Merge pull request #111842 from sebansal/docs-working-branch3

shawnmariejones · web-flow · commit 9236b189e92e · 2020-04-23T08:27:51.000-07:00
adding changes to certificate tutorials
diff --git a/articles/key-vault/certificates/toc.yml b/articles/key-vault/certificates/toc.yml
@@ -22,6 +22,8 @@
   items:
   - name: Import a certificate
     href: tutorial-import-certificate.md
+  - name: Configure certificate rotation
+    href: tutorial-rotate-certificates.md
 - name: Concepts 
   items:
   - name: Get started with Key Vault certificates
diff --git a/articles/key-vault/certificates/tutorial-import-certificate.md b/articles/key-vault/certificates/tutorial-import-certificate.md
@@ -10,7 +10,7 @@ ms.service: key-vault
 ms.subservice: certificates
 ms.topic: tutorial
 ms.custom: mvc
-ms.date: 04/03/2020
+ms.date: 04/16/2020
 ms.author: sebansal
 #Customer intent:As a security admin who is new to Azure, I want to use Key Vault to securely store certificates in Azure
 ---
@@ -72,18 +72,21 @@ To import a certificate to the vault, you need to have a PEM or PFX certificate
     - **Method of Certificate Creation**: Import.
     - **Certificate Name**: ExampleCertificate.
     - **Upload Certificate File**: select the certificate file from disk
-    - Leave the other values to their defaults. Click **Create**.
+    - **Password** : If you are uploading a password protected certificate file, provide that password here. Otherwise, leave it blank. Once the certificate file is successfully imported, key vault will remove that password.
+4. Click **Create**.
 
 ![Certificate properties](../media/certificates/tutorial-import-cert/cert-import.png)
 
-Once that you receive the message that the certificate has been successfully imported, you may click on it on the list. You can then see some of its properties. 
+By adding a certificate using **Import** method, Azure Key vault will automatically populate certificate parameters (i.e. validity period, Issuer name, activation date etc.).
+
+Once you receive the message that the certificate has been successfully imported, you may click on it on the list to view its properties. 
 
 ![Certificate properties](../media/certificates/tutorial-import-cert/current-version-hidden.png)
 
 ## Import a certificate using Azure CLI
 
 Import a certificate into a specified key vault. To 
-import an existing valid certificate, containing a private key, into Azure Key Vault, the file to be imported can be in either PFX or PEM format. If the certificate is in PEM format the PEM file must contain the key as well as x509 certificates. This operation requires the certificates/import permission.
+import an existing valid certificate, containing a private key, into Azure Key Vault, the file to be imported can be in either PFX or PEM format. If the certificate is in PEM format, the PEM file must contain the key as well as x509 certificates. This operation requires the certificates/import permission.
 
 ```azurecli
 az keyvault certificate import --file
@@ -98,6 +101,22 @@ az keyvault certificate import --file
 ```
 Learn more about the parameters [here](https://docs.microsoft.com/cli/azure/keyvault/certificate?view=azure-cli-latest#az-keyvault-certificate-import)
 
+After importing the certificate, you can view the certificate using [Certificate show](https://docs.microsoft.com/cli/azure/keyvault/certificate?view=azure-cli-latest#az-keyvault-certificate-show)
+
+
+```azurecli
+az keyvault certificate show [--id]
+                             [--name]
+                             [--only-show-errors]
+                             [--subscription]
+                             [--vault-name]
+                             [--version]
+```
+
+
+
+Now, you have created a Key vault, imported a certificate and viewed Certificate's properties.
+
 ## Clean up resources
 
 Other Key Vault quickstarts and tutorials build upon this quickstart. If you plan to continue on to work with subsequent quickstarts and tutorials, you may wish to leave these resources in place.
@@ -112,6 +131,6 @@ When no longer needed, delete the resource group, which deletes the Key Vault an
 
 In this tutorial, you created a Key Vault and imported a certificate in it. To learn more about Key Vault and how to integrate it with your applications, continue on to the articles below.
 
