Skyhigh Security

Using Private Keys from an Azure Key Vault

You can use private keys stored in an Azure Key Vault for certificates that are required to enable cloud communication with clients over SSL-secured connections.

Azure Key Vault is a cloud service for storing cryptographic keys, including private keys, and for performing operations with them without exporting the key material. These keys can be used in a hybrid environment where you are working with both Secure Web Gateway and Secure Web Gateway Cloud Service to protect your network against threats arising from the web.

On the Azure platform, you create an Azure Key Vault instance, register an application that the gateway uses for private key handling, and generate the private keys. On Secure Web Gateway, you import a certificate whose private key stays in the vault. Whenever a signature is required to use the certificate, Secure Web Gateway asks the vault to generate it.

The certificate is used when Secure Web Gateway Cloud Service controls web access over SSL-secured connections for the cloud users of your organization, that is, users who do not access the web on-prem but from outside your local network.

Private Key Handling

A private key that is stored in an Azure Key Vault does not become embedded in any settings that are maintained on Secure Web Gateway. Only what is needed to reach the key is stored in the settings: the application ID, tenant ID, and key ID, together with the client secret of the registered application.

When a private key is needed for a certificate, Secure Web Gateway submits the application ID, tenant ID, and client secret (the password in the settings) to Azure Active Directory to obtain an access token for the Azure Key Vault instance that has been set up to store private keys for use by Secure Web Gateway and Secure Web Gateway Cloud Service. The key ID, a URL, identifies the key in that vault.

After receiving the token, Secure Web Gateway sends an HTTPS request to the sign operation of that key. The signature required to make use of the certificate is computed inside the vault and returned in the response; the private key material itself never leaves Azure.

Monitoring Private Key Handling

The dashboard on Secure Web Gateway shows the number of private key operations and their average duration as seen from Secure Web Gateway. The Azure portal shows similar metrics for the key vault, so that the two views can be compared when latency or failures are suspected on either side.

No error log entries are written on Secure Web Gateway when a private key operation fails. Instead, the response that Secure Web Gateway sends to the client contains an error string, which is mainly taken from the response that Secure Web Gateway received from Azure. To troubleshoot a failure, look at the error string that the client receives rather than at the gateway logs.

You can also run the testKeyVault.sh script and take connection traces for troubleshooting.
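The exchange described under Private Key Handling, replayed outside the gateway so that a wrong application ID, tenant ID, key ID or secret can be diagnosed and Azure's own error text can be read. This is an added example; it is neither part of this page nor the vendor's testKeyVault.sh. It assumes the Key Vault REST API version 7.4, RS256 over a SHA-256 digest, curl and openssl on the path, and the KV_* environment variable names, which are this script's own.

```shell
#!/bin/sh
# Added example (not Skyhigh's testKeyVault.sh): replay the two requests that
# Secure Web Gateway makes so a bad App ID / Tenant ID / Key ID / secret can
# be diagnosed outside the gateway and Azure's own error text can be read.
# Assumed: Key Vault REST API 7.4, RS256 over a SHA-256 digest, curl, openssl,
# and the KV_* variable names (this script's own, not gateway settings).
set -eu

LOGIN_BASE="https://login.microsoftonline.com"
KV_SCOPE="https://vault.azure.net/.default"
KV_API_VERSION="7.4"

# A Key ID is a URL: https://<vault>.vault.azure.net/keys/<name>/<version>.
# Reject anything else early; a mangled Key ID is the usual copy/paste error.
kid_check() {
  case "$1" in
    https://*/keys/*/*) return 0 ;;
    *) echo "not a Key Vault key ID: $1" >&2; return 1 ;;
  esac
}
kid_vault()   { kid_check "$1" && printf '%s\n' "${1%%/keys/*}"; }
kid_name()    { kid_check "$1" && r=${1#*/keys/} && printf '%s\n' "${r%%/*}"; }
kid_version() { kid_check "$1" && r=${1#*/keys/} && r=${r#*/} && printf '%s\n' "${r%%/*}"; }

# String value of KEY from the one-line JSON on stdin. Enough for Azure's
# token, sign and error bodies; not a general JSON parser.
json_str() { sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1; }

# Unpadded base64url (RFC 4648 section 5) of the SHA-256 digest of stdin.
# For RS256 the sign endpoint expects the digest, not the data.
b64url_sha256() { openssl dgst -sha256 -binary | base64 | tr -d '\n=' | tr '+/' '-_'; }

# Request body for POST {kid}/sign.
sign_body() { printf '{"alg":"RS256","value":"%s"}' "$1"; }

# Step 1: client-credentials token scoped to Key Vault.
get_token() { # tenant_id app_id client_secret
  resp=$(curl -sS "$LOGIN_BASE/$1/oauth2/v2.0/token" \
      --data-urlencode grant_type=client_credentials \
      --data-urlencode "client_id=$2" \
      --data-urlencode "client_secret=$3" \
      --data-urlencode "scope=$KV_SCOPE")
  tok=$(printf '%s' "$resp" | json_str access_token)
  if [ -z "$tok" ]; then
    echo "token request failed: $(printf '%s' "$resp" | json_str error_description)" >&2
    return 1
  fi
  printf '%s\n' "$tok"
}

# Step 2: have the vault sign a digest with the key the Key ID points at.
# The private key never leaves the vault; only the signature comes back.
sign_digest() { # token key_id digest_b64url
  resp=$(curl -sS "$2/sign?api-version=$KV_API_VERSION" \
      -H "Authorization: Bearer $1" -H "Content-Type: application/json" \
      --data "$(sign_body "$3")")
  sig=$(printf '%s' "$resp" | json_str value)
  if [ -z "$sig" ]; then
    # This message is what the gateway's error string is mostly built from.
    echo "sign request failed: $(printf '%s' "$resp" | json_str message)" >&2
    return 1
  fi
  printf '%s\n' "$sig"
}

# Only talk to Azure when all four inputs are set; otherwise just define the functions.
if [ -n "${KV_TENANT_ID:-}" ] && [ -n "${KV_APP_ID:-}" ] \
   && [ -n "${KV_CLIENT_SECRET:-}" ] && [ -n "${KV_KEY_ID:-}" ]; then
  kid_check "$KV_KEY_ID"
  token=$(get_token "$KV_TENANT_ID" "$KV_APP_ID" "$KV_CLIENT_SECRET")
  digest=$(printf 'key vault check' | b64url_sha256)
  sig=$(sign_digest "$token" "$KV_KEY_ID" "$digest")
  echo "OK: $(kid_vault "$KV_KEY_ID") key $(kid_name "$KV_KEY_ID") version $(kid_version "$KV_KEY_ID") returned a ${#sig}-char signature"
fi
```

Run it with the four values from the gateway settings in the environment (KV_TENANT_ID, KV_APP_ID, KV_CLIENT_SECRET, KV_KEY_ID). A failure in step 1 prints the AADSTS error text and means the application ID, tenant ID or secret is wrong or the secret has expired; a failure in step 2 with a Forbidden message means the token was accepted but the vault's access policy does not grant Sign to that application.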

Create an Azure Key Vault and a Private Key

Create an Azure Key Vault to store private keys for use with SSL certificates that protect network connections.

Complete the usual steps for creating these items on the Azure portal, using the values given below for the options that matter for use of the private keys by Secure Web Gateway.

  1. Log on to the Azure portal.
  2. Register an application for private key handling.
    1. On the portal, navigate to Azure Active Directory | App registrations.
    2. Select suitable values on the registration page to register an application.
      When the application has been registered, note down its Application (client) ID and Directory (tenant) ID.
    3. Add an API permission to allow the application full access to the Azure Key Vault service.
    4. Set a client secret for the application. This is the password that Secure Web Gateway presents when it completes private key operations. The secret value is shown only once, and it has an expiry date; note both down, because private key operations fail once the secret has expired.
  3. Create an Azure Key Vault.
    The name for this key vault might be, for example, skyhighdoc.
  4. Generate a private key.
    1. Select RSA as the key type and generate the private key.
      When the private key has been generated, note down its Key ID, which is a URL of the form https://<vault name>.vault.azure.net/keys/<key name>/<version>.
    2. Select Sign and Verify as the only operations that are permitted when using the private key. The gateway does not need Encrypt, Decrypt, Wrap Key, or Unwrap Key.
    3. Add an access policy on the key vault with these parameters. Do not grant more than these permissions; the gateway needs no other key, secret, or certificate permissions.
      • Get, Sign and Verify as key permissions.
      • The application that you registered in step 2 as the principal.

An Azure Key Vault is now available for storing private keys and using their data for certificate handling on Secure Web Gateway.
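The same setup as a script, as an added example that is not from the Skyhigh documentation. It uses the Azure CLI; the resource group, region, application name and key name are placeholders of this example (only the vault name skyhighdoc comes from the page), the 2048-bit key size is an assumption, and nothing runs against Azure unless RUN_SETUP is set.

```shell
#!/bin/sh
# Added example: the portal procedure above as Azure CLI commands. Placeholder
# names (resource group, region, app, key) are this script's own; the vault name
# skyhighdoc is the one the page uses. Key size 2048 is an assumption.
set -eu

RG=${RG:-swg-rg}
LOCATION=${LOCATION:-westeurope}
APP_NAME=${APP_NAME:-swg-keyvault-app}
VAULT=${VAULT:-skyhighdoc}
KEY_NAME=${KEY_NAME:-swg-ssl}

# Step 2: register the application, give it a service principal, and set a
# client secret. The secret is printed once; it is the Password field on the
# gateway and it expires, so record the expiry next to it. The portal's
# API-permission step is not scripted; for an app-only token the vault access
# policy below is what authorizes the key operations.
register_app() {
  app_id=$(az ad app create --display-name "$APP_NAME" --query appId -o tsv)
  az ad sp create --id "$app_id" >/dev/null
  tenant_id=$(az account show --query tenantId -o tsv)
  secret=$(az ad app credential reset --id "$app_id" --query password -o tsv)
  printf 'APP_ID=%s\nTENANT_ID=%s\nCLIENT_SECRET=%s\n' "$app_id" "$tenant_id" "$secret"
}

# Steps 3 and 4: the vault (access-policy model, as in the portal steps), an RSA
# key that may only sign and verify, and a policy that grants the application
# get/sign/verify on keys and nothing else. Prints the Key ID (a URL).
create_vault_and_key() { # app_id
  az keyvault create --name "$VAULT" --resource-group "$RG" --location "$LOCATION" \
      --enable-rbac-authorization false >/dev/null
  key_id=$(az keyvault key create --vault-name "$VAULT" --name "$KEY_NAME" \
      --kty RSA --size 2048 --ops sign verify --query key.kid -o tsv)
  az keyvault set-policy --name "$VAULT" --spn "$1" \
      --key-permissions get sign verify >/dev/null
  printf 'KEY_ID=%s\n' "$key_id"
}

# Run only on request, against whatever subscription `az login` selected.
if [ -n "${RUN_SETUP:-}" ]; then
  az group create --name "$RG" --location "$LOCATION" >/dev/null
  app=$(register_app)
  printf '%s\n' "$app"
  create_vault_and_key "$(printf '%s\n' "$app" | sed -n 's/^APP_ID=//p')"
fi
```

The three lines printed by register_app and the KEY_ID line from create_vault_and_key are exactly the values the gateway's import dialog asks for. Because the key is created with --ops sign verify and the policy grants only get, sign and verify, a leaked client secret lets an attacker sign with the key but not export, decrypt with, or delete it.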

Configure Use of a Private Key from an Azure Key Vault

To configure use of a certificate whose private key is stored in an Azure Key Vault, provide settings for the module that handles communication with Secure Web Gateway clients over an SSL-secured connection.

To provide these settings, you import a certificate and assign to it the private key from the key vault.

  1. Select Policy | Settings.
  2. On the Engines branch of the settings tree, expand SSL Client Context with CA, then select the Default CA settings.
  3. Import a certificate with a private key from an Azure Key Vault assigned to it.
    1. Under Define SSL Client Context, click Import next to Certificate Authority.
    2. In the window that opens, click Browse next to Certificate, and locate a certificate file.
    3. Under Private key source, select Azure Vault.
    4. Fill these input fields with the values you noted down when setting up the Azure Key Vault with the private key.
      • App ID
      • Tenant ID
      • Key ID
    5. Under Password, enter the client secret that you set for the application registered in Azure when setting up the key vault.
    6. Click Import.

The certificate is imported. Its key ID and other properties are shown in the settings pane.

  4. Click Save Changes.

The certificate is now available on Secure Web Gateway for use over SSL-secured connections, while its private key remains in the Azure Key Vault.
