Create a Microsoft Azure Private Key Vault machine

Creating a new machine is the first step in enabling Certificate Manager - SaaS to connect directly to application keystores for certificate management. After creating machines, you can begin provisioning certificates to them.

Before you begin

You will need the following information to complete this procedure:

  • Tenant ID
  • Credentials: Choose between user credentials or shared credentials.
    • User credentials: The account you use must have administrative permissions.
    • Shared credentials: Optionally, you can use shared credentials from your credential provider (CyberArk is the only credential provider currently supported by Certificate Manager - SaaS). To use this option, first set up the connection to CyberArk.
  • Client ID
  • Client secret
  • Key Vault name
  • At least one active VSatellite to provision certificates to Azure
  • CyberArk permissions for Azure: You must specify these permissions when defining the role's permission policy.

    Tip

    If your organization uses Azure custom RBAC roles instead of built-in roles, you must add the required Key Vault permissions to that custom role before creating a Private Key Vault machine.

    For detailed instructions, including the full JSON example for the required Key Vault permissions, see Configure Azure Key Vault connection.

    That topic includes the complete JSON block used to define the custom role:

    "permissions": [
        {
            "actions": [
                "Microsoft.KeyVault/vaults/read",
                "Microsoft.KeyVault/vaults/secrets/read"
            ],
            "notActions": [],
            "dataActions": [
                "Microsoft.KeyVault/vaults/certificates/read",
                "Microsoft.KeyVault/vaults/certificates/update/action",
                "Microsoft.KeyVault/vaults/certificates/create/action",
                "Microsoft.KeyVault/vaults/certificates/import/action"
            ],
            "notDataActions": []
        }
    ]
    
    Use this JSON when defining the custom role’s permission policy so Certificate Manager - SaaS can manage certificates in your Key Vault.

  1. Enter the Tenant ID.

  2. Enter the Client ID.

  3. Enter the Client Secret.

    Info

    • Azure Application (client) ID – The Active Directory Application ID. This is the unique identifier for an application created in Active Directory. You can have many applications in an Active Directory, each with different access levels.
    • Azure (tenant) ID – The unique identifier of the Azure Active Directory instance. One subscription can have multiple tenants. The Tenant ID is used to register and manage your apps.
    • Azure Client secret – A credential used to authenticate and authorize a client application when it interacts with Azure services.

  4. Enter the Key Vault Name.

    Note

    Certificate Manager - SaaS uses the name you enter to automatically build the global Key Vault URL.
    This means the integration does not require listing subscriptions or discovering Key Vaults in Azure.

  5. Click Test Access, then click Continue.
    Continue is available only after a successful test.
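The following Python script is an added example; it is not part of this documentation and not code from Certificate Manager - SaaS. It serves two passages above: it checks a custom role definition (in the shape of the JSON block in the Tip) for the required Key Vault permissions, reporting anything missing, anything excluded through notActions/notDataActions, and any wildcard grants that exceed least privilege; and it builds the global Key Vault URL from the vault name, as step 4 describes. The `https://<name>.vault.azure.net/` format and the vault-name validation rules are assumptions drawn from Azure public-cloud conventions, not from this page.

```python
"""Added example, not part of the Certificate Manager - SaaS documentation.

Checks an Azure custom role definition for the Key Vault permissions listed
on this page, reports over-broad wildcard grants, and builds the global
Key Vault URL from a vault name."""
import json
import re

# Permissions copied from the page's custom-role JSON.
REQUIRED_ACTIONS = {
    "Microsoft.KeyVault/vaults/read",
    "Microsoft.KeyVault/vaults/secrets/read",
}
REQUIRED_DATA_ACTIONS = {
    "Microsoft.KeyVault/vaults/certificates/read",
    "Microsoft.KeyVault/vaults/certificates/update/action",
    "Microsoft.KeyVault/vaults/certificates/create/action",
    "Microsoft.KeyVault/vaults/certificates/import/action",
}

# The page's custom-role JSON as a dict, embedded so the script runs offline.
PAGE_ROLE = {
    "permissions": [
        {
            "actions": sorted(REQUIRED_ACTIONS),
            "notActions": [],
            "dataActions": sorted(REQUIRED_DATA_ACTIONS),
            "notDataActions": [],
        }
    ]
}


def _covered(patterns, wanted):
    """Subset of `wanted` matched by `patterns`. A '*' in an Azure action
    string matches any characters, and matching is case-insensitive."""
    hits = set()
    for pat in patterns:
        rx = "^" + re.escape(pat).replace(r"\*", ".*") + "$"
        hits |= {w for w in wanted if re.match(rx, w, re.IGNORECASE)}
    return hits


def check_role_definition(role):
    """`role` is the parsed JSON of a custom role (a dict with a 'permissions'
    list, as on this page). Returns which required permissions are not
    effectively granted and which grants use wildcards."""
    missing_actions = set(REQUIRED_ACTIONS)
    missing_data = set(REQUIRED_DATA_ACTIONS)
    wildcards = []
    for perm in role.get("permissions", []):
        allow_a = perm.get("actions", [])
        allow_d = perm.get("dataActions", [])
        # Effective grant of one entry = allowed minus explicitly excluded.
        missing_actions -= (_covered(allow_a, REQUIRED_ACTIONS)
                            - _covered(perm.get("notActions", []), REQUIRED_ACTIONS))
        missing_data -= (_covered(allow_d, REQUIRED_DATA_ACTIONS)
                         - _covered(perm.get("notDataActions", []), REQUIRED_DATA_ACTIONS))
        # Wildcards grant more than the integration needs; flag them for review.
        wildcards += [a for a in allow_a + allow_d if "*" in a]
    return {
        "missing_actions": sorted(missing_actions),
        "missing_data_actions": sorted(missing_data),
        "wildcard_grants": sorted(wildcards),
    }


# Assumed Azure Key Vault naming rules: 3-24 characters, alphanumerics and
# hyphens, starts with a letter, ends with a letter or digit, no "--".
_VAULT_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]{1,22}[A-Za-z0-9]$")


def key_vault_url(name):
    """Build the global Key Vault URL from the vault name, as the page says
    Certificate Manager - SaaS does. Assumption: Azure public cloud, whose
    vault DNS suffix is vault.azure.net."""
    if not _VAULT_NAME.match(name) or "--" in name:
        raise ValueError(f"invalid Key Vault name: {name!r}")
    return f"https://{name}.vault.azure.net/"


if __name__ == "__main__":
    print(json.dumps(check_role_definition(PAGE_ROLE), indent=2))
    print(key_vault_url("contoso-kv"))  # constructed sample name
```

Run the script against the JSON you plan to assign: an empty `missing_actions` and `missing_data_actions` means the role covers what the integration needs, and a non-empty `wildcard_grants` is the list to narrow before the machine is created.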

What's next?

Refer back to Create a new machine to finish setting up your new machine by configuring discovery and provisioning schedules.

For existing machines: