Built for Azure Key Vault
The pre-built Key Vault deployment template ships in your CertKit account. No scripting required.
Application Gateway, App Service, and the rest of Azure consume certificates from Key Vault and follow new versions automatically. The catch is upstream: an imported certificate is a static object, and when it renews, nothing lands in the vault until someone imports the new PFX. Every 47 days. For every certificate you bring to the vault.
CertKit centralizes certificate issuance and renewal, then imports each renewed certificate into your Key Vault via the CertKit Agent as a new version under the same name. Everything bound to the vault rolls over on its own.
The pre-built Key Vault deployment template ships in your CertKit account. No scripting required.
The CertKit Agent signs in with a scoped service principal, non-interactively, and imports the renewed PFX under the certificate name you chose. Key Vault versions it, and every service bound to that certificate picks up the new version without a manual step. The PFX password handling is automatic.
The pre-built Key Vault template ships with your CertKit account. Set the vault and certificate name once. CertKit handles every renewal after that.
The manual process, if you want to do it yourself:
az keyvault certificate import from
the CLI.
Every one of these steps is manual, and Key Vault won't repeat any of them for an imported certificate. With lifetimes shrinking to 47 days, the import stops being an annual chore and becomes a recurring task: eight times a year, per certificate, per vault. Miss one and the Application Gateway behind it serves an expired certificate.
At 47 days, automation is the only sustainable way to keep imported certificates current. Here's how CertKit does it.
Your network CertKit ACME CA ┌───────────────────┐ ┌──────────────────┐ ┌─────────────┐ │ ┌─────────────┐ │ │ │ │ │ │ │Deploy Agent │◄─┼─────┤ Issue & Renew │◄──►│ │ │ └──────┬──────┘ │ │ Certificates │ │ │ │ │ Az API │ │ ┌───┐ └─────────────┘ │ ▼ │ └───────────┬────│DNS│ │ ┌──────────────┐ │ │ └───┘ │ │ Key Vault │ │ │ │ │ [x] Imported │ │ │ │ │ App Gateway │ │ ◄───────────────┘ │ │ [x] Rolled │ │ Verify │ └──────────────┘ │ └───────────────────┘
CertKit manages issuance and renewal centrally using delegated DNS validation. You create a one-time CNAME record and CertKit handles every ACME challenge after that. The agent runs on any Windows host and signs in to Azure with a service principal scoped to importing certificates into the target vault. No DNS credentials in Azure, no ACME configuration anywhere.
CertKit makes what many companies struggle with much easier to manage while at the same time providing great value compared to the traditional vendors in the space.
Ben Story, Managed Services Director, RedEye Network Solutions
Key Vault can generate and auto-renew certificates, but only through its integrated CA partners, with per-certificate fees and a separate CA account to manage. Every other certificate, including anything from a free ACME CA, enters the vault as an import, and imports are static. Azure will happily email you that one is about to expire. It won't renew it.
CertKit closes that gap: it issues free ACME certificates via delegated DNS validation, renews them on schedule, and re-imports each renewal as a new version, so the vault's distribution machinery keeps working without the integrated CA pricing. The same renewed certificate can also deploy to the non-Azure half of your infrastructure from the same account.
Most environments have more than one place where certificates live: IIS and Exchange on-premises, Kubernetes clusters, and the appliances in between. CertKit automates all of it from one account.
Free 90-day trial. No credit card required. Direct access to our engineering team to get you set up.