Merge pull request #111796 from msmbaldwin/akv-restore-about

Restored about keys secrets certs article

Author: megvanhuygen

.openpublishing.redirection.json

@@ -3639,7 +3639,7 @@
     },
    {
       "source_path": "articles/key-vault/about-keys-secrets-and-certificates.md",
-      "redirect_url": "/azure/key-vault",
+      "redirect_url": "/azure/key-vault/general/about-keys-secrets-certificates",
       "redirect_document_id": false
     },
    {

articles/key-vault/certificates/about-certificates.md

@@ -15,49 +15,6 @@ ms.author: mbaldwin
 
 # About Azure Key Vault certificates
 
-Azure Key Vault enables Microsoft Azure applications and users to store and use certificates, which are built on top of keys and secrets and add an automated renewal feature.
-
-For more general information about Key Vault, see [What is Azure Key Vault?](/azure/key-vault/key-vault-overview)
-
-## Azure Key Vault
-
-The following sections offer general information applicable across the implementation of the Key Vault service.
-
-### Supporting standards
-
-The JavaScript Object Notation (JSON) and JavaScript Object Signing and Encryption (JOSE) specifications are important background information.  
-
--   [JSON Web Key (JWK)](https://tools.ietf.org/html/draft-ietf-jose-json-web-key-41)  
--   [JSON Web Encryption (JWE)](https://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-40)  
--   [JSON Web Algorithms (JWA)](https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40)  
--   [JSON Web Signature (JWS)](https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-41)  
-
-### Objects, identifiers, and versioning
-
-Objects stored in Key Vault are versioned whenever a new instance of an object is created. Each version is assigned a unique identifier and URL. When an object is first created, it's given a unique version identifier and marked as the current version of the object. Creation of a new instance with the same object name gives the new object a unique version identifier, causing it to become the current version.  
-
-Objects in Key Vault can be addressed using the current identifier or a version-specific identifier. For example, given a Key with the name `MasterKey`, performing operations with the current identifier causes the system to use the latest available version. Performing operations with the version-specific identifier causes the system to use that specific version of the object.  
-
-Objects are uniquely identified within Key Vault using a URL. No two objects in the system have the same URL, regardless of geo-location. The complete URL to an object is called the Object Identifier. The URL consists of a prefix that identifies the Key Vault, object type, user provided Object Name, and an Object Version. The Object Name is case-insensitive and immutable. Identifiers that don't include the Object Version are referred to as Base Identifiers.  
-
-For more information, see [Authentication, requests, and responses](../general/authentication-requests-and-responses.md)
-
-An object identifier has the following general format:  
-
-`https://{keyvault-name}.vault.azure.net/{object-type}/{object-name}/{object-version}`  
-
-Where:  
-
-|||  
-|-|-|  
-|`keyvault-name`|The name for a key vault in the Microsoft Azure Key Vault service.<br /><br /> Key Vault names are selected by the user and are globally unique.<br /><br /> Key Vault name must be a 3-24 character string, containing only 0-9, a-z, A-Z, and -.|  
-|`object-type`|The type of the object, either "keys" or "secrets".|  
-|`object-name`|An `object-name` is a user provided name for and must be unique within a Key Vault. The name must be a 1-127 character string, containing only 0-9, a-z, A-Z, and -.|  
-|`object-version`|An `object-version` is a system-generated, 32 character string identifier that is optionally used to address a unique version of an object.|  
-
-
-## Key Vault Certificates
-
 Key Vault certificates support provides for management of your x509 certificates and the following behaviors:  
 
 -   Allows a certificate owner to create a certificate through a Key Vault creation process or through the import of an existing certificate. Includes both self-signed and Certificate Authority generated certificates.
@@ -69,27 +26,27 @@ Key Vault certificates support provides for management of your x509 certificates
 >[!Note]
 >Non-partnered providers/authorities are also allowed but, will not support the auto renewal feature.
 
-### Composition of a Certificate
+## Composition of a Certificate
 
 When a Key Vault certificate is created, an addressable key and secret are also created with the same name. The Key Vault key allows key operations and the Key Vault secret allows retrieval of the certificate value as a secret. A Key Vault certificate also contains public x509 certificate metadata.  
 
 The identifier and version of certificates is similar to that of keys and secrets. A specific version of an addressable key and secret created with the Key Vault certificate version is available in the Key Vault certificate response.
 
 ![Certificates are complex objects](../media/azure-key-vault.png)
 
-### Exportable or Non-exportable key
+## Exportable or Non-exportable key
 
 When a Key Vault certificate is created, it can be retrieved from the addressable secret with the private key in either PFX or PEM format. The policy used to create the certificate must indicate that the key is exportable. If the policy indicates non-exportable, then the private key isn't a part of the value when retrieved as a secret.  
 
 The addressable key becomes more relevant with non-exportable KV certificates. The addressable KV key's operations are mapped from *keyusage* field of the KV certificate policy used to create the KV Certificate.  
 
