{"id":12158,"date":"2026-04-12T19:57:00","date_gmt":"2026-04-13T00:57:00","guid":{"rendered":"https:\/\/www.rushworth.us\/lisa\/?p=12158"},"modified":"2026-04-30T12:59:37","modified_gmt":"2026-04-30T17:59:37","slug":"venafi-trust-protect-and-azure-key-vault-integration","status":"publish","type":"post","link":"https:\/\/www.rushworth.us\/lisa\/?p=12158","title":{"rendered":"Venafi Trust Protect and Azure Key Vault Integration"},"content":{"rendered":"<h3>Entra App Registration<\/h3>\n<p>Add a new Entra App registration for Venafi<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1919\" height=\"711\" class=\"wp-image-12159\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-1.png\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-1.png 1919w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-1-300x111.png 300w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-1-1024x379.png 1024w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-1-768x285.png 768w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-1-1536x569.png 1536w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-1-750x278.png 750w\" sizes=\"auto, (max-width: 1919px) 100vw, 1919px\" \/><\/p>\n<p>There is no redirect URI needed for this registration<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1148\" height=\"911\" class=\"wp-image-12160\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-2.png\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-2.png 1148w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-2-300x238.png 300w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-2-1024x813.png 1024w, 
https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-2-768x609.png 768w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-2-750x595.png 750w\" sizes=\"auto, (max-width: 1148px) 100vw, 1148px\" \/><\/p>\n<p>In this example, my App ID is 05151153-f5d5-4ce8-94cb-9086d70d3c05<\/p>\n<p>On the app, go to Certificates &amp; secrets. Upload the PUBLIC key of a Digital Signature certificate.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1695\" height=\"916\" class=\"wp-image-12161\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-3.png\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-3.png 1695w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-3-300x162.png 300w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-3-1024x553.png 1024w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-3-768x415.png 768w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-3-1536x830.png 1536w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-3-750x405.png 750w\" sizes=\"auto, (max-width: 1695px) 100vw, 1695px\" \/><\/p>\n<p>Confirm the public key has been added<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1379\" height=\"821\" class=\"wp-image-12162\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-4.png\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-4.png 1379w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-4-300x179.png 300w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-4-1024x610.png 1024w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-4-768x457.png 768w, 
https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-4-750x447.png 750w\" sizes=\"auto, (max-width: 1379px) 100vw, 1379px\" \/><\/p>\n<h3>Key Vault Configuration<\/h3>\n<p>In the Azure Portal, navigate to the Key Vaults<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1559\" height=\"259\" class=\"wp-image-12163\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-5.png\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-5.png 1559w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-5-300x50.png 300w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-5-1024x170.png 1024w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-5-768x128.png 768w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-5-1536x255.png 1536w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-5-750x125.png 750w\" sizes=\"auto, (max-width: 1559px) 100vw, 1559px\" \/><\/p>\n<p>Confirm you have an appropriate key vault, or create one. 
