- Create an Azure Key Vault Connection
- Ensure your network security policies allow incoming requests from Infisical to this certificate sync provider, if network restrictions apply.
The Azure Key Vault Certificate Sync requires the following certificate permissions to be set on the user / service principal
for Infisical to sync certificates to Azure Key Vault:
certificates/list, certificates/get, certificates/import, certificates/delete.Any role with these permissions would work such as the Key Vault Certificates Officer role.Certificates synced to Azure Key Vault will be stored as certificate objects,
preserving both the certificate and private key components.
- Infisical UI
- API
-
Navigate to Project > Integrations > Certificate Syncs and press Add Sync.
-
Select the Azure Key Vault option.
-
Configure the Destination to where certificates should be deployed, then click Next.
- Azure Connection: The Azure Connection to authenticate with.
- Vault Base URL: The URL of your Azure Key Vault.
-
Configure the Sync Options to specify how certificates should be synced, then click Next.
- Enable Removal of Expired/Revoked Certificates: If enabled, Infisical will remove certificates from the destination if they are no longer active in Infisical.
- Enable Versioning on Renewal: If enabled, Infisical will sync renewed certificates to the destination under a new version of the original synced certificate instead of creating a new certificate.
- Include Root CA: If enabled, the Root CA certificate will be included in the certificate chain when syncing to Azure Key Vault. If disabled, only intermediate certificates will be included.
- Certificate Name Schema (Optional): Customize how certificate names are generated in Azure Key Vault. Use
{{certificateId}}as a placeholder for the certificate ID. If not specified, defaults toInfisical-{{certificateId}}. - Auto-Sync Enabled: If enabled, certificates will automatically be synced when changes occur. Disable to enforce manual syncing only.
-
Configure the Details of your Azure Key Vault Certificate Sync, then click Next.
- Name: The name of your sync. Must be slug-friendly.
- Description: An optional description for your sync.
-
Select which certificates should be synced to Azure Key Vault.
-
Review your Azure Key Vault Certificate Sync configuration, then click Create Sync.
-
If enabled, your Azure Key Vault Certificate Sync will begin syncing your certificates to the destination endpoint.
Certificate Management
Your Azure Key Vault Certificate Sync will:- Automatic Deployment: Deploy certificates in Infisical to Azure Key Vault.
- Certificate Updates: Update certificates in Azure Key Vault when renewals occur
- Expiration Handling: Optionally remove expired certificates from Azure Key Vault (if enabled)
- Format Preservation: Maintain certificate format and metadata during sync operations
Azure Key Vault Certificate Syncs support both automatic and manual
synchronization modes. When auto-sync is enabled, certificates are
automatically deployed as they are issued or renewed.
Manual Certificate Sync
You can manually trigger certificate synchronization to Azure Key Vault using the sync certificates functionality. This is useful for:- Initial setup when you have existing certificates to deploy
- One-time sync of specific certificates
- Testing certificate sync configurations
- Force sync after making changes
Azure Key Vault does not support importing certificates back into Infisical
due to security limitations where private keys cannot be extracted from Azure
Key Vault.