- Set up and configure a Certificate Authority
- Create an Azure Key Vault Connection
- Ensure your network security policies allow incoming requests from Infisical to this certificate sync provider, if network restrictions apply.
The Azure Key Vault Certificate Sync requires the following certificate permissions to be set on the user / service principal for Infisical to sync certificates to Azure Key Vault: certificates/list, certificates/get, certificates/import, certificates/delete. Any role with these permissions would work, such as the Key Vault Certificates Officer role.

Certificates synced to Azure Key Vault will be stored as certificate objects, preserving both the certificate and private key components.
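To confirm that the identity behind your Azure Key Vault Connection actually holds these four certificate permissions before you create the sync, here is an added shell example (not Infisical's or Microsoft's own code). It assumes the Azure CLI is installed and logged in, and uses VAULT_NAME, RESOURCE_GROUP, APP_ID and OBJECT_ID as placeholders; the comparison function itself runs offline on a permission list you pass in, and covers both the access-policy and the RBAC permission models.

```shell
#!/bin/sh
# Added example, not Infisical's or Azure's own code.
# Verifies that the identity Infisical authenticates with holds the certificate
# permissions the sync needs, and shows how to grant them under either model.
# VAULT_NAME, RESOURCE_GROUP, APP_ID and OBJECT_ID are placeholders you must set.

VAULT_NAME="${VAULT_NAME:-my-vault-placeholder}"
RESOURCE_GROUP="${RESOURCE_GROUP:-my-rg-placeholder}"
APP_ID="${APP_ID:-00000000-0000-0000-0000-000000000000}"      # service principal app id
OBJECT_ID="${OBJECT_ID:-00000000-0000-0000-0000-000000000000}" # service principal object id

# The four certificate permissions the page lists (certificates/<perm>).
REQUIRED_CERT_PERMS="get list import delete"

# Print the required permissions missing from a granted list (space-separated,
# case-insensitive, as `az keyvault show` reports them, e.g. "Get List").
# Exit status 0 when nothing is missing, 1 otherwise.
missing_cert_permissions() {
  granted=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  missing=""
  for perm in $REQUIRED_CERT_PERMS; do
    case " $granted " in
      *" $perm "*) ;;                      # already granted
      *) missing="$missing $perm" ;;       # still needed
    esac
  done
  printf '%s\n' "${missing# }"
  [ -z "$missing" ]
}

# Access-policy model: read the certificate permissions granted to OBJECT_ID
# and set the missing ones. set-policy writes the certificate permission set for
# that identity and leaves its key/secret permissions alone.
ensure_access_policy_perms() {
  granted=$(az keyvault show --name "$VAULT_NAME" \
    --query "properties.accessPolicies[?objectId=='$OBJECT_ID'].permissions.certificates[]" \
    -o tsv | tr '\n' ' ')
  if ! missing_cert_permissions "$granted" >/dev/null; then
    az keyvault set-policy --name "$VAULT_NAME" --object-id "$OBJECT_ID" \
      --certificate-permissions $REQUIRED_CERT_PERMS
  fi
}

# RBAC model: assign the built-in role that bundles these permissions, scoped to
# this single vault rather than the resource group or subscription.
ensure_rbac_role() {
  scope=$(az keyvault show --name "$VAULT_NAME" --resource-group "$RESOURCE_GROUP" \
    --query id -o tsv)
  az role assignment create --assignee "$APP_ID" \
    --role "Key Vault Certificates Officer" --scope "$scope"
}

# Only talk to Azure when asked to; running the file with no argument just
# defines the functions so the offline check can be used on its own.
if [ "${1:-}" = "policy" ]; then
  ensure_access_policy_perms
elif [ "${1:-}" = "rbac" ]; then
  ensure_rbac_role
fi
```

Run it as `sh check-kv-perms.sh policy` on a vault that uses access policies, or `sh check-kv-perms.sh rbac` on a vault with RBAC authorization enabled. Scoping the role assignment to the vault's own resource id keeps the sync identity at the least privilege the page calls for; granting the role at subscription scope would let the same identity manage certificates in every vault.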
- Navigate to Project > Integrations and select the Certificate Syncs tab. Click on the Add Sync button.
- Select the Azure Key Vault option.
- Configure the Source from where certificates should be retrieved, then click Next.
  - PKI Subscriber: The PKI subscriber to retrieve certificates from.
- Configure the Destination to where certificates should be deployed, then click Next.
  - Azure Connection: The Azure Connection to authenticate with.
  - Vault Base URL: The URL of your Azure Key Vault.
- Configure the Sync Options to specify how certificates should be synced, then click Next.
  - Auto-Sync Enabled: If enabled, certificates will automatically be synced from the source PKI subscriber when changes occur. Disable to enforce manual syncing only.
  - Enable Certificate Removal: If enabled, Infisical will remove expired certificates from the destination during sync operations. Disable this option if you intend to manage certificate cleanup manually.
  - Certificate Name Schema (Optional): Customize how certificate names are generated in Azure Key Vault. Use {{certificateId}} as a placeholder for the certificate ID. If not specified, defaults to Infisical-{{certificateId}}.
Azure Key Vault Soft Delete: When certificates are removed from Azure Key Vault, they are placed in a soft-deleted state rather than being permanently deleted. This means:
- Subsequent syncs will not re-add these soft-deleted certificates automatically
- To resync removed certificates, you must either manually purge them from Azure Key Vault or recover them through the Azure portal/CLI
- Configure the Details of your Azure Key Vault Certificate Sync, then click Next.
  - Name: The name of your sync. Must be slug-friendly.
  - Description: An optional description for your sync.
- Review your Azure Key Vault Certificate Sync configuration, then click Create Sync.
- If enabled, your Azure Key Vault Certificate Sync will begin syncing your certificates to the destination endpoint.
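The certificate name schema and the soft-delete behaviour described in the Sync Options step above, as an added shell example (not Infisical's own code): it renders the Key Vault certificate name from a schema and certificate ID, checks the result against Key Vault's object-name rule, and wraps the Azure CLI commands for listing, recovering and purging soft-deleted certificates so that a removed certificate can be re-added by the next sync. VAULT_NAME is a placeholder; the Azure CLI functions assume an authenticated az session, while the rendering and validation functions run offline.

```shell
#!/bin/sh
# Added example, not Infisical's own code.
# Renders the certificate object name the sync will use, validates it, and
# wraps the Azure CLI operations on soft-deleted certificates.
# VAULT_NAME is a placeholder you must set.

VAULT_NAME="${VAULT_NAME:-my-vault-placeholder}"

# Default schema from the page when no Certificate Name Schema is configured.
DEFAULT_SCHEMA='Infisical-{{certificateId}}'

# render_cert_name SCHEMA ID: substitute every {{certificateId}} in SCHEMA
# (DEFAULT_SCHEMA when SCHEMA is empty) with ID. IDs are expected to be
# UUID-like (letters, digits, hyphens), so no sed-escaping is needed.
render_cert_name() {
  schema="${1:-$DEFAULT_SCHEMA}"
  id="$2"
  printf '%s\n' "$schema" | sed "s/{{certificateId}}/$id/g"
}

# Key Vault object names must be 1-127 characters of letters, digits and
# hyphens; a schema that produces anything else will be rejected on import.
valid_kv_name() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9-]{1,127}$'
}

# Certificates currently in the soft-deleted state; a certificate listed here
# will not be re-added by a sync until it is recovered or purged.
list_soft_deleted() {
  az keyvault certificate list-deleted --vault-name "$VAULT_NAME" \
    --query '[].name' -o tsv
}

# Recover keeps the certificate and its version history under the same name.
recover_soft_deleted() {
  az keyvault certificate recover --vault-name "$VAULT_NAME" --name "$1"
}

# Purge is permanent. It needs the certificates/purge permission, which is not
# among the four the sync identity needs, so run it as a vault administrator;
# it is refused entirely on vaults with purge protection enabled.
purge_soft_deleted() {
  az keyvault certificate purge --vault-name "$VAULT_NAME" --name "$1"
}

# Only call Azure when an action is given; with no argument the file just
# defines the functions.
case "${1:-}" in
  "")       ;;
  render)   render_cert_name "${2:-}" "${3:-}" ;;
  list)     list_soft_deleted ;;
  recover)  recover_soft_deleted "$2" ;;
  purge)    purge_soft_deleted "$2" ;;
  *)        printf 'usage: %s render [SCHEMA] ID | list | recover NAME | purge NAME\n' "$0" >&2 ;;
esac
```

A practical sequence after a certificate has been removed by the sync and you want it deployed again: run `list` to confirm the name (as rendered from your schema) is in the soft-deleted set, then `recover` it if you want the old object and its history back, or `purge` it if you want the next sync to import a fresh object. Prefer `recover` where the vault has purge protection, since purge is unavailable there and the soft-deleted name would otherwise block the sync until the retention period expires.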
Certificate Management
Your Azure Key Vault Certificate Sync will:
- Automatic Deployment: Deploy new certificates issued by your PKI subscriber to Azure Key Vault
- Certificate Updates: Update certificates in Azure Key Vault when renewals occur
- Expiration Handling: Optionally remove expired certificates from Azure Key Vault (if enabled)
- Format Preservation: Maintain certificate format and metadata during sync operations
Azure Key Vault Certificate Syncs support both automatic and manual synchronization modes. When auto-sync is enabled, certificates are automatically deployed as they are issued or renewed.
Manual Certificate Sync
You can manually trigger certificate synchronization from your PKI subscriber to Azure Key Vault using the sync certificates functionality. This is useful for:
- Initial setup when you have existing certificates to deploy
- One-time sync of specific certificates
- Testing certificate sync configurations
- Force sync after making changes
Azure Key Vault does not support importing certificates back into Infisical, because private keys cannot be extracted from Azure Key Vault.