 Two types of key are supported – *RSA* or *RSA HSM* with certificates. Exportable is only allowed with RSA, not supported by RSA HSM.  
 
-### Certificate Attributes and Tags
+## Certificate Attributes and Tags
 
 In addition to certificate metadata, an addressable key and addressable secret, a Key Vault certificate also contains attributes and tags.  
 
-#### Attributes
+### Attributes
 
 The certificate attributes are mirrored to attributes of the addressable key and secret created when KV certificate is created.  
 
@@ -107,14 +64,14 @@ There are additional read-only attributes that are included in response:
 > [!Note] 
 > If a Key Vault certificate expires, it's addressable key and secret become inoperable.  
 
-#### Tags
+### Tags
 
  Client specified dictionary of key value pairs, similar to tags in keys and secrets.  
 
  > [!Note]
 > Tags are readable by a caller if they have the *list* or *get* permission to that object type (keys, secrets, or certificates).
 
-### Certificate policy
+## Certificate policy
 
 A certificate policy contains information on how to create and manage lifecycle of a Key Vault certificate. When a certificate with private key is imported into the key vault, a default policy is created by reading the x509 certificate.  
 
@@ -134,7 +91,7 @@ At a high level, a certificate policy contains the following information:
 -   Issuer: Parameters about the certificate issuer to use to issue x509 certificates.  
 -   Policy Attributes: contains attributes associated with the policy  
 
-#### X509 to Key Vault usage mapping
+### X509 to Key Vault usage mapping
 
 The following table represents the mapping of x509 key usage policy to effective key operations of a key created as part of a Key Vault certificate creation.
 
@@ -149,7 +106,7 @@ The following table represents the mapping of x509 key usage policy to effective
 |NonRepudiation|sign, verify| N/A |
 |crlsign|sign, verify| N/A |
 
-### Certificate Issuer
+## Certificate Issuer
 
 A Key Vault certificate object holds a configuration used to communicate with a selected certificate issuer provider to order x509 certificates.  
 
@@ -176,7 +133,7 @@ Key Vault allows for creation of multiple issuer objects with different issuer p
 
 Issuer objects are created in the vault and can only be used with KV certificates in the same vault.  
 
-### Certificate contacts
+## Certificate contacts
 
 Certificate contacts contain contact information to send notifications triggered by certificate lifetime events. The contacts information is shared by all the certificates in the key vault. A notification is sent to all the specified contacts for an event for any certificate in the key vault.  
 
@@ -187,7 +144,7 @@ If a certificate's policy is set to auto renewal, then a notification is sent on
 
   When a certificate policy that is set to be manually renewed (email only), a notification is sent when it's time to renew the certificate.  
 
-### Certificate Access Control
+## Certificate Access Control
 
  Access control for certificates is managed by Key Vault, and is provided by the Key Vault that contains those certificates. The access control policy for certificates is distinct from the access control policies for keys and secrets in the same Key Vault. Users may create one or more vaults to hold certificates, to maintain scenario appropriate segmentation and management of certificates.  
 
@@ -215,7 +172,11 @@ If a certificate's policy is set to auto renewal, then a notification is sent on
 
 For more information, see the [Certificate operations in the Key Vault REST API reference](/rest/api/keyvault). For information on establishing permissions, see [Vaults - Create or Update](/rest/api/keyvault/vaults/createorupdate) and [Vaults - Update Access Policy](/rest/api/keyvault/vaults/updateaccesspolicy).
 
-## See Also
+## Next steps
 
+- [About Key Vault](../general/overview.md)
+- [About keys, secrets, and certificates](../general/about-keys-secrets-certificates.md)
+- [About keys](../keys/about-keys.md)
+- [About secrets](../secrets/about-secrets.md)
 - [Authentication, requests, and responses](../general/authentication-requests-and-responses.md)
-- [Key Vault Developer's Guide](../general/developers-guide.md)
+- [Key Vault Developer's Guide](../general/developers-guide.md)

