Reputation: 3955
I have generated a self-signed RSA certificate in Azure KeyVault. When creating a new version of the certificate manually or automatically via the auto-renew feature, I noticed that the public/private key pair is not rotated, only the certificate part is renewed, and signed with the original key.
How can I rotate the key pair as well, which I want to do periodically for security reasons, in case the private key gets leaked through some means?
Upvotes: 0
Views: 583
Reputation: 2522
When a Key Vault certificate is created, an addressable key and secret are also created with the same name. The Key Vault key allows key operations and the Key Vault secret allows retrieval of the certificate value as a secret.
From the RFC:
Certificate renewal means the issuance of a new certificate to the subscriber without changing the subscriber or other participant's public key or any other information in the certificate.
Certificate re-key means generating a new key pair and applying for the issuance of a new certificate that certifies the new public key.
Azure KeyVault self-signed certificate renewal does not rotate the public/private key pair by default.
You can rotate it by updating the policy for your certificate in Azure KeyVault, where you can set ReuseKeyOnRenewal to false.
https://learn.microsoft.com/en-us/azure/key-vault/certificates/about-certificates
Upvotes: 1
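The policy change described in the answer, as an added example that is not part of the original answer or of Microsoft's own tooling: it reads the certificate's current policy with the Azure CLI, sets the key-reuse flag to false (the CLI spells ReuseKeyOnRenewal as `reuseKey` in its JSON output), creates a new certificate version under that policy, and then checks that the new version really carries a different public key by comparing SPKI fingerprints with openssl. The vault and certificate names are placeholders; the `az` session is assumed to be logged in; the functions `disable_reuse_key`, `spki_fingerprint`, `rekeyed` and `rekey_and_verify` are this example's own names. The fingerprint check works on any two PEM certificates, so it is also usable to audit existing versions.

```shell
#!/usr/bin/env sh
# Added example, not code from the original answer. Assumes a logged-in `az`
# CLI, placeholder names VAULT and CERT, and that `az ... -o json` prints the
# policy's key settings as "reuseKey": true/false (camelCase).
set -eu

VAULT="${VAULT:-placeholder-vault}"   # placeholder: replace with your vault name
CERT="${CERT:-placeholder-cert}"      # placeholder: replace with your certificate name

# Turn ReuseKeyOnRenewal off in a policy document read from stdin.
# Only the key-reuse flag changes; every other policy setting is kept as-is.
disable_reuse_key() {
  sed -E 's/"reuseKey"[[:space:]]*:[[:space:]]*true/"reuseKey": false/'
}

# SHA-256 over the DER-encoded SubjectPublicKeyInfo of a PEM certificate.
# Two certificate versions with the same fingerprint share one key pair.
spki_fingerprint() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -r \
    | cut -d' ' -f1
}

# Succeeds (exit 0) only when the two certificates carry different public
# keys, i.e. the renewal was a real re-key and not a re-issue over the old key.
rekeyed() {
  [ "$(spki_fingerprint "$1")" != "$(spki_fingerprint "$2")" ]
}

# Key Vault round trip: snapshot the current version, issue a new version
# under a policy with reuseKey=false, then compare the two public keys.
# Assumes the policy object returned by `show --query policy` is accepted
# back by `create --policy` (it carries the same fields the CLI emitted).
rekey_and_verify() {
  workdir=$(mktemp -d)

  az keyvault certificate download --vault-name "$VAULT" --name "$CERT" \
     --encoding PEM --file "$workdir/before.pem"

  az keyvault certificate show --vault-name "$VAULT" --name "$CERT" \
     --query policy -o json | disable_reuse_key > "$workdir/policy.json"

  # A self-issued certificate is created synchronously; this adds a new version.
  az keyvault certificate create --vault-name "$VAULT" --name "$CERT" \
     --policy "@$workdir/policy.json" -o none

  az keyvault certificate download --vault-name "$VAULT" --name "$CERT" \
     --encoding PEM --file "$workdir/after.pem"

  if rekeyed "$workdir/before.pem" "$workdir/after.pem"; then
    echo "re-keyed: new version uses a new key pair"
  else
    echo "NOT re-keyed: new version still signed with the old key pair" >&2
    return 1
  fi
}

# Only talk to Azure when explicitly asked; defining the functions is side-effect free.
if [ "${RUN_AGAINST_AZURE:-0}" = 1 ]; then
  rekey_and_verify
fi
```

Changing the policy alone does not produce a new key: the key pair is generated the next time a version is created, whether by `az keyvault certificate create` as above or by the auto-renew action. If the motivation is a suspected key leak, the older versions (and the addressable key object that shares the certificate's name) still hold the old private key until they are disabled or purged, so the fingerprint comparison is worth repeating on every version you keep enabled.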