We have a master Key Vault which should contain the certificates used to authenticate to certain service principals (1 SP per environment). These service principals have access to their personal Key Vault. We used secrets to store the certificates. However, it seems like 'keys' are a better fit for storing certificates, because keys can generate certificates by themselves. Is that correct?
For now, our VSTS service principal deploys an ARM template and puts the correct certificate in the certificate store of the web app service. This certificate is then used to authenticate the application as the SP and allow it to retrieve the secrets from the SP's personal Key Vault.
I was able to add the certificate (as a secret) like this:
{
    "type": "Microsoft.Web/certificates",
    "name": "testCertificate",
    "apiVersion": "2016-03-01",
    "location": "[resourceGroup().location]",
    "properties": {
        "keyVaultId": "/subscriptions/xxxx/resourceGroups/rg/providers/Microsoft.KeyVault/vaults/xxxx",
        "keyVaultSecretName": "testcert",
        "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'asp-test1')]"
    }
}
Is it possible to add the certificate via a 'key' instead of a 'secret'? How can I map the key in the ARM template?
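The following is an added example, not part of the question above: a complete ARM template that wires the certificate resource from the question into an App Service plan and a web app, and makes the web app load the certificate into its certificate store via the WEBSITE_LOAD_CERTIFICATES app setting, using the thumbprint the Microsoft.Web/certificates resource exposes after deployment. It keeps the secret-based reference the question already uses, because keyVaultSecretName is the only Key Vault-facing property of Microsoft.Web/certificates; a certificate object in Key Vault automatically exposes a secret of the same name holding the PFX, so the value to put there is the Key Vault certificate's name. The parameter names, the keyVaultId parameter standing in for the redacted vault ID, the plan SKU, the web app name and the serverfarms/sites API versions are all assumptions chosen for this example.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "keyVaultId": {
      "type": "string",
      "metadata": { "description": "Resource ID of the master Key Vault holding the SP certificate (assumed parameter)" }
    },
    "keyVaultCertificateName": {
      "type": "string",
      "defaultValue": "testcert",
      "metadata": { "description": "Name of the Key Vault certificate; its backing secret has the same name" }
    },
    "appServicePlanName": { "type": "string", "defaultValue": "asp-test1" },
    "webAppName": {
      "type": "string",
      "metadata": { "description": "Globally unique web app name (assumed parameter)" }
    }
  },
  "variables": {
    "certificateResourceName": "testCertificate",
    "planId": "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]",
    "certificateId": "[resourceId('Microsoft.Web/certificates', variables('certificateResourceName'))]"
  },
  "resources": [
    {
      "type": "Microsoft.Web/serverfarms",
      "name": "[parameters('appServicePlanName')]",
      "apiVersion": "2016-09-01",
      "location": "[resourceGroup().location]",
      "sku": { "name": "B1" },
      "properties": {}
    },
    {
      "type": "Microsoft.Web/certificates",
      "name": "[variables('certificateResourceName')]",
      "apiVersion": "2016-03-01",
      "location": "[resourceGroup().location]",
      "dependsOn": [ "[variables('planId')]" ],
      "properties": {
        "keyVaultId": "[parameters('keyVaultId')]",
        "keyVaultSecretName": "[parameters('keyVaultCertificateName')]",
        "serverFarmId": "[variables('planId')]"
      }
    },
    {
      "type": "Microsoft.Web/sites",
      "name": "[parameters('webAppName')]",
      "apiVersion": "2016-08-01",
      "location": "[resourceGroup().location]",
      "dependsOn": [ "[variables('planId')]", "[variables('certificateId')]" ],
      "properties": {
        "serverFarmId": "[variables('planId')]",
        "siteConfig": {
          "appSettings": [
            {
              "name": "WEBSITE_LOAD_CERTIFICATES",
              "value": "[reference(variables('certificateId'), '2016-03-01').thumbprint]"
            }
          ]
        }
      }
    }
  ],
  "outputs": {
    "certificateThumbprint": {
      "type": "string",
      "value": "[reference(variables('certificateId'), '2016-03-01').thumbprint]"
    }
  }
}
```

Two checks before deploying this: the Key Vault's access policy must grant the Azure App Service resource provider's service principal the get permission on secrets, or the Microsoft.Web/certificates deployment fails to read the PFX; and the Key Vault certificate's policy must mark the private key as exportable, otherwise there is no PFX for App Service to import. The thumbprint in WEBSITE_LOAD_CERTIFICATES is what the application code should use to pick the client certificate out of the web app's certificate store when authenticating as the SP.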