Creating an Azure Key Vault Crypto Token in EJBCA

To create an Azure Key Vault Crypto Token in EJBCA, do the following:

  1. In the EJBCA Admin Interface, click Crypto Tokens. For detailed information on Crypto Tokens, refer to the EJBCA Documentation Crypto Token Overview.
  2. Click Create new and specify the following:
    1. Enter a Name for the Crypto Token. In this example we will create a Crypto Token for a Root CA and use the value "EJBCA Root Crypto Token".
    2. For Type, select Azure Key Vault.
    3. For the Authentication Code, use the value displayed when creating the secret in the Active Directory App Registration. This should have been stored in a password vault.
    4. Since you are creating a Root CA Crypto Token, do not enable Auto-activation. If you are creating an Issuing CA Crypto Token, select Auto-activation.
    5. Under Key Vault Type, choose Premium.
    6. Enter the Key Vault Name as chosen when creating the Azure Key Vault. In this example, our Key Vault name is EJBCARootKeyVault.
    7. Enter the Key Vault Client ID as noted when creating the App Registration (under the Overview details).
  3. Click Save and confirm that a notification about the successfully created crypto token is displayed.

NOTE: Azure limits the keys to the following types:

  Key Algorithm   Key Specification
  RSA             2048
  RSA             3072
  RSA             4096
  ECC             P-256 / prime256v1 / secp256r1
  ECC             P-384 / secp384r1
  ECC             P-521 / secp521r1