Which two actions should you perform?

Posted by: Pdfprep Category: AZ-303

You have an Azure key vault named KV1.

You need to ensure that applications can use KV1 to provision certificates automatically from an external certification authority (CA).

Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

A. From KV1, create a certificate issuer resource.

B. Obtain the CA account credentials.

C. Obtain the root CA certificate.

D. From KV1, create a certificate signing request (CSR).

E. From KV1, create a private key.

Answer: C,D

Explanation:

C: Obtain the root CA certificate (step 4 in the picture below)

D: From KV1, create a certificate signing request (CSR) (step 2 in the picture below)

Note:

Creating a certificate with a CA not partnered with Key Vault

This method allows working with CAs other than Key Vault’s partnered providers, meaning your organization can work with a CA of its choice.

The following step descriptions correspond to the green lettered steps in the preceding diagram.

1. In the diagram above, your application is creating a certificate, which internally begins by creating a key in your key vault.

2. Key Vault returns to your application a Certificate Signing Request (CSR).

3. Your application passes the CSR to your chosen CA.

4. Your chosen CA responds with an X509 Certificate.

5. Your application completes the new certificate creation with a merger of the X509 Certificate from your CA.
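
The five steps listed above, simulated locally with the openssl CLI. This is an added example, not code from the original page or from Microsoft, and it calls no Azure API. A directory stands in for KV1 and a throwaway self-signed root stands in for the external CA; every function, path and subject name is constructed, and the public-key comparison in the merge step is this example's own check.

```shell
#!/usr/bin/env bash
# Local stand-in for the CSR/merge flow described above (openssl only, no Azure calls).
# Paths, function names and subject names are constructed for this example.
set -eu
WORK=$(mktemp -d)
VAULT="$WORK/vault"   # plays the role of KV1: the private key is created and stays here
CA="$WORK/ca"         # plays the role of the external, non-partnered CA
mkdir -p "$VAULT" "$CA"

# Steps 1-2: the vault creates the key and hands back only a CSR.
vault_begin_certificate() {   # $1 = certificate name, $2 = subject
  openssl req -new -newkey rsa:2048 -nodes -keyout "$VAULT/$1.key" \
    -subj "$2" -out "$VAULT/$1.csr" 2>/dev/null
  chmod 600 "$VAULT/$1.key"
  echo "$VAULT/$1.csr"
}

# One-time setup of the simulated CA (self-signed root).
ca_init() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Root CA" \
    -keyout "$CA/root.key" -out "$CA/root.crt" 2>/dev/null
}

# Steps 3-4: the CA receives the CSR and answers with an X.509 certificate.
ca_sign() {   # $1 = CSR path, $2 = output certificate path
  openssl x509 -req -in "$1" -CA "$CA/root.crt" -CAkey "$CA/root.key" \
    -CAcreateserial -days 30 -out "$2" 2>/dev/null
}

# SHA-256 over the DER form of a PEM public key read from stdin.
pubkey_hash() { openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1; }

# Step 5: merge only if the certificate carries the public key of the pending request.
vault_merge_certificate() {   # $1 = certificate name, $2 = signed certificate path
  want=$(openssl pkey -in "$VAULT/$1.key" -pubout | pubkey_hash)
  got=$(openssl x509 -in "$2" -noout -pubkey | pubkey_hash)
  [ "$want" = "$got" ] || { echo "merge refused: key mismatch" >&2; return 1; }
  cp "$2" "$VAULT/$1.crt" && rm -f "$VAULT/$1.csr"
}

# Demo run of the whole flow for a certificate named "app".
ca_init
csr=$(vault_begin_certificate app "/CN=app.example.test")
ca_sign "$csr" "$WORK/app.crt"
vault_merge_certificate app "$WORK/app.crt" && echo "merged: $VAULT/app.crt"
```

Only the CSR and the signed certificate cross the boundary between the two directories; the `.key` file is never copied out of the simulated vault.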

Reference: https://docs.microsoft.com/en-us/azure/key-vault/certificates/certificate-scenarios
