudo mv <certname>.key /etc/nginx/certs/
Update the Nginx config file so that ssl_certificate and ssl_certificate_key point to the files above:
sudo vim /etc/nginx/sites-available/ctfd
Restart Nginx:
sudo systemctl restart nginx
Visit your site at https://<sitedomain>.com/
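Whichever of the two transfer methods above you use, the certificate and key end up as plain files on the VM, and Nginx will refuse to start if the pair doesn't match or the key file is unreadable. The script below is an added example, not code from the original article: it checks that the certificate's public key is derived from the private key, that the certificate is not about to expire, and installs the pair with an owner-only private key. It assumes the OpenSSL command-line tool is installed on the VM; the function names are my own, and the sample key pair it generates is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original article. Checks a certificate/key
# pair before installing it for Nginx. Assumes the OpenSSL CLI is available.
# File names and the destination directory are passed as arguments.
set -eu

# Succeed only if the public key inside CERT ($1) is the one derived from KEY ($2).
# Both sides are reduced to a SHA-256 digest of the DER-encoded public key.
cert_matches_key() {
  cert_fp=$(openssl x509 -in "$1" -noout -pubkey \
            | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_fp=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ "$cert_fp" = "$key_fp" ]
}

# Succeed only if CERT ($1) remains valid for at least DAYS ($2) more days.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Copy CERT and KEY into DEST as NAME.crt / NAME.key. Refuses mismatched pairs
# and certificates that expire within 14 days; the key is readable only by its owner.
install_cert() {
  cert="$1"; key="$2"; dest="$3"; name="$4"
  cert_matches_key "$cert" "$key" || { echo "certificate does not match key" >&2; return 1; }
  cert_valid_for_days "$cert" 14 || { echo "certificate expires within 14 days" >&2; return 1; }
  mkdir -p "$dest"
  cp "$cert" "$dest/$name.crt"
  cp "$key" "$dest/$name.key"
  chmod 644 "$dest/$name.crt"
  chmod 600 "$dest/$name.key"
}

# Constructed sample (not a real site certificate): a throwaway self-signed
# RSA pair named $2.crt / $2.key in directory $1, valid for 30 days.
make_sample_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=example.test" -days 30 \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# Stand-alone demo: "sh thisfile.sh demo" installs a sample pair into a temp dir.
if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d)
  make_sample_pair "$work" mysite
  install_cert "$work/mysite.crt" "$work/mysite.key" "$work/certs" mysite
  ls -l "$work/certs"
  rm -rf "$work"
fi
```

On a real VM you would call install_cert with the waagent thumbprint files (or the scp'd <certname>.crt and <certname>.key) and /etc/nginx/certs as the destination, running it with sudo since that directory is root-owned, and follow it with `sudo nginx -t` before restarting the service so a bad configuration never takes the site down.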
Final Thoughts
Using Azure Key Vault is quite easy, but it can be overwhelming because Microsoft has a lot of documentation for its cloud services. This article gives an easy-to-follow path for a simple task such as making your site more secure with an SSL certificate.