The Microsoft Azure Key Vault service can renew your SSL certificates automatically in order to prevent any application or service outage, credential leak, or process violation that can disrupt your business. As long as your information with the public Certificate Authority (CA) is up-to-date, the Auto-Renewal feature does not require any action from you. The Key Vault service retrieves the new certificate before your old one expires, and the Azure App Service picks up the renewed certificate automatically and performs the SSL re-binding.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
When SSL certificates are not renewed prior to their expiration date, they become invalid, and the communication between the client and the Azure service or application that implements the certificates is no longer secure and may be interrupted. Configuring the Key Vault service to send an email notification shortly before your SSL certificates expire does not guarantee that someone acts on it in time; therefore, to reduce the chances of an outage and to prevent insecure communication between the application and its clients, Cloud Conformity strongly recommends enabling the Auto-Renewal feature. Once Auto-Renewal is enabled, when your certificate is about to expire, Azure Key Vault attempts to renew the certificate using the public CA that you provided.
Note: Having an up-to-date public Certificate Authority (CA) is vital for the Auto-Renewal feature. This conformity rule assumes that your public CA is valid and active within your Azure Key Vault service settings.
Audit
To determine if Auto-Renewal is enabled for your Azure Key Vault SSL certificates, perform the following actions:
Remediation / Resolution
To enable and configure the Auto-Renewal feature for all your Azure Key Vault SSL certificates, perform the following actions:
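The following script is an added example that is not part of the Conformity rule page or of the Azure CLI itself. It implements both the Audit check (does a certificate's policy carry an AutoRenew lifetime action?) and the Remediation step (build a policy with an AutoRenew action that can be handed to `az keyvault certificate set-attributes`). It assumes the JSON shape printed by `az keyvault certificate show` (camelCase keys: `policy.lifetimeActions[].action.actionType`, `trigger.daysBeforeExpiry` / `trigger.lifetimePercentage`, `policy.issuerParameters.name`) and that `set-attributes` accepts a `--policy @file.json` argument; confirm both against your CLI version. The sample certificate bundles are constructed for the example.

```python
"""Audit and remediation helper for Azure Key Vault certificate Auto-Renewal.

Added example, not code from the Conformity page or from Azure. Assumed inputs are the
JSON documents printed by:
    az keyvault list --query "[].name" -o tsv
    az keyvault certificate list --vault-name <vault> --query "[].name" -o tsv
    az keyvault certificate show --vault-name <vault> --name <cert>
and the output policy is meant for (assumed flag):
    az keyvault certificate set-attributes --vault-name <vault> --name <cert> --policy @policy.json
"""
import copy
import json

# Constructed sample: trimmed `az keyvault certificate show` output for three certificates.
SAMPLE_CERTS = {
    "web-tls": {  # email notification only -> non-compliant
        "policy": {
            "issuerParameters": {"name": "DigiCert"},
            "lifetimeActions": [
                {"action": {"actionType": "EmailContacts"},
                 "trigger": {"daysBeforeExpiry": 14, "lifetimePercentage": None}}
            ],
        }
    },
    "api-tls": {  # AutoRenew 30 days before expiry -> compliant
        "policy": {
            "issuerParameters": {"name": "DigiCert"},
            "lifetimeActions": [
                {"action": {"actionType": "AutoRenew"},
                 "trigger": {"daysBeforeExpiry": 30, "lifetimePercentage": None}}
            ],
        }
    },
    "legacy-import": {  # imported from an unknown CA -> Key Vault cannot renew it
        "policy": {"issuerParameters": {"name": "Unknown"}, "lifetimeActions": []}
    },
}


def auto_renew_enabled(cert_bundle):
    """True if the certificate policy contains an AutoRenew lifetime action."""
    actions = (cert_bundle.get("policy") or {}).get("lifetimeActions") or []
    return any((a.get("action") or {}).get("actionType") == "AutoRenew" for a in actions)


def can_auto_renew(cert_bundle):
    """Key Vault only renews certificates it requested itself (integrated CA or self-signed).
    A certificate imported with issuer 'Unknown' can only trigger email notifications."""
    issuer = ((cert_bundle.get("policy") or {}).get("issuerParameters") or {}).get("name")
    return issuer not in (None, "Unknown")


def audit(certs):
    """Map certificate name -> 'compliant', 'non-compliant' or 'manual' (cannot auto-renew)."""
    results = {}
    for name, bundle in certs.items():
        if auto_renew_enabled(bundle):
            results[name] = "compliant"
        elif can_auto_renew(bundle):
            results[name] = "non-compliant"
        else:
            results[name] = "manual"
    return results


def build_autorenew_policy(cert_bundle, days_before_expiry=30):
    """Return a deep copy of the policy whose lifetime actions are replaced by a single
    AutoRenew action triggered N days before expiry. The input bundle is left untouched."""
    if not can_auto_renew(cert_bundle):
        raise ValueError("certificate was not issued through Key Vault; re-issue it via an integrated CA")
    policy = copy.deepcopy(cert_bundle["policy"])
    policy["lifetimeActions"] = [
        {"action": {"actionType": "AutoRenew"},
         # daysBeforeExpiry and lifetimePercentage are mutually exclusive triggers
         "trigger": {"daysBeforeExpiry": days_before_expiry, "lifetimePercentage": None}}
    ]
    return policy


if __name__ == "__main__":
    findings = audit(SAMPLE_CERTS)
    for name, status in findings.items():
        print(f"{name}: {status}")
        if status == "non-compliant":
            # Write this JSON to policy.json and pass it with --policy @policy.json
            print(json.dumps(build_autorenew_policy(SAMPLE_CERTS[name]), indent=2))
```

Run it against real data by replacing `SAMPLE_CERTS` with the parsed output of `az keyvault certificate show` for each certificate in each vault; certificates classified as `manual` need to be re-issued through a Key Vault integrated CA before Auto-Renewal can apply to them.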
References
- Azure Official Documentation
  - About keys, secrets, and certificates
  - Get started with Key Vault certificates
  - Manage certificates via Azure Key Vault
- Azure Command Line Interface (CLI) Documentation
  - az keyvault list
  - az keyvault certificate list
  - az keyvault certificate show
  - az keyvault certificate set-attributes