-- Read more about [Managing certificates in Azure Key Vault](/archive/blogs/kv/manage-certificates-via-azure-key-vault)
+- Read more about [Managing certificate creation in Azure Key Vault](https://docs.microsoft.com/azure/key-vault/certificates/create-certificate-scenarios)
 - See examples of [Importing Certificates Using REST APIs](/rest/api/keyvault/importcertificate/importcertificate)
 - Review [Azure Key Vault best practices](../general/best-practices.md)
diff --git a/articles/key-vault/certificates/tutorial-rotate-certificates.md b/articles/key-vault/certificates/tutorial-rotate-certificates.md
@@ -0,0 +1,150 @@
+---
+title: Tutorial - Updating certificate's auto-rotation frequency in Key Vault | Microsoft Docs
+description: Tutorial showing how to update a certificate's auto-rotation frequency in Azure Key Vault using the Azure portal
+services: key-vault
+author: msmbaldwin
+manager: rkarlin
+tags: azure-resource-manager
+
+ms.service: key-vault
+ms.subservice: certificates
+ms.topic: tutorial
+ms.custom: mvc
+ms.date: 04/16/2020
+ms.author: sebansal
+#Customer intent:As a security admin who is new to Azure, I want to use Key Vault to securely store certificates in Azure
+---
+# Tutorial: Configuring certificate's auto-rotation in Key Vault
+
+Azure Key Vault lets you easily provision, manage, and deploy digital certificates. They could be public and private SSL/TLS certificates signed by Certificate Authority or a self-signed certificate. Key Vault can also request and renew certificates through partnerships with certificate authorities, providing a robust solution for certificate life cycle management. In this tutorial, you will update certificate's attributes - validity period, auto-rotation frequency, CA. For more information on Key Vault, review the [Overview](../general/overview.md).
+
+The tutorial shows you how to:
+
+> [!div class="checklist"]
+> * Manage a certificate using Azure portal
+> * Add Certificate Authority provider Account
+> * Update certificate's validity period
+> * Update certificate's auto-rotation frequency
+> * Update certificate's attributes using Azure Powershell
+
+
+Before you begin, read [Key Vault basic concepts](../general/basic-concepts.md). 
+
+If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
+
+## Sign in to Azure
+
+Sign in to the Azure portal at https://portal.azure.com.
+
+## Create a vault
+
+Create or select your existing Key Vault to  perform operations. [(Steps to create a Key vault).](../quick-create-portal.md) In the example, the Vault name is **Example-Vault**. 
+
+![Output after Key Vault creation completes](../media/certificates/tutorial-import-cert/vault-properties.png)
+
+## Create a certificate in Key Vault
+
+Create or import a certificate in the vault. [(Steps to create certificate in Key vault).](../quick-create-portal.md) In this case, we work on certificate called **ExampleCertificate**.
+
+> [!NOTE]
+> In Azure Key Vault, a certificate's life cycle attributes can be updated both at the time of certificate's creation as well as after it has been created. 
+## Updating Certificate's life cycle attributes
+
+A certificate created in the Key Vault can be 
+- a self-signed certificate
+- a certificate created with a Certificate Authority (CA) that is partnered with Key Vault
+- a certificate with a Certificate Authority that is not partnered with Key Vault
+
+The following Certificate Authorities are currently partnered providers with Key Vault:
+- DigiCert - Key Vault offers OV TLS/SSL certificates with DigiCert.
+- GlobalSign - Key Vault offers OV TLS/SSL certificates with GlobalSign.
+
+Azure Key Vault auto-rotates certificates through partnerships with certificate authorities. Through that established partnership, Key Vault automatically requests and renews certificates. Therefore, **auto-rotation capability is not applicable for certificates created with CAs that are not partnered with Key Vault.** 
+
+> [!NOTE]
+> An account admin for a CA provider creates credentials to be used by Key Vault to create, renew, and use TLS/SSL certificates via Key Vault.
+![Certificate authority](../media/certificates/tutorial-rotate-cert/cert-authority-create.png)
