Secure AXON (http/grpc) with certificates from Azure Keyvault


we deployed an AXON server in Azure and want to protect the server (http & grpc). In our “standard” deployment (Terraform) we create certificates via ACME/Buypass and save the certificates into an Azure KeyVault.

I am looking for an approach to integrate/use these Azure KeyVault certificates to use/inject them into the AXON server. Is that possible at all? A step by step documentation how to achieve that would be wonderful. :wink:

Thanks in advance

Hi @Joe, and welcome to the forum!

Honestly, I am not familiar with Azure KeyVault at all.
What I can point you to is our Reference Guide.
More specifically, the Access Control section of Axon Server.

Axon Server currently allows the construction of users through its CLI.
You can, however, also use the [LDAP](Access Control - LDAP - Axon Reference Guide and OAuth 2.0 extensions.

As stated, I don’t know the specifics of Azure KeyVault.
However, I’d assume they’d provide integration with LDAP and/or OAuth 2.0 one way or another.

It’s important to note though that Axon Server’s extensions are an Enterprise feature only.
Hence, if you’re using Axon Server Standard Edition, you’d not be able to use these extensions directly.

A step by step documentation how to achieve that would be wonderful.

As you might’ve guessed, there isn’t anything like that.
Nonetheless, I hope the Access Control pointers I gave you point you in the right direction, @Joe.

By the way, if the problem is a general usage request for enabling Azure Key Vault, maybe this tutorial from Microsoft themselves could help.

Hi @Steven_van_Beelen

Thanks for your reply. In the meantime we solved it. :wink: The major topic in integrating the certificates was certificates formats which caused a lot of trouble and not AXON or KeyVault. At the end if you know how to it, it was straight forward as always.

Now all is build in Terraform

  1. We create certificates via buypass and save them in AzureKeyVault
  2. We create tls passoword in KeyVault
  3. Extract the cert from keyVault - Cert & Private Key - Private Key is in pkcs1 format
  4. Convert the PKCS1 to PKCS8
  5. Create the P12 with the passoword created in step2
  6. Inject .cer, .key, .p12 into AXON via storage and modify

Best regards

1 Like