BYOK for Microsoft Azure
Microsoft Azure provides various services such as computing, networking, and storage over the cloud. Azure allows users to bring their own keys to be used with these services. The imported keys are referred to as tenant keys and are stored in the Azure Key Vault. For more information on Microsoft Azure, refer to the Microsoft Azure documentation available online.
Prerequisites
To use BYOK for Microsoft Azure, ensure that:
- CADP for Java is installed and configured. Refer to Quick start for detailed installation instructions and Configuration Parameters for configuration details. 
- A javac compiler exists in the path. 
- One of the supported Java versions is installed on your machine. Refer to General system architecture for details. 
- A Key Vault must be created before importing the certificate. 
The high-level steps involved in using BYOK for Microsoft Azure with CADP for Java are:
- Generating an RSA key or an EC key on Key Manager. 
- Generating the PKCS#12 certificate with .pfx extension using the SelfSignedCertificateUtility. 
- Importing the certificate (containing both public and private keys) to the Azure Key Vault. 
Create RSA/EC Key
Refer to Create a key for detailed instructions.
Generate PKCS#12 Certificate
- Update the details.properties file with the certificate attributes. This file is available on GitHub. If an attribute is not set, the certificate is created using the default value from the details.properties file. The attributes are:
  - Validity: Validity of the certificate in days. Default value is 365.
  - KeyUsage: Defines the usage of the certificate being generated. Valid values are:
    - digitalSignature
    - nonRepudiation
    - keyEncipherment
    - dataEncipherment
    - keyAgreement
    - keyCertSign
    - cRLSign
    - encipherOnly
    - decipherOnly
    Default values are keyEncipherment and digitalSignature.
  - Algorithm: Algorithm used to sign the certificate being generated. Valid values are:
    - SHA1WithRSA
    - SHA256WithRSA
    - SHA384WithRSA
    - SHA512WithRSA
    - SHA1WithECDSA
    - SHA224WithECDSA
    - SHA256WithECDSA
    - SHA384WithECDSA
    - SHA512WithECDSA
    Default value is SHA1WithRSA.
  - CommonName: Common name for the certificate. Default value is TestUser.
  - CountryName: Country code used for the certificate. Default value is IN.
  - Destination: Directory, including the certificate file name, where the certificate is to be generated. If this attribute is not specified, the certificate is created with the name SignedCertificate.pfx in the current working directory.
  - CertPassword: Password for the certificate. Default value is changeit. It is an optional attribute. Note: If the certPassword value is specified on the SelfSignedCertificateUtility command line, it overrides the value specified in the details.properties file.
  - Email: E-mail ID for the certificate. It is an optional attribute.
  - Location: Location (locality) of the certificate. It is an optional attribute.
  - OrganizationName: Name of the organization for the certificate. It is an optional attribute.
  - OrganizationUnitName: Name of the organizational unit for the certificate. It is an optional attribute.
  - StateName: Name of the state for the certificate. It is an optional attribute.
- Execute SelfSignedCertificateUtility. This sample is available on GitHub.
  Usage: java SelfSignedCertificateUtility [-user ksUserName] [-password ksPassword] -key rsaOrECCKeyName -file details.properties [-certPass certPassword]
  The input parameters are:
  - user: Name of the user on Key Manager. It is an optional parameter.
  - password: Password of the user on Key Manager. The following special characters * ‘ “ and
  - key: Name of the RSA or EC key created on Key Manager.
  - file: The details.properties file containing the certificate attributes.
  - certPass: Password for the certificate to be generated. It is an optional parameter. The value of this parameter overrides the value set in the details.properties file.
Example
For example, successful execution of the following command generates the self-signed certificate named SignedCertificate.pfx.
java SelfSignedCertificateUtility -user kmuser -password kmpassword -key KMKey -file details.properties
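Before the generated .pfx is uploaded, it is worth confirming that it actually contains what the Key Vault expects. The Java program below is an added example, not part of CADP for Java or of SelfSignedCertificateUtility; it opens the .pfx with the standard KeyStore API and reports conditions a practitioner would normally fix first: a private key and certificate must both be present, the signature algorithm should not be the SHA1WithRSA default, an RSA modulus should be at least 2048 bits, the validity window should cover the current date, and the certificate password should not be the default changeit. The file path and password are taken from the command line; the class name PfxPreflight and the 2048-bit threshold are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.List;

/**
 * Pre-upload check for a PKCS#12 (.pfx) file such as the one produced by
 * SelfSignedCertificateUtility. Added example (hypothetical class name), not
 * part of CADP for Java. check() returns a list of findings; an empty list
 * means nothing was flagged.
 */
public class PfxPreflight {

    // Bit positions of the boolean[] returned by X509Certificate.getKeyUsage(),
    // in the same order as the KeyUsage values accepted in details.properties.
    private static final String[] KEY_USAGE_NAMES = {
        "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
        "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"
    };

    /** Loads the .pfx and inspects every private-key entry it contains. */
    public static List<String> check(InputStream pfx, char[] password) throws Exception {
        List<String> findings = new ArrayList<>();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(pfx, password);  // throws IOException if the password is wrong

        if (password == null || password.length == 0 || "changeit".equals(new String(password))) {
            findings.add("certificate password is empty or the default 'changeit'; set CertPassword or -certPass");
        }

        boolean sawKeyEntry = false;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                continue;  // trusted-certificate entries carry no private key and cannot serve as a tenant key
            }
            sawKeyEntry = true;
            Key key = ks.getKey(alias, password);
            if (!(key instanceof PrivateKey)) {
                findings.add(alias + ": entry does not hold a private key");
                continue;
            }
            Certificate cert = ks.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) {
                findings.add(alias + ": no X.509 certificate bound to the private key");
                continue;
            }
            findings.addAll(inspect(alias, (X509Certificate) cert));
        }
        if (!sawKeyEntry) {
            findings.add("no private-key entry found; the .pfx must contain both the public and the private key");
        }
        return findings;
    }

    /** Checks the signature algorithm, key type and size, validity window and key usage of one certificate. */
    static List<String> inspect(String alias, X509Certificate x509) {
        List<String> f = new ArrayList<>();
        // The utility's Algorithm attribute defaults to SHA1WithRSA; SHA-1 signatures are deprecated.
        String sigAlg = x509.getSigAlgName();
        if (sigAlg.toUpperCase().startsWith("SHA1")) {
            f.add(alias + ": signed with " + sigAlg + "; set Algorithm to a SHA-256 or stronger variant in details.properties");
        }
        // Key type and size (2048-bit minimum for RSA is this example's assumption).
        PublicKey pub = x509.getPublicKey();
        if (pub instanceof RSAPublicKey) {
            int bits = ((RSAPublicKey) pub).getModulus().bitLength();
            if (bits < 2048) f.add(alias + ": RSA key is only " + bits + " bits; use at least 2048");
        } else if (!(pub instanceof ECPublicKey)) {
            f.add(alias + ": unexpected key type " + pub.getAlgorithm() + "; expected RSA or EC");
        }
        // Validity window (the Validity attribute, default 365 days).
        Date now = new Date();
        if (now.before(x509.getNotBefore()) || now.after(x509.getNotAfter())) {
            f.add(alias + ": certificate is not currently valid (" + x509.getNotBefore() + " .. " + x509.getNotAfter() + ")");
        }
        // Key usage bits (the KeyUsage attribute).
        boolean[] ku = x509.getKeyUsage();
        if (ku == null) {
            f.add(alias + ": no KeyUsage extension present");
        } else {
            List<String> names = new ArrayList<>();
            for (int i = 0; i < ku.length && i < KEY_USAGE_NAMES.length; i++) if (ku[i]) names.add(KEY_USAGE_NAMES[i]);
            if (!(names.contains("keyEncipherment") || names.contains("digitalSignature") || names.contains("keyAgreement"))) {
                f.add(alias + ": KeyUsage " + names + " allows neither encryption nor signing");
            }
        }
        return f;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java PfxPreflight <file.pfx> <password>");
            System.exit(2);
        }
        try (InputStream in = new FileInputStream(args[0])) {
            List<String> findings = check(in, args[1].toCharArray());
            if (findings.isEmpty()) {
                System.out.println(args[0] + ": no findings");
            } else {
                findings.forEach(s -> System.out.println("WARN " + s));
                System.exit(1);
            }
        }
    }
}
```

Run it as java PfxPreflight SignedCertificate.pfx <certPassword> on the file produced by the command above; a non-zero exit status with one WARN line per finding tells you what to change in details.properties before regenerating and uploading.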
Import a PKCS#12 Certificate
To import a PKCS#12 certificate in .pfx format into Microsoft Azure, follow these steps:
- Log on to the Microsoft Azure account. 
- Click All services and, in the search box, enter Key vault. A page with the list of existing key vaults is displayed. If the key vault doesn’t exist, create a key vault. 
- Under the Name column, click the key vault name link and then from the SETTINGS list, click Keys. The existing keys in the key vault are listed.  
- Click +Generate/Import. The Create a key page is displayed to upload the PKCS#12 certificate.  
- Enter the certificate details as described below:
  - Options: Select the Upload option.
  - File Upload: Browse and select the certificate to be uploaded. It is a mandatory field.
  - Password: Provide the password for the certificate as specified during the certificate generation. It is a mandatory field. Note: This is the password specified in the details.properties file or on the SelfSignedCertificateUtility command line when the certificate was generated.
  - Name: Specify a name for the certificate to be uploaded. The certificate is listed in the key vault with this name. It is a mandatory field.
  - Set activation/expiration date: Select the options as required, and set the activation/expiration date. It is an optional field.
  - Enabled: Yes is selected by default. Select No, if required.
- Click Create. The certificate is uploaded and listed in the key vault. The screen also displays a message about the successful creation of the certificate-key.