
Skyhigh Security

Using Private Keys from an Azure Key Vault

You can use private keys stored in an Azure Key Vault for required certificates to enable cloud communication with clients over SSL-secured connections.

Azure Key Vault is a cloud service that provides secure storage of private keys, passwords, and certificates. These keys can be used in a hybrid environment where you work with the cloud to protect your network against threats arising from the web.

On the Azure platform, you create an Azure Key Vault instance, an application that handles access to the private keys, and the private keys themselves. On Secure Web Gateway cloud, you import the certificate whose use requires a signature generated with one of those keys.

The certificate is used when Secure Web Gateway cloud controls web access over SSL-secured connections by clients that cloud users of your organization work with.

Private Key Handling

A private key stored in an Azure Key Vault does not become embedded in any settings maintained on Secure Web Gateway.

When a private key is needed for a certificate, Secure Web Gateway Cloud submits an application ID, tenant ID, key ID, and a password (the application secret) to obtain a token for access to the Azure Key Vault instance that has been set up to store private keys for use by Secure Web Gateway Cloud.

After receiving the token, Secure Web Gateway Cloud sends an HTTPS request to obtain the signature required to use the certificate.
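The two-step exchange described above, as an added example that is not Skyhigh's or Microsoft's code: step one is an OAuth 2.0 client-credentials request to the Microsoft identity platform using the tenant ID, application ID, and application secret; step two is a Key Vault `sign` request carrying only a SHA-256 digest, so the RSA private key never leaves the vault. The login and `vault.azure.net` endpoints and the `api-version=7.4` query parameter are the real public Azure interfaces; every tenant, application, vault, and key value is constructed, and `FakeAzure` stands in for both endpoints so the code runs offline. Passing `http_post_json` as the transport instead sends real requests.

```python
import base64
import hashlib
import json
import urllib.parse
import urllib.request

# Real public Azure endpoints. Every tenant/app/vault value further down is constructed.
LOGIN_AUTHORITY = "https://login.microsoftonline.com"
KEY_VAULT_SCOPE = "https://vault.azure.net/.default"
KEY_VAULT_API_VERSION = "7.4"


def b64url_encode(data: bytes) -> str:
    """Unpadded base64url, the encoding Key Vault uses for 'value' fields."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; re-adds the stripped padding first."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_token_request(tenant_id, app_id, app_secret):
    """Step 1: client-credentials grant. Tenant ID, app ID and secret buy a bearer token scoped to Key Vault."""
    url = f"{LOGIN_AUTHORITY}/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": app_id,
        "client_secret": app_secret,
        "scope": KEY_VAULT_SCOPE,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return url, headers, urllib.parse.urlencode(form).encode("ascii")


def build_sign_request(key_id, access_token, digest):
    """Step 2: the sign operation. Only a SHA-256 digest leaves the gateway; the RSA key stays in the vault."""
    url = f"{key_id}/sign?api-version={KEY_VAULT_API_VERSION}"
    headers = {"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"}
    body = json.dumps({"alg": "RS256", "value": b64url_encode(digest)}).encode("utf-8")
    return url, headers, body


def http_post_json(url, headers, body):
    """Default transport: a real HTTPS POST returning the parsed JSON reply."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.loads(resp.read().decode("utf-8"))


def sign_with_key_vault(tenant_id, app_id, app_secret, key_id, message, transport=http_post_json):
    """Run both steps and return the raw RSA signature over SHA-256(message)."""
    url, headers, body = build_token_request(tenant_id, app_id, app_secret)
    access_token = transport(url, headers, body)["access_token"]
    digest = hashlib.sha256(message).digest()
    url, headers, body = build_sign_request(key_id, access_token, digest)
    reply = transport(url, headers, body)
    # The vault names the key (with version) it actually used; refuse anything but the one requested.
    if not reply.get("kid", "").startswith(key_id):
        raise ValueError(f"signature came from unexpected key: {reply.get('kid')}")
    return b64url_decode(reply["value"])


class FakeAzure:
    """Offline stand-in for both endpoints: records each request and returns constructed replies."""

    def __init__(self, key_id, signature):
        self.key_id, self.signature, self.calls = key_id, signature, []

    def __call__(self, url, headers, body):
        self.calls.append((url, headers, body))
        if url.endswith("/oauth2/v2.0/token"):
            return {"token_type": "Bearer", "expires_in": 3599, "access_token": "constructed-token"}
        if url.startswith(self.key_id + "/sign"):
            return {"kid": self.key_id, "value": b64url_encode(self.signature)}
        raise RuntimeError("unexpected endpoint: " + url)


def run_offline_demo():
    """Drive the exchange against FakeAzure and report what was sent; all IDs below are constructed."""
    tenant_id = "11111111-2222-3333-4444-555555555555"
    app_id = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
    key_id = "https://vault-for-doc.vault.azure.net/keys/swg-ca-key/0123456789abcdef0123456789abcdef"
    fake = FakeAzure(key_id, signature=b"\x01\x02\x03\x04")
    message = b"to-be-signed certificate body"
    signature = sign_with_key_vault(tenant_id, app_id, "constructed-secret", key_id, message, transport=fake)
    token_url, _, token_body = fake.calls[0]
    sign_url, sign_headers, sign_body = fake.calls[1]
    form = urllib.parse.parse_qs(token_body.decode("ascii"))
    payload = json.loads(sign_body)
    return {
        "signature": signature,
        "token_url": token_url,
        "grant_type": form["grant_type"][0],
        "scope": form["scope"][0],
        "sign_url": sign_url,
        "bearer": sign_headers["Authorization"],
        "alg": payload["alg"],
        "digest_matches": b64url_decode(payload["value"]) == hashlib.sha256(message).digest(),
    }


if __name__ == "__main__":
    print(run_offline_demo())
```

The `kid` check matters in practice: the reply names the key version that signed, and comparing it with the requested key identifier catches a misconfigured or rotated key before the signature is used. The application secret is the only long-lived credential in this flow, which is why the role assignment on the vault should be limited to Key Vault Crypto User as the setup steps below describe.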

Create an Azure Key Vault and a Private Key

Azure Key Vault provides API-based private key storage, optionally utilizing Hardware Security Modules (HSMs). This setup enables TLS content inspection within Server-Side Encryption (SSE) without needing to embed the Certificate Authority's private key in the Secure Web Gateway (SWG) settings. However, it does not include the management of server keys for issued certificates. Users are responsible for establishing, maintaining, and funding their own Azure Key Vault instance.

Once set up, the following information needs to be configured in the SSE UI under Feature Configuration > HTTPS Connection:

  1. Tenant ID / Directory ID
  2. Application ID / Client ID
  3. Application secret (password only, as certificate-based authentication is not supported)
  4. URL to RSA key
  5. CA (intermediate or root) information, which is not covered in the provided documentation.

This configuration integrates Azure Key Vault securely into SSE for managing the private keys used in TLS connections.

Here are the steps to generate and configure a client application, create a vault, generate a key, and establish the necessary connections between them:

  1. Log in to Microsoft Azure, navigate to Microsoft Entra ID > App registrations, and register an application.
  2. Enter a name for the new application (here: app_for_docu) and click Register.
  3. After the application is registered, note the Application (client) ID and the Directory (tenant) ID. In the following steps, you set the API permissions and generate client credentials.
  4. Click View API permissions and add the Azure Key Vault permissions.
  5. On the application's overview page, click Add certificate or secret, and copy the secret that is displayed after you click Add.
  6. Create a Key Vault instance under Home > Create a resource.
  7. Define the required properties for the key vault. To generate and store the key on a physical HSM, select the Premium pricing tier.
  8. Wait until the new Key Vault instance is created and click Go to resource.
  9. Grant the app app_for_docu the required permissions on the vault vault-for-doc: under the vault instance, select Access Control (IAM) > Add role assignment, select the role Key Vault Crypto User, under Members select the application, review, and save.
  10. To generate an RSA key, the user currently logged in to Azure must also be assigned the role Key Vault Administrator on the vault, following step 9 with that role and that user as the member.
  11. Generate the key and copy its Key Identifier.
  12. Create an HTTPS Connection Options feature configuration. Import the Certificate Authority and enter the collected data. After the new feature configuration is created, reference it in the HTTPS Connection Options ruleset.

An Azure Key Vault is now available for storing private keys and using their data for certificate handling on Secure Web Gateway cloud.

Configure Use of a Private Key from an Azure Key Vault

To configure use of a certificate's private key that is stored in an Azure Key Vault, provide settings for the module that handles communication with Secure Web Gateway cloud clients over an SSL-secured connection.

To provide these settings, you import a certificate and assign it the private key from the vault.

  1. Select Policy | Web Policy > Feature Configuration.
  2. Select HTTPS Connection > Customer CA.
  3. On the Certificate Authority page, click the three dots next to See Details, and click Import.
  4. Import a certificate with a private key from an Azure Key Vault assigned to it.
    1. In the window that opens, click Browse below CA Certificate, and locate a certificate file.
    2. Under Private key, select Use Azure Vault.
    3. Fill these input fields with the values you noted down when setting up the Azure Key Vault with the private key.
      • Tenant ID
      • Key ID
      • App ID
      • Password
    4. Click Import.

The certificate is imported. Its key ID and other properties are shown in the settings pane.

  5. Click Save Changes.

A private key is now available in an Azure Key Vault for use with an SSL certificate.
