Amplia - Azure Key Vault key stores

Azure Key Vault can be thought of as a cloud HSM. Keys are stored on FIPS 140-2 Level 2 validated HSMs for a relatively low cost of ~5 dollars per month per key. This service from Microsoft has enabled the use of HSMs on projects which otherwise would not have the necessary budget.

Tip

Lacuna Software's cloud-based Amplia instance (SaaS offering) stores all CA keys on Azure Key Vault, and we highly recommend it for instances installed either on the cloud or on local servers.

To configure an Azure Key Vault key store on Amplia, use the following settings:

  • Type: AzureKeyVault
  • Endpoint: DNS name of the key vault (shown on the Overview tab of the key vault) -- e.g.: https://my-pki.vault.azure.net/
  • AppId: Application ID to be used to authenticate with Azure
  • AppKey: Application secret key to be used to authenticate with Azure (for additional security, omit this value and specify the CertThumb instead)
  • CertThumb: thumbprint of the certificate to be used to authenticate with Azure (hex-encoded, as provided by the Azure Portal)
  • UseHsm: by default, HSM-protected keys are created. To use "software" keys, set this value to false

Sample configuration:

"KeyStores": {
    ...,
    "MyKeyVault": {
        "Type": "AzureKeyVault",
        "Endpoint": "https://xxx.vault.azure.net/",
        "AppId": "00000000-0000-0000-0000-000000000000",
        "AppKey": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
    },
    ...
}
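
A pre-deployment check for the settings listed above, as an added example (not part of Amplia or of Lacuna Software's documentation): it lints a parsed `KeyStores` section and reports entries that keep the `AppKey` secret in the configuration, disable HSM protection, or carry malformed values. The function names and sample values are constructed, and the 40-hex-digit thumbprint length assumes a SHA-1 certificate thumbprint.

```python
import re
from urllib.parse import urlparse

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
# Assumption: the thumbprint is a SHA-1 thumbprint, i.e. 40 hex digits.
THUMB_RE = re.compile(r"^[0-9a-fA-F]{40}$")

def lint_key_vault_store(name, store):
    """Return (severity, message) findings for one key store entry."""
    findings = []
    if store.get("Type") != "AzureKeyVault":
        return findings  # other key store types are out of scope here
    url = urlparse(store.get("Endpoint", ""))
    if url.scheme != "https" or not url.hostname:
        findings.append(("error", f"{name}: Endpoint must be the https:// DNS name of the vault"))
    if not GUID_RE.match(store.get("AppId", "")):
        findings.append(("error", f"{name}: AppId is not a GUID"))
    has_key, thumb = bool(store.get("AppKey")), store.get("CertThumb")
    if not has_key and not thumb:
        findings.append(("error", f"{name}: neither AppKey nor CertThumb is set"))
    if has_key:
        findings.append(("warn", f"{name}: AppKey secret is in the configuration; omit it and set CertThumb"))
    if thumb and not THUMB_RE.match(thumb):
        findings.append(("error", f"{name}: CertThumb is not a 40-digit hex thumbprint"))
    if store.get("UseHsm", True) is False:
        findings.append(("warn", f"{name}: UseHsm=false creates software keys, not HSM-protected keys"))
    return findings

def lint_config(config):
    """Lint every entry under KeyStores, in file order."""
    return [finding for name, store in config.get("KeyStores", {}).items()
            for finding in lint_key_vault_store(name, store)]

# Constructed sample input (placeholder values, not real credentials).
SAMPLE = {"KeyStores": {
    "WithSecret": {"Type": "AzureKeyVault", "Endpoint": "https://xxx.vault.azure.net/",
                   "AppId": "00000000-0000-0000-0000-000000000000",
                   "AppKey": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="},
    "WithCert": {"Type": "AzureKeyVault", "Endpoint": "https://xxx.vault.azure.net/",
                 "AppId": "00000000-0000-0000-0000-000000000000",
                 "CertThumb": "0123456789ABCDEF0123456789ABCDEF01234567"},
    "Software": {"Type": "AzureKeyVault", "Endpoint": "http://xxx.vault.azure.net/",
                 "AppId": "not-a-guid", "CertThumb": "zz", "UseHsm": False},
}}

if __name__ == "__main__":
    for severity, message in lint_config(SAMPLE):
        print(f"{severity.upper():5} {message}")
```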

See also

  • Amplia - Key Stores
  • Amplia - CAPI Key Stores
  • Amplia - CNG Key Stores
  • Amplia - PKCS #11 key stores
  • Installing Amplia on Windows Server
  • Troubleshooting
Copyright © 2015-2018 Lacuna Software