In this example, I am creating a new key vault.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1299\" height=\"187\" class=\"wp-image-12164\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-6.png\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-6.png 1299w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-6-300x43.png 300w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-6-1024x147.png 1024w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-6-768x111.png 768w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-6-750x108.png 750w\" sizes=\"auto, (max-width: 1299px) 100vw, 1299px\" \/><\/p>\n<p>Select the subscription and resource group to be used, provide a name for the vault.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1026\" height=\"875\" class=\"wp-image-12165\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-7.png\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-7.png 1026w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-7-300x256.png 300w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-7-1024x873.png 1024w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-7-768x655.png 768w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-7-750x640.png 750w\" sizes=\"auto, (max-width: 1026px) 100vw, 1026px\" \/><\/p>\n<p>In this example, my key vault is LJRVenafiTestKeyVault<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"689\" height=\"793\" class=\"wp-image-12166\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-8.png\" 
srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-8.png 689w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-8-261x300.png 261w\" sizes=\"auto, (max-width: 689px) 100vw, 689px\" \/><\/p>\n<p>This vault uses RBAC access. Click on \u201cAccess control (IAM)\u201d to add rights for the Entra app to use this key vault<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1699\" height=\"826\" class=\"wp-image-12167\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-9.png\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-9.png 1699w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-9-300x146.png 300w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-9-1024x498.png 1024w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-9-768x373.png 768w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-9-1536x747.png 1536w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-9-750x365.png 750w\" sizes=\"auto, (max-width: 1699px) 100vw, 1699px\" \/><\/p>\n<p>Select \u201cAdd role assignment\u201d<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1160\" height=\"266\" class=\"wp-image-12168\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-10.png\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-10.png 1160w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-10-300x69.png 300w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-10-1024x235.png 1024w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-10-768x176.png 768w, 
https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-10-750x172.png 750w\" sizes=\"auto, (max-width: 1160px) 100vw, 1160px\" \/><\/p>\n<p>Select the \u201cKey Vault Certificates Officer\u201d role<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1913\" height=\"653\" class=\"wp-image-12169\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-11.png\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-11.png 1913w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-11-300x102.png 300w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-11-1024x350.png 1024w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-11-768x262.png 768w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-11-1536x524.png 1536w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-11-750x256.png 750w\" sizes=\"auto, (max-width: 1913px) 100vw, 1913px\" \/><\/p>\n<p>Add the application name to this role:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1711\" height=\"908\" class=\"wp-image-12170\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-12.png\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-12.png 1711w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-12-300x159.png 300w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-12-1024x543.png 1024w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-12-768x408.png 768w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-12-1536x815.png 1536w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-12-750x398.png 750w\" sizes=\"auto, 
(max-width: 1711px) 100vw, 1711px\" \/><\/p>\n<h3>Venafi Configuration<\/h3>\n<p>Now, in Venafi, we can add an Azure Key Vault installation to a certificate.<\/p>\n<p>First, we need to create a new certificate type credential to hold the private key for the certificate used in the app registration<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"603\" height=\"394\" class=\"wp-image-12171\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-13.png\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-13.png 603w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-13-300x196.png 300w\" sizes=\"auto, (max-width: 603px) 100vw, 603px\" \/><\/p>\n<p>Upload the certificate pfx file and supply the pfx password<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"596\" height=\"204\" class=\"wp-image-12172\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-14.png\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-14.png 596w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-14-300x103.png 300w\" sizes=\"auto, (max-width: 596px) 100vw, 596px\" \/><\/p>\n<p>Navigate to the certificate you want published into the Azure Key Vault. 
From the \u201cActions\u201d menu, select \u201cAdd Installation\u201d<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1919\" height=\"527\" class=\"wp-image-12173\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-15.png\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-15.png 1919w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-15-300x82.png 300w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-15-1024x281.png 1024w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-15-768x211.png 768w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-15-1536x422.png 1536w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-15-750x206.png 750w\" sizes=\"auto, (max-width: 1919px) 100vw, 1919px\" \/><\/p>\n<p>Select \u201cTrack, validate, and automate installation of this certificate\u201d<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"923\" height=\"409\" class=\"wp-image-12174\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-16.png\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-16.png 923w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-16-300x133.png 300w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-16-768x340.png 768w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-16-750x332.png 750w\" sizes=\"auto, (max-width: 923px) 100vw, 923px\" \/><\/p>\n<p>Select a device and choose the \u201cAzure Key Vault\u201d installation type:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"614\" height=\"452\" class=\"wp-image-12175\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-17.png\" 
srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-17.png 614w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-17-300x221.png 300w\" sizes=\"auto, (max-width: 614px) 100vw, 614px\" \/><\/p>\n<p>The first half of the form does not need to be changed, although you can add a description explaining what the deployment is.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"933\" height=\"726\" class=\"wp-image-12176\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-18.png\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-18.png 933w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-18-300x233.png 300w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-18-768x598.png 768w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-18-750x584.png 750w\" sizes=\"auto, (max-width: 933px) 100vw, 933px\" \/><\/p>\n<p>Select the device credential for the host. The \u201cApplication ID\u201d is the Azure App ID from the registered application. The Certificate Credential is the Digital Signature private key uploaded for application authentication.<\/p>\n<p>The Azure Key Vault Name is the name of the key vault created in Azure, and Certificate Name is the \u201cfriendly\u201d name to be used in the certificate file deployed to the server. This often needs to be included in the application configuration (use this keystore file <em>and<\/em> use this certificate from the keystore). 
