There are multiple references on this page to using the az keyvault certificate get-default-policy command (including with the --scaffold option) to create a certificate request; however, the certificate policy sections are extremely light on details. Although it redirects to https://docs.microsoft.com/en-us/azure/key-vault/certificates/about-certificates#certificate-policy, that page also does not contain information on how to request an EV certificate.
Digging deep into the API reveals this: https://docs.microsoft.com/en-us/rest/api/keyvault/certificates/get-certificate-policy/get-certificate-policy#issuerparameters, specifically that there is a cty parameter inside the issuerParameters block returned by the API, which we can assume maps to the certificateType field in the response from az keyvault certificate get-default-policy --scaffold:
{
  "issuerParameters": {
    "certificateTransparency": null,
    "certificateType": "(optional) DigiCert, GlobalSign or WoSign",
    "name": "Unknown, Self, or {IssuerName}"
  },
  "keyProperties": {
    "curve": null,
    "exportable": true,
    "keySize": 2048,
    "keyType": "(optional) RSA or RSA-HSM (default RSA)",
    "reuseKey": true
  },
  "lifetimeActions": [
    {
      "action": {
        "actionType": "AutoRenew"
      },
      "trigger": {
        "daysBeforeExpiry": 90,
        "lifetimePercentage": null
      }
    }
  ],
  "secretProperties": {
    "contentType": "application/x-pkcs12 or application/x-pem-file"
  },
  "x509CertificateProperties": {
    "ekus": [
      "1.3.6.1.5.5.7.3.1"
    ],
    "keyUsage": [
      "cRLSign",
      "dataEncipherment",
      "digitalSignature",
      "keyEncipherment",
      "keyAgreement",
      "keyCertSign"
    ],
    "subject": "C=US, ST=WA, L=Redmond, O=Contoso, OU=Contoso HR, CN=www.contoso.com",
    "subjectAlternativeNames": {
      "dnsNames": [
        "hr.contoso.com",
        "m.contoso.com"
      ],
      "emails": [
        "hello@contoso.com"
      ],
      "upns": []
    },
    "validityInMonths": 24
  }
}
That reply would also seem to indicate that, unlike what is expected by the API, the response from az keyvault certificate get-default-policy --scaffold for certificateType is actually also incorrect, and should be more like (optional) OV-SSL or EV-SSL.
I will also be submitting a request to the documentation team for https://docs.microsoft.com/en-us/azure/key-vault/certificates/about-certificates#certificate-policy (which I will link to this request when completed) to update their documents to make it clearer on how to request an EV SSL certificate.
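As an added example (not from this issue or the Azure docs), a small Python helper that builds a policy with certificateType set to EV-SSL for an issuer object assumed to be named DigiCertEV, and lints a policy for the scaffold placeholders and the CA-only key usages that a CA-issued TLS leaf certificate should not carry:

```python
import json

# Values the DigiCert issuer integration accepts in issuerParameters.certificateType;
# the scaffold's "(optional) DigiCert, GlobalSign or WoSign" text is a placeholder, not a value.
VALID_CERT_TYPES = {"OV-SSL", "EV-SSL"}
SERVER_AUTH_EKU = "1.3.6.1.5.5.7.3.1"            # id-kp-serverAuth, the EKU a TLS server leaf needs
CA_ONLY_KEY_USAGES = {"keyCertSign", "cRLSign"}  # present in the scaffold, but only valid on CA certs
PLACEHOLDER_ISSUERS = {None, "", "Self", "Unknown", "Unknown, Self, or {IssuerName}"}


def build_ev_policy(issuer_name, subject, dns_names, validity_months=12):
    """Policy for an EV TLS certificate from an issuer object already created in the vault.
    issuer_name is assumed (e.g. "DigiCertEV"): it is the name you gave the issuer object, not the CA."""
    return {
        "issuerParameters": {"name": issuer_name, "certificateType": "EV-SSL"},
        "keyProperties": {"exportable": False, "keyType": "RSA", "keySize": 2048, "reuseKey": False},
        "lifetimeActions": [{"action": {"actionType": "AutoRenew"},
                             "trigger": {"daysBeforeExpiry": 30}}],
        "secretProperties": {"contentType": "application/x-pkcs12"},
        "x509CertificateProperties": {
            "ekus": [SERVER_AUTH_EKU],
            "keyUsage": ["digitalSignature", "keyEncipherment"],
            "subject": subject,
            "subjectAlternativeNames": {"dnsNames": list(dns_names)},
            "validityInMonths": validity_months,
        },
    }


def lint_policy(policy):
    """Return the problems found in an issuer-backed OV/EV policy; [] means none found."""
    problems = []
    issuer = policy.get("issuerParameters", {})
    if issuer.get("certificateType") not in VALID_CERT_TYPES:
        problems.append("certificateType must be OV-SSL or EV-SSL (scaffold placeholder left in?)")
    if issuer.get("name") in PLACEHOLDER_ISSUERS:
        problems.append("issuer name must be a configured issuer object, not Self/Unknown")
    x509 = policy.get("x509CertificateProperties", {})
    if SERVER_AUTH_EKU not in x509.get("ekus", []):
        problems.append("serverAuth EKU missing")
    ca_usages = CA_ONLY_KEY_USAGES & set(x509.get("keyUsage", []))
    if ca_usages:
        problems.append("CA-only keyUsage on a leaf certificate: " + ", ".join(sorted(ca_usages)))
    return problems


if __name__ == "__main__":
    policy = build_ev_policy("DigiCertEV", "CN=www.contoso.com, O=Contoso, C=US", ["www.contoso.com"])
    assert lint_policy(policy) == []
    with open("policy.json", "w") as fh:  # then: az keyvault certificate create ... --policy @policy.json
        json.dump(policy, fh, indent=2)
```

The written file is passed as `--policy @policy.json` to `az keyvault certificate create --vault-name <vault> --name <cert>`; the issuer object named in the policy must already exist in the vault.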
Document Details
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.