+> 
+
+
+### Updating Certificate's life cycle attributes at the time of Certificate creation
+
+1. On the Key Vault properties pages, select **Certificates**.
+2. Click on **Generate/Import**.
+3. On the **Create a certificate** screen update the following values:
+    
+
+    - **Validity Period**: Enter the value (in  months). Creating short lived certificates is a recommended security practice. By default validity value of a newly created certificate is 12 months.
+    - **Lifetime Action Type**: Select certificate's auto-renewal and alerting action. As per the selection, update 'percentage lifetime' or 'Number of days before expiry'. By default, a certificate's auto-renewal is set at 80% of its lifetime.<br> From the drop down menu, select the option :
+
+    |  Automatically renew at a given time| Email all contacts at a given time |
+    |-----------|------|
+    |Selecting this option will TURN ON autorotation | Selecting this option will NOT auto-rotate, it will only alert the contacts|
+        
+
+
+4. Click on **Create**.
+
+![Certificate Life cycle](../media/certificates/tutorial-rotate-cert/create-cert-lifecycle.png)
+
+### Updating Life cycle attributes of stored certificate
+
+1. Select the Key Vault.
+2. On the Key Vault properties pages, select **Certificates**.
+3. Select the certificate that you wish to update. In this case, we will work on certificate called **ExampleCertificate**.
+4. Select **Issuance Policy** from the top menu bar.
+
+![Certificate properties](../media/certificates/tutorial-rotate-cert/cert-issuance-policy.png)
+5. On the **Issuance Policy** screen, update the following values:
+- **Validity Period**: Update the value (in  months)
+- **Lifetime Action Type**: Select certificate's auto-renewal and alerting action. As per the selection, update the 'percentage lifetime' or 'Number of days before expiry'. 
+
+![Certificate properties](../media/certificates/tutorial-rotate-cert/cert-policy-change.png)
+6. Click on **Save**.
+
+> [!IMPORTANT]
+> Changing the Lifetime Action Type for a certificate will record modifications for the existing certificates immediately.
+
+
+### Updating Certificate's attributes using PowerShell
+
+```azurepowershell
+
+
+Set-AzureKeyVaultCertificatePolicy -VaultName $vaultName 
+                                   -Name $certificateName 
+                                   -RenewAtNumberOfDaysBeforeExpiry [276 or appropriate calculated value]
+```
+
+> [!TIP]
+> To modify renewal policy for a list of certificates, input​ File.csv​ containing
+>  VaultName,CertName ​<br/>
+>  vault1,Cert1​ <br/>
+>  vault2,Cert2​
+>
+>  ```azurepowershell
+>  $file = Import-CSV C:\Users\myfolder\ReadCSVUsingPowershell\File.csv ​
+> foreach($line in $file)​
+> {​
+> Set-AzureKeyVaultCertificatePolicy -VaultName $vaultName -Name $certificateName -RenewAtNumberOfDaysBeforeExpiry [276 or appropriate calculated value]
+> }
+>  ```
+> 
+Learn more about the parameters [here](https://docs.microsoft.com/cli/azure/keyvault/certificate?view=azure-cli-latest#az-keyvault-certificate-set-attributes)
+
+## Clean up resources
+
+Other Key Vault quickstarts and tutorials build upon this quickstart. If you plan to continue on to work with subsequent quickstarts and tutorials, you may wish to leave these resources in place.
+When no longer needed, delete the resource group, which deletes the Key Vault and related resources. To delete the resource group through the portal:
+
+1. Enter the name of your resource group in the Search box at the top of the portal. When you see the resource group used in this quickstart in the search results, select it.
+2. Select **Delete resource group**.
+3. In the **TYPE THE RESOURCE GROUP NAME:** box type in the name of the resource group and select **Delete**.
+
+
+## Next steps
+
+In this tutorial, you updated a certificate's life-cycle. To learn more about Key Vault and how to integrate it with your applications, continue on to the articles below.
+
+Read more about [Managing certificate creation in Azure Key Vault](https://docs.microsoft.com/azure/key-vault/certificates/create-certificate-scenarios)
+- Review the [Key Vault Overview](../general/overview.md)
