Commit f3bd9fb

duongau and Copilot committed
Firewall | UUF | Clarify Key Vault secret vs certificate type for TLS inspection
Resolves UUF #275402 - Azure Firewall Premium certificates article was ambiguous about how certificates are accessed from Key Vault. Azure Firewall uses the Secrets interface exclusively. Added a NOTE callout clarifying Secret permissions are always required, not Certificate permissions. Co-authored-by: Copilot <[email protected]>
1 parent 5937091 commit f3bd9fb

1 file changed

Lines changed: 8 additions & 6 deletions


articles/firewall/premium-certificates.md

@@ -5,7 +5,7 @@ author: duongau
55
ms.service: azure-firewall
66
services: firewall
77
ms.topic: concept-article
8-
ms.date: 12/11/2022
8+
ms.date: 03/23/2026
99
ms.author: duau
1010
ms.custom: sfi-image-nochange
1111
# Customer intent: As a network engineer, I want to configure TLS inspection on Azure Firewall Premium using Intermediate CA certificates stored in Azure Key Vault, so that I can ensure secure traffic management and compliance with organizational standards.
@@ -66,10 +66,12 @@ Ensure your CA certificate complies with the following requirements:
6666

6767
To configure your key vault:
6868

69-
- You need to import an existing certificate with its key pair into your key vault.
70-
- Alternatively, you can also use a key vault secret that's stored as a password-less, base-64 encoded PFX file. A PFX file is a digital certificate containing both private key and public key.
71-
- It's recommended to use a CA certificate import because it allows you to configure an alert based on certificate expiration date.
72-
- After you import a certificate or a secret, you need to define access policies in the key vault to allow the identity to be granted get access to the certificate/secret.
69+
- Store your intermediate CA certificate as a **Key Vault secret** using a password-less, base-64 encoded PFX file. A PFX file is a digital certificate containing both a private key and public key. Azure Firewall accesses the certificate exclusively through the Key Vault **Secrets** interface.
70+
- Alternatively, you can import the certificate using the Key Vault **Certificates** feature. When you do this, Key Vault automatically creates a corresponding secret with the same name, which Azure Firewall uses to access the certificate. Using the Certificates feature is recommended because it lets you configure expiration alerts.
71+
- After you store the certificate, define access policies in the key vault to grant the managed identity **Get** and **List** permissions under **Secret Permissions**.
72+
73+
> [!NOTE]
74+
> Azure Firewall does not support accessing certificates stored solely as Key Vault Certificate objects without a corresponding secret. Regardless of how you import the certificate, the managed identity must have **Secret** permissions (not Certificate permissions) on the key vault.
7375
- The provided CA certificate needs to be trusted by your Azure workload. Ensure they are deployed correctly.
7476
- Since Azure Firewall Premium is listed as Key Vault [Trusted Service](/azure/key-vault/general/overview-vnet-service-endpoints#trusted-services), it allows you to bypass Key Vault internal Firewall and to eliminate any exposure of your Key Vault to the Internet.
7577

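Review bot: new line 69 leads with storing the PFX directly as a secret, while new line 70 then states that the Certificates import is the recommended path; consider presenting the recommended option first (import via Certificates, which creates the backing secret the firewall reads) and the raw secret as the alternative, so a reader who stops at the first bullet does not miss the expiration-alert benefit. Separately, new line 71 asks for **Get** and **List** under Secret Permissions, whereas the removed line 72 required only get access; if List is genuinely needed, say what it is needed for, otherwise keep the grant to **Get** for least privilege. The NOTE at new lines 73-74 is the clearest statement of the Secret-vs-Certificate permission point in the hunk and reads well.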
@@ -116,7 +118,7 @@ The scripts generate the following files:
116118
>
117119
After the certificates are created, deploy them to the following locations:
118120
- rootCA.crt - Deploy on endpoint machines (Public certificate only).
119-
- interCA.pfx - Import as certificate on a Key Vault and assign to firewall policy.
121+
- interCA.pfx - Store as a secret in Azure Key Vault and assign to firewall policy.
120122

121123
### **openssl.cnf**
122124
```
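Review bot: new line 121 now reads "Store as a secret in Azure Key Vault", but the previous hunk recommends importing via the Key Vault Certificates feature (which creates the backing secret) so that expiration alerts can be configured; align the wording, for example "- interCA.pfx - Import as a certificate (or store as a secret) in Azure Key Vault and assign to firewall policy.", so the walkthrough does not steer readers away from the option the same article recommends.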
