Certificate Management using Azure Key Vault and Azure Az PowerShell module

Digital certificates, whether signed by an internal Certification Authority (CA) or by an external CA, are typically managed by different teams within an organisation. It is the responsibility of the certificate issuing team to make the application teams that use a certificate aware of its upcoming expiry. In practice, however, expiring certificates are rarely caught in time, leading to unexpected downtime and outages, or every team ends up in a manic rush to renew, apply and test the new certificate with just days to spare before the expiry.

Rather than being reactive, one can be proactive about this task by using Azure Key Vault. No matter which team issues the certificates, the central IT Platforms team can upload all digital certificates issued by internal or external CAs into Key Vault, along with tags that identify which team issued each certificate, which teams are using it, and so on. They can then run a single PowerShell command to list the certificates that are about to expire and initiate the certificate renewal process with the relevant teams.

The commands below show how to enrol or import any certificate into an Azure Key Vault. You can then easily find the certificates that are due to expire before a pre-set date, inform the users that the certificate will be renewed and that they will need to make changes to use the new certificate, and schedule some smoke tests after the certificate renewal.

Import an Existing Digital Certificate to Azure Key Vault

For a certificate import operation, Azure Key Vault accepts two certificate file formats: PEM and PFX. Although PEM files containing only the public portion exist, Key Vault requires and accepts only a PEM or PFX file that includes the private key.

I have assumed that you have already created an Azure Key Vault called "kvMyCertificateStore" in your subscription, and that you have logged in from PowerShell and are able to view the resources in your subscription. See the Notes below for the PowerShell version I am using and links to the Azure cmdlet documentation.
All set, let's get going.....

The code snippet below shows how to import a PFX file called myCertificate.pfx from your local machine into the vault. I have set a friendly name for this certificate so that it is easy to recognise in the Azure Portal or when it is accessed later. I have also set some tags so that I know who to reach out to when the certificate is due for renewal; tags are an optional property.

# Path to the PFX file on the local machine
$certificateFilePath = "D:\myCertificate.pfx"

# Password protecting the PFX private key. It is shown inline here for illustration only;
# in a real script read it from a secure source (for example Read-Host -AsSecureString)
$certificatePassword = ConvertTo-SecureString -String "YourCertificateP@ssw0rdGoesHere" -AsPlainText -Force

# Friendly name under which the certificate is stored in the vault
$certificateFriendlyName = "mySelfSignedCertificateDecember2020"

# Optional tags used later to identify who owns and uses the certificate
$certificateTag = @{Application_Owner_EmailAddress = "blah@blah.com"; Application_Name = "myApplicationBlah"; Business_Unit = "Department 1"}

# Name of the existing Key Vault
$certificateKeyVault = "kvMyCertificateStore"

# Import the certificate (with its private key) into the vault
Import-AzKeyVaultCertificate -VaultName $certificateKeyVault -Name $certificateFriendlyName -FilePath $certificateFilePath -Password $certificatePassword -Tag $certificateTag

Retrieve list of ALL Digital Certificates in the Key Vault

The command below will get you the list of all certificates in a specific key vault.

$myCertificates = Get-AzKeyVaultCertificate -VaultName $certificateKeyVault

Retrieve list of Digital Certificates from the Key Vault that are due to expire in a pre-set number of days

The commands below retrieve the list of enabled certificates in the Azure Key Vault whose expiry date is 90 days or less away. I have formatted the output as a table and made use of the tags we added when we imported the certificate into the vault.

# Report certificates expiring within this many days
$certificateExpirationDaysReminder = 90

# Enabled is a boolean, so it can be tested directly. New-TimeSpan and Get-Date must be
# evaluated inside (...) subexpressions, not {...} script blocks, otherwise the comparison
# is made against an uninvoked script block and every enabled certificate is returned.
@($myCertificates).Where({ $_.Enabled -and ((New-TimeSpan -Start (Get-Date) -End $_.Expires).Days -le $certificateExpirationDaysReminder) }) | Format-Table -Property Name, Expires, VaultName, Tags
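The expiry check above can be wrapped in a reusable function. The following is an added example, not code from the original post: it reports already-expired certificates separately from those about to expire, flags listings that carry no expiry date instead of silently dropping them, and surfaces the owner tag for follow-up. The function name and the tag keys it reads are assumptions that match the import step earlier on this page.

```powershell
# Added example: expiry report for certificates in a Key Vault (function name and tag keys are assumed)
function Get-ExpiringKeyVaultCertificate {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)] [string] $VaultName,
        [int] $DaysBeforeExpiry = 90,
        [switch] $IncludeDisabled
    )

    $now = Get-Date
    foreach ($cert in (Get-AzKeyVaultCertificate -VaultName $VaultName)) {
        # Disabled certificates are skipped unless explicitly requested
        if (-not $cert.Enabled -and -not $IncludeDisabled) { continue }

        if ($null -eq $cert.Expires) {
            # A listing without an expiry date cannot be assessed; report it rather than hide it
            $daysRemaining = $null
            $status = 'NoExpiryDate'
        } else {
            $daysRemaining = (New-TimeSpan -Start $now -End $cert.Expires).Days
            if ($daysRemaining -lt 0) { $status = 'Expired' }
            elseif ($daysRemaining -le $DaysBeforeExpiry) { $status = 'ExpiringSoon' }
            else { continue }   # still comfortably valid, so not reported
        }

        [pscustomobject]@{
            Name          = $cert.Name
            VaultName     = $cert.VaultName
            Expires       = $cert.Expires
            DaysRemaining = $daysRemaining
            Status        = $status
            Enabled       = $cert.Enabled
            Owner         = $cert.Tags['Application_Owner_EmailAddress']
            Application   = $cert.Tags['Application_Name']
        }
    }
}

# Usage: expired certificates are listed first, then those closest to expiry
Get-ExpiringKeyVaultCertificate -VaultName 'kvMyCertificateStore' -DaysBeforeExpiry 90 |
    Sort-Object DaysRemaining |
    Format-Table Name, Status, DaysRemaining, Expires, Owner, Application
```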

Notes
  • The commands shown above use the newer Az PowerShell module, which replaces the AzureRM module. I am also using PowerShell 7. See the notes on how to install it here.
  • To take this further and fully automate the process, you can configure Azure Logic Apps to find the list of certificates and email the team that manages certificate issuing and renewals. You then have full control over the reminder process and only need to renew the certificates once you get sign-off from your application teams.
  • If you prefer to automate the complete reminder and renewal process, an alternative solution is to update the lifecycle attributes of the certificates and then configure certificate auto-rotation in Key Vault, as documented here.
  • Refer to the MS documentation on the Azure Az PowerShell module here
  • Refer to the MS documentation on Azure Key Vault - Overview and Setup here
  • Refer to the MS documentation on the Azure Key Vault cmdlets here