Because I am using this key in a release pipeline, I do not want to bind the certificate to a web service<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"913\" height=\"719\" class=\"wp-image-12177\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-19.png\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-19.png 913w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-19-300x236.png 300w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-19-768x605.png 768w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-19-750x591.png 750w\" sizes=\"auto, (max-width: 913px) 100vw, 913px\" \/><\/p>\n<p>The cert will be queued for installation into the Azure Key Vault<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1588\" height=\"123\" class=\"wp-image-12178\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-20.png\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-20.png 1588w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-20-300x23.png 300w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-20-1024x79.png 1024w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-20-768x59.png 768w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-20-1536x119.png 1536w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-20-750x58.png 750w\" sizes=\"auto, (max-width: 1588px) 100vw, 1588px\" \/><\/p>\n<p>Once the installation has completed, return to the Azure Portal to confirm that the certificate is now present in the key vault.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1916\" height=\"895\" class=\"wp-image-12179\" 
src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-21.png\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-21.png 1916w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-21-300x140.png 300w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-21-1024x478.png 1024w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-21-768x359.png 768w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-21-1536x717.png 1536w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-21-750x350.png 750w\" sizes=\"auto, (max-width: 1916px) 100vw, 1916px\" \/><\/p>\n<h2>Using the Key in a Pipeline<\/h2>\n<p>This document assumes:<\/p>\n<p>Azure CLI is installed (<a href=\"https:\/\/learn.microsoft.com\/en-us\/cli\/azure\/install-azure-cli-linux\">https:\/\/learn.microsoft.com\/en-us\/cli\/azure\/install-azure-cli-linux<\/a>)<\/p>\n<p>You already have an agent pool with an online agent in a deployment pool<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1919\" height=\"911\" class=\"wp-image-12180\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-22.png\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-22.png 1919w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-22-300x142.png 300w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-22-1024x486.png 1024w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-22-768x365.png 768w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-22-1536x729.png 1536w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-22-750x356.png 750w\" sizes=\"auto, (max-width: 1919px) 100vw, 
1919px\" \/><\/p>\n<p>And, finally, that you have a pipeline deployment that uses a static keystore. We will be replacing that static keystore file with one obtained from the Azure Key Vault.<\/p>\n<p>First, ensure the <strong>Azure DevOps service connection<\/strong> used by the pipeline has access to LJRVenafiTestKeyVault with at least:<\/p>\n<ul>\n<li><strong>Secrets<\/strong>: Get, List<\/li>\n<\/ul>\n<p>From the Azure command line, e.g.<\/p>\n<p>az role assignment create --assignee-object-id 107d2d9a-4d1b-4d8b-9cd6-0f95587eb9ae --assignee-principal-type ServicePrincipal --role &quot;Key Vault Secrets User&quot; --scope &quot;\/subscriptions\/dede429d-a340-4e90-8f76-05aa5280a1f5\/resourceGroups\/ljr-keyvault-demo\/providers\/Microsoft.KeyVault\/vaults\/LJRVenafiTestKeyVault&quot;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1619\" height=\"451\" class=\"wp-image-12181\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-23.png\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-23.png 1619w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-23-300x84.png 300w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-23-1024x285.png 1024w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-23-768x214.png 768w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-23-1536x428.png 1536w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-23-750x209.png 750w\" sizes=\"auto, (max-width: 1619px) 100vw, 1619px\" \/><\/p>\n<p>If you do not know which service connection is being used, update and run the pipeline. 
