Azure Key Vault Certificate Difference Between Certificate Identifier, Secret Identifier, Key Identifier

I have worked with secrets stored in Azure Key Vault, but this is the first time I am using a certificate for authentication rather than a secret.

I have a certificate stored in Azure Key Vault. I want to use this certificate to authenticate with an Azure AD application.

I understand that, for secrets stored in Azure Key Vault, we can refer to them in an Azure Function via application settings by using @Microsoft.KeyVault(SecretUri='secretIdentifier').

I noticed that there are three types of identifiers for a certificate: key, secret, and certificate identifier. What is the difference between these, and what purpose does each of them serve?

Also, can we access the certificate through its secret identifier using @Microsoft.KeyVault(SecretUri='Certificate's Secret Identifier') and use it for authenticating? If we can, are there any caveats to this approach?

Lastly, why is using a certificate for authentication considered a better approach than using a secret?

So far, I haven't been able to find an explanation that is easily understandable for a person who has not used certificates before. Any suggestion/explanation will be highly appreciated.

For the difference between Keys, Secrets, and Certificates, please refer to the Azure Key Vault documentation, under Object Types:

https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#object-types

Think of Secrets as passwords and connection strings. Keys are cryptographic keys that can be generated using various algorithms. And Certificates are keys (or key pairs) with optional policies such as auto rotation.

There is an advantage in authenticating using a certificate instead of a secret. The advantage is that a certificate has a private and a public key part. The recipient of your API call can authenticate who you are using only the public portion of your certificate, while you safely safeguard the private part in your key vault. Secrets are shared between calling and called parties and are transmitted over the wire, and therefore there are more opportunities for them to leak.

https://learn.microsoft.com/en-us/azure/key-vault/certificates/about-certificates mentions that

When a Key Vault certificate is created, an addressable key and secret are also created with the same name. The Key Vault key allows key operations and the Key Vault secret allows retrieval of the certificate value as a secret. A Key Vault certificate also contains public x509 certificate metadata.

and

When a Key Vault certificate is created, it can be retrieved from the addressable secret with the private key in either PFX or PEM format.

Thus, "Certificate's Secret Identifier" provides the way for tools to get hold of "the actual bytes" of the certificate together with its private key. As an example, it is the secret identifier for the certificate that can be provided to the HTTPS listener of an Application Gateway in order for that certificate to be used as the HTTPS certificate.
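The following Go program is an added example, written for this page rather than taken from either answer or from Microsoft's SDKs, that ties the two answers together. It builds a PEM bundle of the shape the addressable secret returns for a PEM-format certificate (public certificate followed by private key; the key pair, self-signed certificate and challenge bytes are all constructed in-code, nothing is fetched from a vault), splits it into its two halves, has the caller sign a challenge with the private key, and has the recipient verify it using only the public certificate. All function names (NewConstructedPEMSecret, ParsePEMSecret, SignChallenge, VerifyWithCertificate, RunExchange) are this example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// NewConstructedPEMSecret stands in for the value behind a certificate's secret
// identifier for a PEM-format certificate: public certificate, then private key.
// The RSA key pair and self-signed certificate are constructed sample data.
func NewConstructedPEMSecret() ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	bundle := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return append(bundle, pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})...), nil
}

// ParsePEMSecret splits the secret value into its public and private halves;
// both must be present, since the secret identifier is the handle that carries the private key.
func ParsePEMSecret(data []byte) (*x509.Certificate, *rsa.PrivateKey, error) {
	var cert *x509.Certificate
	var key *rsa.PrivateKey
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		var err error
		switch block.Type {
		case "CERTIFICATE":
			cert, err = x509.ParseCertificate(block.Bytes)
		case "RSA PRIVATE KEY":
			key, err = x509.ParsePKCS1PrivateKey(block.Bytes)
		}
		if err != nil {
			return nil, nil, err
		}
	}
	if cert == nil || key == nil {
		return nil, nil, fmt.Errorf("secret value must contain both a certificate and a private key")
	}
	return cert, key, nil
}

// SignChallenge is the caller's side: prove possession of the private key (RSA PKCS#1 v1.5 over SHA-256).
func SignChallenge(key *rsa.PrivateKey, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

// VerifyWithCertificate is the recipient's side: only the public certificate is
// needed, so nothing secret is shared with the recipient or sent over the wire.
func VerifyWithCertificate(cert *x509.Certificate, challenge, sig []byte) bool {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return false
	}
	digest := sha256.Sum256(challenge)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// RunExchange runs the whole exchange on constructed data and reports whether the
// genuine challenge verified and whether a tampered one did.
func RunExchange() (bool, bool, error) {
	secret, err := NewConstructedPEMSecret()
	if err != nil {
		return false, false, err
	}
	cert, key, err := ParsePEMSecret(secret)
	if err != nil {
		return false, false, err
	}
	challenge := []byte("constructed nonce from the relying party")
	sig, err := SignChallenge(key, challenge)
	if err != nil {
		return false, false, err
	}
	return VerifyWithCertificate(cert, challenge, sig), VerifyWithCertificate(cert, []byte("tampered"), sig), nil
}

func main() {
	genuine, tampered, err := RunExchange()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine challenge verifies: %v, tampered challenge verifies: %v\n", genuine, tampered)
}
```

In a real deployment the bundle bytes are what the secret identifier (the SecretUri in the question) returns, and only the certificate half needs to leave the vault: that public part is what the relying party keeps, while the private key is only ever used on the caller's side. Key Vault's default content type for the secret is PKCS#12 (application/x-pkcs12); the example uses the PEM form the answer mentions because Go's standard library has no PKCS#12 decoder.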
