Azure Key Vault
Cloud: Microsoft Azure
HSM level: FIPS 140-2 Level 2 (Standard) / Level 3 (Managed HSM)
PQ support: Not yet available (as of 2024)
Integration of Azure Key Vault for certificate and key management.
Architecture

```mermaid
flowchart TB
    subgraph AZURE["AZURE"]
        subgraph KV["Key Vault"]
            K[Keys]
            S[Secrets]
            C[Certificates]
        end
        subgraph HSM["Managed HSM"]
            H[HSM Keys]
        end
        subgraph APPS["Applications"]
            A1[App Service]
            A2[AKS]
            A3[Functions]
        end
    end
    subgraph ONPREM["ON-PREM"]
        CA[Internal CA]
    end
    CA -->|Import| C
    K --> A1 & A2 & A3
    C --> A1 & A2 & A3
    H -->|Premium| K
    style KV fill:#e3f2fd
    style HSM fill:#e8f5e9
```
Setup
Creating the Key Vault

```bash
# Azure CLI
az login

# Resource Group
az group create --name rg-pki --location germanywestcentral

# Key Vault (Standard)
az keyvault create \
  --name kv-pki-prod \
  --resource-group rg-pki \
  --location germanywestcentral \
  --sku standard

# Key Vault (Premium with HSM-backed keys)
az keyvault create \
  --name kv-pki-prod-hsm \
  --resource-group rg-pki \
  --location germanywestcentral \
  --sku premium
```
Managed HSM (FIPS 140-2 Level 3)

```bash
# Create the Managed HSM
az keyvault create \
  --hsm-name hsm-pki-prod \
  --resource-group rg-pki \
  --location germanywestcentral \
  --administrators "user@example.com"

# Activate the HSM (requires 3 RSA keys; the security domain is encrypted to them, quorum 2 to restore)
az keyvault security-domain download \
  --hsm-name hsm-pki-prod \
  --sd-wrapping-keys key1.pem key2.pem key3.pem \
  --sd-quorum 2 \
  --security-domain-file sd.json
```
Certificate management
Importing a certificate

```bash
# Import a PFX certificate
az keyvault certificate import \
  --vault-name kv-pki-prod \
  --name server-cert \
  --file server.pfx \
  --password "pfx-password"
```

```csharp
// C# - certificate import
using System;
using System.IO;
using Azure.Identity;
using Azure.Security.KeyVault.Certificates;

var client = new CertificateClient(
    new Uri("https://kv-pki-prod.vault.azure.net/"),
    new DefaultAzureCredential());

// Import the PFX
byte[] pfxData = File.ReadAllBytes("server.pfx");
var importOptions = new ImportCertificateOptions("server-cert", pfxData)
{
    Password = "pfx-password"
};

KeyVaultCertificateWithPolicy cert = await client.ImportCertificateAsync(importOptions);

// X509Thumbprint is a byte[]; render it as hex instead of "System.Byte[]"
Console.WriteLine($"Imported: {cert.Name}, Thumbprint: {Convert.ToHexString(cert.Properties.X509Thumbprint)}");
```
Retrieving a certificate

```csharp
// C# - loading a certificate from Key Vault
using System;
using System.Security.Cryptography.X509Certificates;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

var secretClient = new SecretClient(
    new Uri("https://kv-pki-prod.vault.azure.net/"),
    new DefaultAzureCredential());

// Fetch the certificate as a Secret (the secret holds the PKCS#12 bundle, private key included)
KeyVaultSecret secret = await secretClient.GetSecretAsync("server-cert");
byte[] certBytes = Convert.FromBase64String(secret.Value);
var certificate = new X509Certificate2(certBytes);

Console.WriteLine($"Subject: {certificate.Subject}");
Console.WriteLine($"Has Private Key: {certificate.HasPrivateKey}");
```
Creating a certificate with the Key Vault CA

```bash
# Define the certificate policy
az keyvault certificate create \
  --vault-name kv-pki-prod \
  --name app-cert \
  --policy @cert-policy.json
```

cert-policy.json:

```json
{
  "issuerParameters": {
    "name": "Self"
  },
  "keyProperties": {
    "exportable": true,
    "keySize": 4096,
    "keyType": "RSA",
    "reuseKey": false
  },
  "secretProperties": {
    "contentType": "application/x-pkcs12"
  },
  "x509CertificateProperties": {
    "subject": "CN=app.example.com",
    "subjectAlternativeNames": {
      "dnsNames": ["app.example.com", "*.app.example.com"]
    },
    "validityInMonths": 12
  }
}
```
Signing keys
Creating a signing key

```bash
# EC key for signatures
az keyvault key create \
  --vault-name kv-pki-prod \
  --name signing-key \
  --kty EC \
  --curve P-384

# RSA key
az keyvault key create \
  --vault-name kv-pki-prod \
  --name rsa-signing-key \
  --kty RSA \
  --size 4096
```
Remote signing

```csharp
// C# - signing with an Azure Key Vault key
using System;
using System.Security.Cryptography;
using System.Text;
using Azure.Identity;
using Azure.Security.KeyVault.Keys;
using Azure.Security.KeyVault.Keys.Cryptography;

var keyClient = new KeyClient(
    new Uri("https://kv-pki-prod.vault.azure.net/"),
    new DefaultAzureCredential());

KeyVaultKey key = await keyClient.GetKeyAsync("signing-key");
var cryptoClient = new CryptographyClient(key.Id, new DefaultAzureCredential());

// Sign the data: hash locally and send only the digest; the private key never leaves the vault.
// ES384 has to be paired with a SHA-384 digest.
byte[] dataToSign = Encoding.UTF8.GetBytes("Important document");
byte[] digest = SHA384.HashData(dataToSign);

SignResult signature = await cryptoClient.SignAsync(
    SignatureAlgorithm.ES384, digest);
Console.WriteLine($"Signature: {Convert.ToBase64String(signature.Signature)}");

// Verify the signature
VerifyResult verified = await cryptoClient.VerifyAsync(
    SignatureAlgorithm.ES384, digest, signature.Signature);
Console.WriteLine($"Verified: {verified.IsValid}");
```
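The sign/verify contract above is worth seeing end to end. The following Go program is an added example written for this page; it is not the page's code and not the Azure SDK. A `fakeVaultKey` (an assumption: an in-process stand-in that holds the private key the real service would never release) models the vault: it refuses an algorithm that does not match the key's curve or a digest of the wrong length (ES384 pairs with SHA-384, 48 bytes), and it returns the signature as r||s, the encoding Key Vault uses for EC keys. The verifier needs only the public key, so a relying party can check a signature without ever talking to the vault.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"fmt"
	"math/big"
)

// RemoteSigner is the narrow interface a client sees: it sends a digest,
// it gets back a signature, and it can read the public key.
type RemoteSigner interface {
	Sign(alg string, digest []byte) ([]byte, error)
	PublicKey() *ecdsa.PublicKey
}

// algs pairs each JOSE algorithm name with the curve size it requires and
// the digest length it expects (ES384 -> P-384, SHA-384).
var algs = map[string]struct{ curveBits, digestLen int }{
	"ES256": {256, 32},
	"ES384": {384, 48},
	"ES512": {521, 66},
}

// fakeVaultKey is the constructed stand-in for the vault-held key.
type fakeVaultKey struct{ priv *ecdsa.PrivateKey }

func NewFakeVaultKey() (*fakeVaultKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &fakeVaultKey{priv: priv}, nil
}

func (k *fakeVaultKey) PublicKey() *ecdsa.PublicKey { return &k.priv.PublicKey }

// Sign validates the algorithm/key/digest pairing before signing and
// returns r||s, each half zero-padded to the curve's byte length.
func (k *fakeVaultKey) Sign(alg string, digest []byte) ([]byte, error) {
	spec, ok := algs[alg]
	if !ok || k.priv.Curve.Params().BitSize != spec.curveBits {
		return nil, fmt.Errorf("algorithm %s does not match the key's curve", alg)
	}
	if len(digest) != spec.digestLen {
		return nil, fmt.Errorf("digest length %d does not match %s", len(digest), alg)
	}
	r, s, err := ecdsa.Sign(rand.Reader, k.priv, digest)
	if err != nil {
		return nil, err
	}
	n := (spec.curveBits + 7) / 8
	sig := make([]byte, 2*n)
	r.FillBytes(sig[:n])
	s.FillBytes(sig[n:])
	return sig, nil
}

// SignDocument is the client side: hash locally, ship only the digest.
func SignDocument(signer RemoteSigner, doc []byte) ([]byte, error) {
	digest := sha512.Sum384(doc)
	return signer.Sign("ES384", digest[:])
}

// VerifyDocument splits r||s and checks it with nothing but the public key.
func VerifyDocument(pub *ecdsa.PublicKey, doc, sig []byte) bool {
	n := (pub.Curve.Params().BitSize + 7) / 8
	if len(sig) != 2*n {
		return false
	}
	r := new(big.Int).SetBytes(sig[:n])
	s := new(big.Int).SetBytes(sig[n:])
	digest := sha512.Sum384(doc)
	return ecdsa.Verify(pub, digest[:], r, s)
}

func main() {
	key, err := NewFakeVaultKey()
	if err != nil {
		panic(err)
	}
	doc := []byte("Important document")
	sig, err := SignDocument(key, doc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("signature (%d bytes r||s) valid: %v\n", len(sig), VerifyDocument(key.PublicKey(), doc, sig))
	fmt.Println("tampered document valid:", VerifyDocument(key.PublicKey(), []byte("tampered"), sig))
}
```

The split between `SignDocument` and `VerifyDocument` is the point: only the signing side needs a credential with the `sign` key permission, while verification can be done offline by anyone holding the public key, which keeps the vault out of the hot path and limits who needs access to it at all.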
App Service / AKS integration
App Service

```bash
# Key Vault reference in App Settings
az webapp config appsettings set \
  --name myapp \
  --resource-group rg-app \
  --settings "Certificate=@Microsoft.KeyVault(VaultName=kv-pki-prod;SecretName=server-cert)"

# Enable Managed Identity
az webapp identity assign \
  --name myapp \
  --resource-group rg-app

# Key Vault Access Policy
az keyvault set-policy \
  --name kv-pki-prod \
  --object-id <managed-identity-object-id> \
  --secret-permissions get list \
  --certificate-permissions get list
```
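A Key Vault reference is resolved by the App Service platform, so a typo in it does not fail at deployment time but shows up later as an unresolved setting. The following Go function is an added example, not part of this page or of any Azure tooling: it parses the two reference forms the platform accepts (`VaultName`/`SecretName`/optional `SecretVersion`, or a full `SecretUri`) and returns the secret URI that would be fetched, rejecting anything that is not an HTTPS URL under the public-cloud `vault.azure.net` suffix (that suffix is an assumption for this example; sovereign clouds use a different one).

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// ParseKeyVaultReference accepts both documented App Service forms:
//   @Microsoft.KeyVault(SecretUri=https://<vault>.vault.azure.net/secrets/<name>[/<version>])
//   @Microsoft.KeyVault(VaultName=<vault>;SecretName=<name>[;SecretVersion=<version>])
// and returns the secret URI the platform would resolve, or an error
// describing why the setting cannot be resolved.
func ParseKeyVaultReference(setting string) (string, error) {
	const prefix = "@Microsoft.KeyVault("
	if !strings.HasPrefix(setting, prefix) || !strings.HasSuffix(setting, ")") {
		return "", fmt.Errorf("not a Key Vault reference: %q", setting)
	}
	body := strings.TrimSuffix(strings.TrimPrefix(setting, prefix), ")")

	// Parameters are ';'-separated key=value pairs.
	params := map[string]string{}
	for _, part := range strings.Split(body, ";") {
		k, v, ok := strings.Cut(part, "=")
		if !ok || k == "" || v == "" {
			return "", fmt.Errorf("malformed parameter %q", part)
		}
		params[k] = v
	}

	// Form 1: an explicit secret URI. Only HTTPS to a vault host is acceptable.
	if uri, ok := params["SecretUri"]; ok {
		u, err := url.Parse(uri)
		if err != nil || u.Scheme != "https" || !strings.HasSuffix(u.Host, ".vault.azure.net") {
			return "", fmt.Errorf("SecretUri must be an https URL under vault.azure.net: %q", uri)
		}
		return uri, nil
	}

	// Form 2: vault + secret name, with an optional pinned version.
	vault, name := params["VaultName"], params["SecretName"]
	if vault == "" || name == "" {
		return "", fmt.Errorf("reference needs SecretUri or VaultName and SecretName")
	}
	uri := fmt.Sprintf("https://%s.vault.azure.net/secrets/%s", vault, name)
	if ver := params["SecretVersion"]; ver != "" {
		uri += "/" + ver
	}
	return uri, nil
}

func main() {
	// Constructed inputs for the example.
	for _, s := range []string{
		"@Microsoft.KeyVault(VaultName=kv-pki-prod;SecretName=server-cert)",
		"@Microsoft.KeyVault(SecretUri=https://kv-pki-prod.vault.azure.net/secrets/server-cert/abc123)",
		"plain-value",
	} {
		uri, err := ParseKeyVaultReference(s)
		fmt.Printf("%-90s -> %s %v\n", s, uri, err)
	}
}
```

Running this over the app settings before `az webapp config appsettings set` catches unresolvable references early; the vault name it extracts is also the one whose access policy (or RBAC assignment) must include the app's managed identity.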
Azure Kubernetes Service (AKS)

```yaml
# secrets-store-csi-driver.yaml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: azure-keyvault-tls
spec:
  provider: azure
  parameters:
    usePodIdentity: "false"
    useVMManagedIdentity: "true"
    userAssignedIdentityID: "<client-id>"
    keyvaultName: "kv-pki-prod"
    objects: |
      array:
        - |
          objectName: server-cert
          objectType: secret
    tenantId: "<tenant-id>"
  secretObjects:
    - secretName: tls-secret
      type: kubernetes.io/tls
      data:
        - objectName: server-cert
          key: tls.crt
        - objectName: server-cert
          key: tls.key
```

```yaml
# pod-with-keyvault-cert.yaml
apiVersion: v1
kind: Pod
metadata:
  name: app-with-tls
spec:
  containers:
    - name: app
      image: myapp:latest
      volumeMounts:
        - name: secrets-store
          mountPath: "/mnt/secrets-store"
          readOnly: true
  volumes:
    - name: secrets-store
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: "azure-keyvault-tls"
```
Monitoring

```bash
# Enable diagnostics
az monitor diagnostic-settings create \
  --name kv-diagnostics \
  --resource /subscriptions/<sub>/resourceGroups/rg-pki/providers/Microsoft.KeyVault/vaults/kv-pki-prod \
  --logs '[{"category": "AuditEvent", "enabled": true}]' \
  --metrics '[{"category": "AllMetrics", "enabled": true}]' \
  --workspace <log-analytics-workspace-id>
```

KQL query for certificate operations:

```kql
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.KEYVAULT"
| where OperationName contains "Certificate"
| project TimeGenerated, OperationName, ResultType, CallerIPAddress, identity_claim_upn_s
| order by TimeGenerated desc
```
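The query lists certificate operations; turning that list into something reviewable means deciding what is abnormal. The Go program below is an added example for this page, not Microsoft's code: it reads a constructed export of `AuditEvent` records (JSON lines with the same columns the query projects; names and addresses are made up), applies the query's filter, and flags two patterns a vault owner would want to review: a certificate operation from an address outside the allow-listed networks, and a caller accumulating failed attempts. The allow-list and the failure threshold are assumptions chosen for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"strings"
)

// AuditEvent mirrors the AzureDiagnostics columns projected by the KQL query.
type AuditEvent struct {
	TimeGenerated    string `json:"TimeGenerated"`
	ResourceProvider string `json:"ResourceProvider"`
	OperationName    string `json:"OperationName"`
	ResultType       string `json:"ResultType"`
	CallerIPAddress  string `json:"CallerIPAddress"`
	UPN              string `json:"identity_claim_upn_s"`
}

// Finding is one item for an analyst to review.
type Finding struct {
	Caller string
	Reason string
}

// Constructed sample export, one record per line (not real tenant data).
const sampleLog = `{"TimeGenerated":"2026-01-30T01:00:00Z","ResourceProvider":"MICROSOFT.KEYVAULT","OperationName":"CertificateGet","ResultType":"Success","CallerIPAddress":"10.0.1.5","identity_claim_upn_s":"alice@example.com"}
{"TimeGenerated":"2026-01-30T01:01:00Z","ResourceProvider":"MICROSOFT.KEYVAULT","OperationName":"CertificateGet","ResultType":"Forbidden","CallerIPAddress":"203.0.113.9","identity_claim_upn_s":"bob@example.com"}
{"TimeGenerated":"2026-01-30T01:01:10Z","ResourceProvider":"MICROSOFT.KEYVAULT","OperationName":"CertificateGet","ResultType":"Forbidden","CallerIPAddress":"203.0.113.9","identity_claim_upn_s":"bob@example.com"}
{"TimeGenerated":"2026-01-30T01:01:20Z","ResourceProvider":"MICROSOFT.KEYVAULT","OperationName":"CertificateList","ResultType":"Forbidden","CallerIPAddress":"203.0.113.9","identity_claim_upn_s":"bob@example.com"}
{"TimeGenerated":"2026-01-30T01:02:00Z","ResourceProvider":"MICROSOFT.KEYVAULT","OperationName":"SecretGet","ResultType":"Success","CallerIPAddress":"10.0.1.5","identity_claim_upn_s":"alice@example.com"}
{"TimeGenerated":"2026-01-30T01:03:00Z","ResourceProvider":"MICROSOFT.STORAGE","OperationName":"CertificateGet","ResultType":"Success","CallerIPAddress":"10.0.1.5","identity_claim_upn_s":"alice@example.com"}`

// ParseEvents decodes a JSON-lines export into events.
func ParseEvents(jsonl string) ([]AuditEvent, error) {
	var out []AuditEvent
	for _, line := range strings.Split(strings.TrimSpace(jsonl), "\n") {
		var ev AuditEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, err
		}
		out = append(out, ev)
	}
	return out, nil
}

// CertificateOps applies the same two filters as the KQL query.
func CertificateOps(events []AuditEvent) []AuditEvent {
	var out []AuditEvent
	for _, ev := range events {
		if ev.ResourceProvider == "MICROSOFT.KEYVAULT" && strings.Contains(ev.OperationName, "Certificate") {
			out = append(out, ev)
		}
	}
	return out
}

// MustCIDRs parses allow-listed networks; it panics on a bad literal.
func MustCIDRs(cidrs ...string) []*net.IPNet {
	var nets []*net.IPNet
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// Review flags callers operating from outside the allow-list (once per caller)
// and callers whose failed operations reach failThreshold.
func Review(events []AuditEvent, allowed []*net.IPNet, failThreshold int) []Finding {
	var findings []Finding
	flaggedOutside := map[string]bool{}
	failures := map[string]int{}
	for _, ev := range events {
		ip := net.ParseIP(ev.CallerIPAddress)
		inside := false
		for _, n := range allowed {
			if ip != nil && n.Contains(ip) {
				inside = true
				break
			}
		}
		if !inside && !flaggedOutside[ev.UPN] {
			flaggedOutside[ev.UPN] = true
			findings = append(findings, Finding{ev.UPN, "certificate operation from non-allow-listed address " + ev.CallerIPAddress})
		}
		if ev.ResultType != "Success" {
			failures[ev.UPN]++
			if failures[ev.UPN] == failThreshold {
				findings = append(findings, Finding{ev.UPN, fmt.Sprintf("%d failed certificate operations", failThreshold)})
			}
		}
	}
	return findings
}

func main() {
	events, err := ParseEvents(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, f := range Review(CertificateOps(events), MustCIDRs("10.0.0.0/16"), 3) {
		fmt.Printf("%s: %s\n", f.Caller, f.Reason)
	}
}
```

Against the sample, `alice@example.com` produces nothing (internal address, all successes), while `bob@example.com` is flagged twice: once for the external source address and once when the third `Forbidden` result is reached. With Key Vault firewall rules or Private Link in place the first rule should never fire, which makes it a cheap check that the network restriction is still effective.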
Checklist

| # | Check item | Done |
| --- | --- | --- |
| 1 | Key Vault created | ☐ |
| 2 | Access policies configured | ☐ |
| 3 | Certificates imported | ☐ |
| 4 | Managed Identity for applications | ☐ |
| 5 | Diagnostics enabled | ☐ |
| 6 | Backup configured | ☐ |
Related documentation

- AWS KMS - Alternative cloud
- HashiCorp Vault - Multi-cloud
- Kubernetes Cert-Manager - K8s integration
Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional
Last modified: 30.01.2026 at 01:35