Azure Key Vault

Store certificates in Azure Key Vault as certificate objects. Certificates synced to Key Vault can be used with Azure App Service, Application Gateway, and other Azure services.

Certificate Syncs are configured per Application. First select which certificates to sync, then configure the Key Vault destination.

Prerequisites

An Azure Key Vault Connection with the following permissions:
- certificates/list
- certificates/get
- certificates/import
- certificates/delete

The Key Vault Certificates Officer role includes all required permissions.

Create a Key Vault Sync

Infisical UI
API

In your Application, go to the Certificate Syncs tab and click Create Sync.
Select the Azure Key Vault option.
Configure the Destination:
- Azure Connection: The Azure Connection to authenticate with.
- Vault Base URL: The URL of your Azure Key Vault.
Configure the Sync Options:
- Enable Removal of Expired/Revoked Certificates: Remove certificates from the destination if they are no longer active.
- Enable Versioning on Renewal: Create a new version of the certificate on renewal instead of a new certificate.
- Include Root CA: Include the Root CA certificate in the chain.
- Certificate Name Schema: Customize certificate names using {{certificateId}} placeholder.
- Auto-Sync Enabled: Automatically sync certificates when changes occur.

Soft Delete: Removed certificates are soft-deleted. To resync them, you must purge or recover them in Azure.

Configure the Details:
- Name: The name of your sync (slug-friendly).
- Description: Optional description.
Select which certificates should be synced.
Review and click Create Sync.

To create an Azure Key Vault Certificate Sync, make an API request to the Create Azure Key Vault Certificate Sync API endpoint.

Sample request

You can optionally specify certificateIds during sync creation to immediately add certificates to the sync. If not provided, you can add certificates later using the certificate management endpoints.

Request

curl --request POST \
--url https://app.infisical.com/api/v1/cert-manager/syncs/azure-key-vault \
--header 'Authorization: Bearer <access-token>' \
--header 'Content-Type: application/json' \
--data '{
    "name": "my-key-vault-cert-sync",
    "applicationId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "description": "an example certificate sync",
    "connectionId": "550e8400-e29b-41d4-a716-446655440000",
    "destination": "azure-key-vault",
    "isAutoSyncEnabled": true,
    "certificateIds": [
        "550e8400-e29b-41d4-a716-446655440000",
        "660f1234-e29b-41d4-a716-446655440001"
    ],
    "syncOptions": {
        "canRemoveCertificates": true,
        "enableVersioningOnRenewal": true,
        "includeRootCa": false,
        "certificateNameSchema": "myapp-{{certificateId}}"
    },
    "destinationConfig": {
        "vaultBaseUrl": "https://my-key-vault.vault.azure.net"
    }
}'

Sample response

Response

{
    "pkiSync": {
        "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
        "name": "my-key-vault-cert-sync",
        "description": "an example certificate sync",
        "destination": "azure-key-vault",
        "isAutoSyncEnabled": true,
        "destinationConfig": {
            "vaultBaseUrl": "https://my-key-vault.vault.azure.net"
        },
        "syncOptions": {
            "canRemoveCertificates": true,
            "enableVersioningOnRenewal": true,
            "includeRootCa": false,
            "certificateNameSchema": "myapp-{{certificateId}}"
        },
        "applicationId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
        "connectionId": "550e8400-e29b-41d4-a716-446655440000",
        "createdAt": "2023-01-01T00:00:00.000Z",
        "updatedAt": "2023-01-01T00:00:00.000Z"
    }
}

Certificate Management

The Azure Key Vault Certificate Sync provides:

Automatic Deployment: Deploy certificates in Infisical to Azure Key Vault.
Certificate Updates: Update certificates in Azure Key Vault when renewals occur.
Expiration Handling: Optionally remove expired certificates from Azure Key Vault (if enabled).
Format Preservation: Maintain certificate format and metadata during sync operations.

Azure Key Vault Certificate Syncs support both automatic and manual synchronization modes. When auto-sync is enabled, certificates are automatically deployed as they are issued or renewed.

Manual Certificate Sync

You can manually trigger certificate synchronization to Azure Key Vault using the sync certificates functionality. This is useful for:

Initial setup when you have existing certificates to deploy
One-time sync of specific certificates
Testing certificate sync configurations
Force sync after making changes

To manually sync certificates, use the Sync Certificates API endpoint or the manual sync option in the Infisical UI.

FAQ

Can I import certificates from Azure Key Vault back into Infisical?

Azure Key Vault does not support importing certificates back into Infisical due to security limitations where private keys cannot be extracted from Azure Key Vault.

What’s Next?

AWS Certificate Manager

Import certificates into ACM for AWS services.

Auto-Renewal

Enable automatic certificate renewal and syncing.

Alerting

Get notified about certificate lifecycle events.

Other Sync Destinations

View all supported sync destinations.

Certificate Management

Product Reference

Reference

Prerequisites

Create a Key Vault Sync

Sample request

Sample response

Certificate Management

Manual Certificate Sync

FAQ

What’s Next?

AWS Certificate Manager

Auto-Renewal

Alerting

Other Sync Destinations

Certificate Management

Product Reference

Reference

Documentation Index

​Prerequisites

​Create a Key Vault Sync

​Sample request

​Sample response

​Certificate Management

​Manual Certificate Sync

​FAQ

​What’s Next?

AWS Certificate Manager

Auto-Renewal

Alerting

Other Sync Destinations

Prerequisites

Create a Key Vault Sync

Sample request

Sample response

Certificate Management

Manual Certificate Sync

FAQ

What’s Next?