Reputation: 151
I have worked with secrets stored in Azure Key Vault but this is the first time using certificate for authentication rather than a secret.
I have a certificate stored in Azure Key Vault. I want to use this certificate to authenticate with an Azure AD application.
I understand that, for secrets stored in Azure Key Vault, we can reference them in an Azure Function via application settings by using @Microsoft.KeyVault(SecretUri='secretIdentifier').
I noticed that there are three types of identifiers for a certificate: key, secret, and certificate identifier. What is the difference between these and what purpose does each of these serve?
Also, can we access the certificate through the secret identifier using @Microsoft.KeyVault(SecretUri='Certificate's Secret Identifier') and use it for authenticating? If we can, are there any caveats to this approach?
Lastly, why is using a certificate for authentication considered a better approach rather than using a secret?
So far, I haven't been able to find an explanation that is easily understandable for a person who has not used certificates before. Any suggestion/explanation will be highly appreciated.
Upvotes: 2
Views: 3469
Reputation: 10543
https://learn.microsoft.com/en-us/azure/key-vault/certificates/about-certificates mentions that
When a Key Vault certificate is created, an addressable key and secret are also created with the same name. The Key Vault key allows key operations and the Key Vault secret allows retrieval of the certificate value as a secret. A Key Vault certificate also contains public x509 certificate metadata.
and
When a Key Vault certificate is created, it can be retrieved from the addressable secret with the private key in either PFX or PEM format.
Thus, "Certificate's Secret Identifier" provides the way for tools to get hold of "the actual bytes" of the certificate together with its private key. As an example, it is the secret identifier for the certificate that can be provided to the HTTPS listener of an Application Gateway in order for that certificate to be used as the HTTPS certificate.
Upvotes: 0
Reputation: 10682
For the difference between Keys, Secrets, and Certificates, please refer to Azure Key Vault documentation, under Object Types:
Think of Secrets as passwords and connection strings. Keys are cryptographic keys that can be generated using various algorithms. And Certificates are keys (or key pairs) with optional policies such as auto rotation.
There is an advantage in authenticating using a certificate instead of a secret. The advantage is a certificate has a private and a public key part. The recipient of your API call can authenticate who you are using only the public portion of your certificate, while you safely safeguard the private part in your key vault. Secrets are shared between calling and called parties and are transmitted over the wire, and therefore there are more opportunities for them to leak.
Upvotes: 1
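An added example, not from either answer, that ties the two together: the PEM bundle the certificate's secret identifier hands back is split into its private key and certificate, and the recipient verifies a signed challenge using nothing but the certificate (the public part). It uses only the Go standard library; the Key Vault call is replaced by a constructed self-signed bundle, and the PEM layout (a PKCS#8 PRIVATE KEY block followed by a CERTIFICATE block) and the ed25519 key type are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// SplitPEMBundle separates the two PEM blocks a certificate's secret identifier hands back.
func SplitPEMBundle(bundle []byte) (ed25519.PrivateKey, *x509.Certificate, error) {
	var key ed25519.PrivateKey
	var cert *x509.Certificate
	for b, rest := pem.Decode(bundle); b != nil; b, rest = pem.Decode(rest) {
		if b.Type == "PRIVATE KEY" { // PKCS#8; this part never leaves the caller's side
			k, _ := x509.ParsePKCS8PrivateKey(b.Bytes)
			key, _ = k.(ed25519.PrivateKey)
		} else if b.Type == "CERTIFICATE" { // public part; all the recipient ever needs
			cert, _ = x509.ParseCertificate(b.Bytes)
		}
	}
	if key == nil || cert == nil {
		return nil, nil, errors.New("bundle lacks an ed25519 private key or a certificate")
	}
	return key, cert, nil
}

// Sign is the caller's side: proof of possession of the private key over a challenge.
func Sign(key ed25519.PrivateKey, challenge []byte) []byte { return ed25519.Sign(key, challenge) }

// Verify is the recipient's side: it checks the proof with nothing but the certificate.
func Verify(cert *x509.Certificate, challenge, sig []byte) bool {
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	return ok && ed25519.Verify(pub, challenge, sig)
}

// ConstructedBundle stands in for the vault: a self-signed cert plus its key in the assumed PEM layout (demo fixture, errors ignored).
func ConstructedBundle() []byte {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo-app"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	pk, _ := x509.MarshalPKCS8PrivateKey(key)
	out := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: pk})
	return append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})...)
}
```

The secret identifier is therefore the one identifier that exposes the private key, so an application setting that references it should be treated with the same care as the secret it replaces.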