Azure Key Vault Managed HSM - Security Domain Certificate Renewal

Jonathan Maas 20 Reputation points
2025-01-03T18:59:56.7666667+00:00

As documented by Azure, when activating an Azure Key Vault Managed HSM resource you must create a security domain by sending at least three RSA public keys to the HSM. My question is: do the certificates/keys need to be updated prior to their set expiration date for the HSM to continue functioning? If so, is there any documentation around this process? I wasn't finding any documentation or any PowerShell commands that would address updating security domain certificates.

https://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/quick-create-powershell#activate-your-managed-hsm


1 answer

  1. Navya 14,980 Reputation points Microsoft Vendor
    2025-01-06T17:57:49.9366667+00:00

    Hi @Jonathan Maas

    Thank you for posting this in Microsoft Q&A.

    To operate, a managed HSM must have a security domain. The security domain is an encrypted blob file that contains artifacts like the HSM backup, user credentials, the signing key, and the data encryption key, which is unique to the managed HSM.

    Regarding your question, the expiration date of the RSA public keys used to create the security domain does not affect the functionality of the HSM. However, it is a recommended security practice to set expiration dates on cryptographic keys. If a key is too close to expiration, an organizational delay in rotating the key may result in an outage. Keys should be rotated a specified number of days prior to expiration to provide sufficient time to react to a failure.

    Even if the certificate has "expired," it can still be used to restore the security domain. You can generate HSM-protected keys in your on-premises HSM and import them securely into Managed HSM.

    Use the command below to create a new certificate:

    openssl req -newkey rsa:2048 -nodes -keyout cert_0.key -x509 -days 365 -out cert_0.cer

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Navya.


    If this answers your query, do click Accept Answer and Yes for "Was this answer helpful". And, if you have any further query, do let us know.

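The answer gives the single openssl command for one certificate and recommends rotating well before expiry. The script below is an added example, not code from the Q&A thread or from Microsoft: it generates the three self-signed 2048-bit RSA certificates a security domain quorum needs (same flags as the command above, plus a non-interactive -subj whose CN is a constructed placeholder), and then audits a directory of cert_*.cer files so that any certificate that is weaker than 2048 bits or expires inside a chosen warning window is flagged for rotation. It assumes openssl is on PATH; the directory and file names are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread): create the security-domain quorum
# certificates and audit them for key size and time-to-expiry.

# make_sd_certs DIR COUNT DAYS
#   Writes cert_0.key/cert_0.cer ... cert_(COUNT-1) into DIR, each a 2048-bit
#   RSA self-signed certificate valid for DAYS days.
make_sd_certs() {
    dir=$1; count=$2; days=$3
    mkdir -p "$dir" || return 1
    i=0
    while [ "$i" -lt "$count" ]; do
        # -subj keeps openssl from prompting; the CN is a constructed placeholder
        openssl req -newkey rsa:2048 -nodes -keyout "$dir/cert_$i.key" \
            -x509 -days "$days" -subj "/CN=managed-hsm-sd-$i" \
            -out "$dir/cert_$i.cer" 2>/dev/null || return 1
        i=$((i + 1))
    done
    return 0
}

# cert_key_bits FILE
#   Prints the modulus size (in bits) of the certificate's RSA public key.
cert_key_bits() {
    openssl x509 -noout -text -in "$1" \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# check_sd_certs DIR WARN_DAYS
#   Returns 0 when every cert_*.cer in DIR has a key of at least 2048 bits and
#   stays valid for at least WARN_DAYS more days; otherwise lists each
#   offender and returns 1. Run this from a scheduled job so rotation starts
#   before an expired quorum certificate becomes an operational surprise.
check_sd_certs() {
    dir=$1; warn_days=$2
    secs=$((warn_days * 86400))
    bad=0
    for cer in "$dir"/cert_*.cer; do
        [ -f "$cer" ] || { echo "no certificates found in $dir"; return 1; }
        bits=$(cert_key_bits "$cer")
        if [ -z "$bits" ] || [ "$bits" -lt 2048 ]; then
            echo "WEAK KEY: $cer (${bits:-unknown} bit, expected >= 2048)"
            bad=1
        fi
        # -checkend exits non-zero when the certificate expires within SECS seconds
        if ! openssl x509 -checkend "$secs" -noout -in "$cer" >/dev/null; then
            echo "ROTATE:   $cer ($(openssl x509 -enddate -noout -in "$cer")) expires within $warn_days days"
            bad=1
        fi
    done
    return "$bad"
}

# Usage (constructed paths):
#   make_sd_certs ./sd-certs 3 365
#   check_sd_certs ./sd-certs 90   # exit status 1 means "start rotating now"
```

`openssl x509 -checkend` does the date arithmetic inside openssl, so the audit works the same on GNU and BSD userlands without parsing the notAfter string; the printed -enddate line is only there for the report.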