It will fail with a permission error, but the service connection\u2019s usage history will reflect the release pipeline\u2019s use:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1918\" height=\"857\" class=\"wp-image-12182\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-24.png\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-24.png 1918w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-24-300x134.png 300w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-24-1024x458.png 1024w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-24-768x343.png 768w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-24-1536x686.png 1536w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-24-750x335.png 750w\" sizes=\"auto, (max-width: 1918px) 100vw, 1918px\" \/><\/p>\n<p>Update your pipeline to retrieve the certificate from the Azure KeyVault. 
Add an Azure CLI task using an inline script<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1917\" height=\"901\" class=\"wp-image-12183\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-25.png\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-25.png 1917w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-25-300x141.png 300w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-25-1024x481.png 1024w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-25-768x361.png 768w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-25-1536x722.png 1536w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-25-750x353.png 750w\" sizes=\"auto, (max-width: 1917px) 100vw, 1917px\" \/><\/p>\n<p>set -euo pipefail<\/p>\n<p>PFX_FILE=&quot;$AGENT_TEMPDIRECTORY\/VenafiDeployedCertificate.pfx&quot;<\/p>\n<p>az keyvault secret download \\<\/p>\n<p>--vault-name LJRVenafiTestKeyVault \\<\/p>\n<p>--name VenafiDeployedCertificate \\<\/p>\n<p>--file &quot;$PFX_FILE&quot; \\<\/p>\n<p>--encoding base64<\/p>\n<p>echo &quot;Downloaded PFX to $PFX_FILE&quot;<\/p>\n<p>echo &quot;##vso[task.setvariable variable=PFX_PATH]$PFX_FILE&quot;<\/p>\n<p>If you need a JKS file, add an additional bash task with an inline script<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1919\" height=\"892\" class=\"wp-image-12184\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-26.png\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-26.png 1919w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-26-300x139.png 300w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-26-1024x476.png 1024w, 
https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-26-768x357.png 768w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-26-1536x714.png 1536w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-26-750x349.png 750w\" sizes=\"auto, (max-width: 1919px) 100vw, 1919px\" \/><\/p>\n<p>set -euo pipefail<\/p>\n<p>JKS_FILE=&quot;$AGENT_TEMPDIRECTORY\/VenafiDeployedCertificate.jks&quot;<\/p>\n<p># Verify keytool exists<\/p>\n<p>command -v keytool &gt;\/dev\/null 2&gt;&amp;1 || { echo &quot;keytool not found on agent&quot;; exit 1; }<\/p>\n<p>keytool -importkeystore \\<\/p>\n<p>-srckeystore &quot;$(PFX_PATH)&quot; \\<\/p>\n<p>-srcstoretype PKCS12 \\<\/p>\n<p>-srcstorepass &quot;&quot; \\<\/p>\n<p>-destkeystore &quot;$JKS_FILE&quot; \\<\/p>\n<p>-deststoretype JKS \\<\/p>\n<p>-deststorepass &quot;$(JksPassword)&quot; \\<\/p>\n<p>-destkeypass &quot;$(JksPassword)&quot; \\<\/p>\n<p>-noprompt<\/p>\n<p>echo &quot;Created JKS at $JKS_FILE&quot;<\/p>\n<p>echo &quot;##vso[task.setvariable variable=JKS_PATH]$JKS_FILE&quot;<\/p>\n<p>Add a pipeline variable for the JKS Password \u2013 make sure to click the lock icon to protect the password<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1916\" height=\"407\" class=\"wp-image-12185\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-27.png\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-27.png 1916w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-27-300x64.png 300w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-27-1024x218.png 1024w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-27-768x163.png 768w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-27-1536x326.png 1536w, 