articles/key-vault/general/about-keys-secrets-certificates.md

@@ -0,0 +1,70 @@
+---
+title: About Azure Key Vault keys, secrets and certificates - Azure Key Vault
+description: Overview of Azure Key Vault REST interface and developer details for keys, secrets and certificates.
+services: key-vault
+author: msmbaldwin
+manager: rkarlin
+tags: azure-resource-manager
+
+ms.service: key-vault
+ms.topic: overview
+ms.date: 04/17/2020
+ms.author: mbaldwin
+---
+
+# About keys, secrets, and certificates
+
+Azure Key Vault enables Microsoft Azure applications and users to store and use several types of secret/key data:
+
+- Cryptographic keys: Supports multiple key types and algorithms, and enables the use of Hardware Security Modules (HSM) for high value keys. For more information, see [About keys](../keys/about-keys.md).
+- Secrets: Provides secure storage of secrets, such as passwords and database connection strings. For more information, see [About secrets](../secrets/about-secrets.md).
+- Certificates: Supports certificates, which are built on top of keys and secrets and add an automated renewal feature. For more information, see [About certificates](../certificates/about-certificates.md).
+- Azure Storage: Can manage keys of an Azure Storage account for you. Internally, Key Vault can list (sync) keys with an Azure Storage Account, and regenerate (rotate) the keys periodically. For more information, see [Manage storage account keys with Key Vault](../secrets/overview-storage-keys.md).
+
+For more general information about Key Vault, see [About Azure Key Vault](overview.md).
+
+## Data types
+
+Refer to the JOSE specifications for relevant data types for keys, encryption, and signing.  
+
+-   **algorithm** - a supported algorithm for a key operation, for example, RSA1_5  
+-   **ciphertext-value** - cipher text octets, encoded using Base64URL  
+-   **digest-value** - the output of a hash algorithm, encoded using Base64URL  
+-   **key-type** - one of the supported key types, for example RSA (Rivest-Shamir-Adleman).  
+-   **plaintext-value** - plaintext octets, encoded using Base64URL  
+-   **signature-value** - output of a signature algorithm, encoded using Base64URL  
+-   **base64URL** - a Base64URL [RFC4648] encoded binary value  
+-   **boolean** - either true or false  
+-   **Identity** - an identity from Azure Active Directory (AAD).  
+-   **IntDate** - a JSON decimal value representing the number of seconds from 1970-01-01T0:0:0Z UTC until the specified UTC date/time. See RFC3339 for details regarding date/times, in general and UTC in particular.  
+
+## Objects, identifiers, and versioning
+
+Objects stored in Key Vault are versioned whenever a new instance of an object is created. Each version is assigned a unique identifier and URL. When an object is first created, it's given a unique version identifier and marked as the current version of the object. Creation of a new instance with the same object name gives the new object a unique version identifier, causing it to become the current version.  
+
+Objects in Key Vault can be addressed using the current identifier or a version-specific identifier. For example, given a Key with the name `MasterKey`, performing operations with the current identifier causes the system to use the latest available version. Performing operations with the version-specific identifier causes the system to use that specific version of the object.  
+
+Objects are uniquely identified within Key Vault using a URL. No two objects in the system have the same URL, regardless of geo-location. The complete URL to an object is called the Object Identifier. The URL consists of a prefix that identifies the Key Vault, object type, user provided Object Name, and an Object Version. The Object Name is case-insensitive and immutable. Identifiers that don't include the Object Version are referred to as Base Identifiers.  
+
+For more information, see [Authentication, requests, and responses](authentication-requests-and-responses.md)
+
+An object identifier has the following general format:  
+
+`https://{keyvault-name}.vault.azure.net/{object-type}/{object-name}/{object-version}`  
+
+Where:  
+
+|||  
+|-|-|  
+|`keyvault-name`|The name for a key vault in the Microsoft Azure Key Vault service.<br /><br /> Key Vault names are selected by the user and are globally unique.<br /><br /> Key Vault name must be a 3-24 character string, containing only 0-9, a-z, A-Z, and -.|  
+|`object-type`|The type of the object, "keys",  "secrets", or 'certificates'.|  
+|`object-name`|An `object-name` is a user provided name for and must be unique within a Key Vault. The name must be a 1-127 character string, containing only 0-9, a-z, A-Z, and -.|  
+|`object-version`|An `object-version` is a system-generated, 32 character string identifier that is optionally used to address a unique version of an object.|  
+
+## Next steps
+
+- [About keys](../keys/about-keys.md)
+- [About secrets](../secrets/about-secrets.md)
+- [About certificates](../certificates/about-certificates.md)
+- [Authentication, requests, and responses](../general/authentication-requests-and-responses.md)
+- [Key Vault Developer's Guide](../general/developers-guide.md)

articles/key-vault/general/overview.md

@@ -15,7 +15,7 @@ ms.author: mbaldwin
 #Customer intent: As an IT Pro, Decision maker or developer I am trying to learn what Key Vault is and if it offers anything that could be used in my organization.
 
 ---
-# What is Azure Key Vault?
+# About Azure Key Vault
 
 Azure Key Vault helps solve the following problems:
 
@@ -77,4 +77,7 @@ Key Vault itself can integrate with storage accounts, event hubs, and log analyt
 
 ## Next steps
 
+- Learn more about [keys, secrets, and certificates](about-keys-secrets-certificates.md)
 - [Quickstart: Create an Azure Key Vault using the CLI](../secrets/quick-create-cli.md)
+- [Authentication, requests, and responses](../general/authentication-requests-and-responses.md)
+- [Key Vault Developer's Guide](../general/developers-guide.md)

articles/key-vault/general/toc.yml

@@ -2,8 +2,10 @@
   href: index.yml
 - name: Overview 
   items:
-  - name: What is Azure Key Vault?
+  - name: About Azure Key Vault
     href: overview.md
+  - name: About keys, secrets, and certificates
+    href: about-keys-secrets-certificates.md
 
 - name: Tutorials 
   items: