Azure / azure-cli

Azure Command-Line Interface
MIT License

Information on requesting an EV certificate is lacking #22913

Open djryanj opened 2 years ago

djryanj commented 2 years ago

There are multiple references on this page to using az keyvault certificate get-default-policy (including with the --scaffold option) to create a certificate request; however, the certificate policy sections are extremely light on details. Although it redirects to https://docs.microsoft.com/en-us/azure/key-vault/certificates/about-certificates#certificate-policy, that page also does not contain information on how to request an EV certificate.

Digging deep into the API reveals this: https://docs.microsoft.com/en-us/rest/api/keyvault/certificates/get-certificate-policy/get-certificate-policy#issuerparameters, specifically that there is a cty parameter inside the issuerParameters block returned by the API which we can assume maps to the certificateType block in the response from az keyvault certificate get-default-policy --scaffold:

{
  "issuerParameters": {
    "certificateTransparency": null,
    "certificateType": "(optional) DigiCert, GlobalSign or WoSign",
    "name": "Unknown, Self, or {IssuerName}"
  },
  "keyProperties": {
    "curve": null,
    "exportable": true,
    "keySize": 2048,
    "keyType": "(optional) RSA or RSA-HSM (default RSA)",
    "reuseKey": true
  },
  "lifetimeActions": [
    {
      "action": {
        "actionType": "AutoRenew"
      },
      "trigger": {
        "daysBeforeExpiry": 90,
        "lifetimePercentage": null
      }
    }
  ],
  "secretProperties": {
    "contentType": "application/x-pkcs12 or application/x-pem-file"
  },
  "x509CertificateProperties": {
    "ekus": [
      "1.3.6.1.5.5.7.3.1"
    ],
    "keyUsage": [
      "cRLSign",
      "dataEncipherment",
      "digitalSignature",
      "keyEncipherment",
      "keyAgreement",
      "keyCertSign"
    ],
    "subject": "C=US, ST=WA, L=Redmond, O=Contoso, OU=Contoso HR, CN=www.contoso.com",
    "subjectAlternativeNames": {
      "dnsNames": [
        "hr.contoso.com",
        "m.contoso.com"
      ],
      "emails": [
        "hello@contoso.com"
      ],
      "upns": []
    },
    "validityInMonths": 24
  }
}

That reply would also seem to indicate that, unlike what is expected by the API, the response from az keyvault certificate get-default-policy --scaffold for certificateType is actually also incorrect, and should be more like (optional) OV-SSL or EV-SSL.

I will also be submitting a request to the documentation team for https://docs.microsoft.com/en-us/azure/key-vault/certificates/about-certificates#certificate-policy (which I will link to this request when completed) to update their documents to make it clearer on how to request an EV SSL certificate.


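A practical pitfall with the scaffold above is submitting it with the placeholder strings still in place. The helper below is an added example (not part of the issue or of azure-cli) that fills the scaffold for an integrated-CA OV-SSL/EV-SSL request and refuses policies that still carry placeholder text or that name Self/Unknown as the issuer; the scaffold JSON is a constructed, trimmed copy of the one in the issue and the issuer name is a made-up value.

```python
import copy
import json

# Constructed, trimmed copy of the output of
# `az keyvault certificate get-default-policy --scaffold` quoted in the issue.
SCAFFOLD = json.loads("""{
  "issuerParameters": {
    "certificateTransparency": null,
    "certificateType": "(optional) DigiCert, GlobalSign or WoSign",
    "name": "Unknown, Self, or {IssuerName}"
  },
  "keyProperties": {"curve": null, "exportable": true, "keySize": 2048,
                    "keyType": "(optional) RSA or RSA-HSM (default RSA)", "reuseKey": true},
  "secretProperties": {"contentType": "application/x-pkcs12 or application/x-pem-file"},
  "x509CertificateProperties": {
    "ekus": ["1.3.6.1.5.5.7.3.1"],
    "keyUsage": ["digitalSignature", "keyEncipherment"],
    "subject": "CN=www.contoso.com",
    "subjectAlternativeNames": {"dnsNames": ["www.contoso.com"], "emails": [], "upns": []},
    "validityInMonths": 12
  }
}""")

# Values the issue says certificateType should take for a public TLS certificate.
VALID_CERT_TYPES = {"OV-SSL", "EV-SSL"}
PLACEHOLDER_MARKERS = ("(optional)", "{IssuerName}", ", or ", " or ")


def placeholder_fields(policy, path=""):
    """Return dotted paths of string fields that still contain scaffold placeholder text."""
    found = []
    if isinstance(policy, dict):
        for key, value in policy.items():
            found += placeholder_fields(value, f"{path}.{key}" if path else key)
    elif isinstance(policy, str) and any(m in policy for m in PLACEHOLDER_MARKERS):
        found.append(path)
    return found


def build_ev_policy(scaffold, issuer_name, cert_type="EV-SSL"):
    """Fill the scaffold for an integrated-CA request and validate it before submission."""
    if cert_type not in VALID_CERT_TYPES:
        raise ValueError(f"certificateType must be one of {sorted(VALID_CERT_TYPES)}")
    if issuer_name in ("Self", "Unknown"):  # OV/EV need a CA issuer registered in the vault
        raise ValueError("OV/EV certificates require an integrated CA issuer, not Self/Unknown")
    policy = copy.deepcopy(scaffold)
    policy["issuerParameters"].update({"name": issuer_name, "certificateType": cert_type})
    policy["keyProperties"]["keyType"] = "RSA"  # pick one concrete value from the placeholder
    policy["secretProperties"]["contentType"] = "application/x-pkcs12"
    if leftovers := placeholder_fields(policy):
        raise ValueError(f"scaffold placeholders not replaced: {leftovers}")
    return policy
```

The returned dict can be written to a file and passed to the certificate create command as its policy; any field you forgot to fill is reported by path instead of being sent to the service.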

yonzhan commented 2 years ago

keyvault