https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-27-750x159.png 750w\" sizes=\"auto, (max-width: 1916px) 100vw, 1916px\" \/><\/p>\n<p>And, finally, add a bash task to copy the JKS or PFX file to the proper place on the server<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1915\" height=\"660\" class=\"wp-image-12186\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-28.png\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-28.png 1915w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-28-300x103.png 300w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-28-1024x353.png 1024w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-28-768x265.png 768w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-28-1536x529.png 1536w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-28-750x258.png 750w\" sizes=\"auto, (max-width: 1915px) 100vw, 1915px\" \/><\/p>\n<p>set -euo pipefail<\/p>\n<p># Copy JKS to location on server used in app config<\/p>\n<p>TARGET_DIR=&quot;\/opt\/credential-injection\/certs&quot;<\/p>\n<p>TARGET_JKS=&quot;$TARGET_DIR\/VenafiDeployedCertificate.jks&quot;<\/p>\n<p>cp &quot;$(JKS_PATH)&quot; &quot;$TARGET_JKS&quot;<\/p>\n<p>chmod 600 &quot;$TARGET_JKS&quot;<\/p>\n<p>echo &quot;JKS copied to $TARGET_JKS&quot;<\/p>\n<p># Or copy pfx to location on server used in app config<\/p>\n<p>TARGET_PFX=&quot;$TARGET_DIR\/VenafiDeployedCertificate.pfx&quot;<\/p>\n<p>cp &quot;$(PFX_PATH)&quot; &quot;$TARGET_PFX&quot;<\/p>\n<p>chmod 600 &quot;$TARGET_PFX&quot;<\/p>\n<p>Create a release to run the pipeline. 
Looking at the logs, you should see a confirmation that the pfx file was created<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1568\" height=\"905\" class=\"wp-image-12187\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-29.png\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-29.png 1568w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-29-300x173.png 300w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-29-1024x591.png 1024w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-29-768x443.png 768w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-29-1536x887.png 1536w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-29-750x433.png 750w\" sizes=\"auto, (max-width: 1568px) 100vw, 1568px\" \/><\/p>\n<p>And, if you are creating a JKS file, a confirmation that it was created as well<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1554\" height=\"525\" class=\"wp-image-12188\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-30.png\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-30.png 1554w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-30-300x101.png 300w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-30-1024x346.png 1024w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-30-768x259.png 768w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-30-1536x519.png 1536w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-30-750x253.png 750w\" sizes=\"auto, (max-width: 1554px) 100vw, 1554px\" \/><\/p>\n<p>You should also see the certificate file(s) on the 
server:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1146\" height=\"123\" class=\"wp-image-12189\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-31.png\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-31.png 1146w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-31-300x32.png 300w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-31-1024x110.png 1024w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-31-768x82.png 768w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-31-750x80.png 750w\" sizes=\"auto, (max-width: 1146px) 100vw, 1146px\" \/><\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Entra App Registration Add a new Entra App registration for Venafi There is no redirect URI needed for this registration In this example, my App ID is 05151153-f5d5-4ce8-94cb-9086d70d3c05 On app, go to certificates &amp; secrets. Upload PUBLIC key of a Digital Signature certificate. 
Confirm the public key has been added Key Vault Configuration In the &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1510,30],"tags":[2194,2193,2184,2192],"class_list":["post-12158","post","type-post","status-publish","format-standard","hentry","category-ado","category-system-administration","tag-certificate-automation","tag-certificate-management","tag-venafi","tag-venafi-tpp"],"_links":{"self":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/12158","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=12158"}],"version-history":[{"count":1,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/12158\/revisions"}],"predecessor-version":[{"id":12190,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/12158\/revisions\/12190"}],"wp:attachment":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=12158"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=12158"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=12158"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}