
How to Automatically Rotate AAD Application Certificates

Automatically rotate AAD Application certificates
31 Oct 2022


Cloud adoption and the rise of microservice architectures have exponentially increased the number of service credentials that organizations must maintain. This growth in identities, coupled with replacing passwords with more secure, time-bound cryptographic certificates, has made it impossible for humans to keep track of and rotate each of these credentials.
As a result, engineers usually resort to one of the two following “solutions”:

1) Use the same certificate for everything, which dramatically increases your attack surface.
2) Use long-lived certificates, which also creates exposure and a scenario where, if the engineer leaves or forgets to rotate the certificates, you’ll have a costly outage.

As a matter of fact, 81% of organizations have experienced certificate related outages in the past 2 years.

The solution? Remove the human element from the equation. ACME (Automated Certificate Management Environment) certificate issuance fixed this for SSL certificates, now let’s look at our options for service certificates.


Azure Managed Service Identities

If your services are hosted in Azure, then you have probably heard of Azure Managed Identities: an identity created and managed by Azure whose credential is rotated automatically, so your service can use it without ever handling a secret. While this is a great solution, and a big part of our passwordless strategy at Keytos, managed identities have a couple of limitations:

1) They only work in Azure.

2) They do not support multitenant access for your service to authenticate to other tenants.

Azure Application Authentication

When external machines need to authenticate to Azure, or you must authenticate to another tenant, you must rely on the “old way” of system authentication: a regular Azure Service Principal using certificate-based authentication. (Please do not use password-based authentication; it is so 2022.)

These steps used to be a tedious, manual chore for engineers, but not anymore! Since its creation, EZCA has supported automatic certificate rotation in Azure Key Vault, and now we have enhanced our automatic certificate rotation capabilities to automatically rotate Azure AD Application certificates whenever a new EZCA certificate is issued.
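To make the rotation decision concrete, here is an added example (not EZCA's code) of the logic an automatic rotator has to apply to an application's certificate credentials when a new certificate is issued: add the new certificate before the current one expires, keep still-valid certificates so clients are not cut off mid-switch, and drop expired ones. Field names follow the Microsoft Graph `application.keyCredentials` resource; the thresholds, sample credentials and thumbprints are constructed for illustration.

```python
"""Plan an Azure AD application certificate rotation (added example, not EZCA code)."""
from datetime import datetime, timedelta, timezone

# Thresholds are illustrative assumptions, not values from the page.
RENEW_BEFORE = timedelta(days=30)       # issue a new cert this long before expiry
GRACE_AFTER_EXPIRY = timedelta(days=0)  # drop expired credentials immediately


def _parse(ts: str) -> datetime:
    """Graph returns ISO 8601 UTC timestamps ending in 'Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def needs_rotation(key_credentials, now):
    """True when no currently valid credential will still be valid past RENEW_BEFORE."""
    horizon = now + RENEW_BEFORE
    return not any(
        _parse(k["startDateTime"]) <= now < _parse(k["endDateTime"])
        and _parse(k["endDateTime"]) > horizon
        for k in key_credentials
    )


def plan_key_credentials(key_credentials, new_cert, now):
    """Return the keyCredentials list to PATCH back to Graph.

    Still-valid credentials are kept so clients holding the old certificate keep
    authenticating until they pick up the new one; expired ones are removed.
    The call is idempotent: a thumbprint already registered is not added twice."""
    kept = [k for k in key_credentials
            if _parse(k["endDateTime"]) + GRACE_AFTER_EXPIRY > now]
    if any(k["customKeyIdentifier"] == new_cert["customKeyIdentifier"] for k in kept):
        return kept
    return kept + [dict(new_cert, type="AsymmetricX509Cert", usage="Verify")]


# Constructed sample data: one expired credential and one expiring within 30 days.
NOW = datetime(2022, 10, 31, tzinfo=timezone.utc)
SAMPLE_CREDENTIALS = [
    {"keyId": "constructed-old", "customKeyIdentifier": "THUMB-OLD",
     "startDateTime": "2021-10-01T00:00:00Z", "endDateTime": "2022-10-01T00:00:00Z",
     "type": "AsymmetricX509Cert", "usage": "Verify"},
    {"keyId": "constructed-current", "customKeyIdentifier": "THUMB-CURRENT",
     "startDateTime": "2022-09-15T00:00:00Z", "endDateTime": "2022-11-15T00:00:00Z",
     "type": "AsymmetricX509Cert", "usage": "Verify"},
]
NEW_CERT = {"customKeyIdentifier": "THUMB-NEW", "key": "<base64 DER placeholder>",
            "startDateTime": "2022-10-31T00:00:00Z", "endDateTime": "2023-01-29T00:00:00Z"}

if __name__ == "__main__":
    if needs_rotation(SAMPLE_CREDENTIALS, NOW):
        print(plan_key_credentials(SAMPLE_CREDENTIALS, NEW_CERT, NOW))
```

The returned list is what you would send as the `keyCredentials` property when updating the application object; the old certificate stays registered until its own end date, which is the overlap window that prevents an outage during the switch.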

If you are still not using EZCA, contact our team of PKI experts and join the passwordless future today!
