
1. Objective – Implement secure data solutions


1. Select Home > Resource groups, then choose your resource group, such as oreilly-az300
2. At the top of the resource group window select + Add, search for and select “key vault”,
then choose Create. Enter the following configuration information. If not noted below, use
the defaults:

Resource group: oreilly-az300
Key Vault name: keyvault-westus-<yourinitials-or-random-value>
Region: West US
Pricing tier: Standard

Encryption and decryption operations are performed in software at this tier. The
Premium tier performs all actions on the HSM itself.

3. You can configure access policies and network access at deployment time, but for now,
select Review + create. When ready, select Create.
4. If needed, select the notification bell in the top right-hand corner to view deployment
progress as the key vault is created. It takes a minute or two to create the key vault.
5. When ready, select Go to resource.

2. Objective – Create, read, update, and delete keys, secrets, and certificates by using the Key Vault
1. From your Key Vault, select Keys on the left-hand side, then choose to + Generate/Import.
Enter the following configuration information. If not noted below, use the defaults:

Options: Generate
Name: trainingkey
Key Type: RSA
RSA Key Size: 4096
Enabled: Yes

Note how you can set activation and expiration dates, and choose to set the key as
disabled.

2. When ready, select Create.


3. Select Secrets on the left-hand side, then choose + Generate/Import. Enter the following
configuration information. If not noted below, use the defaults:

Upload options: Manual
Name: trainingsecret
Value: super secret training value – the secret value is hidden by *** when you enter it
Enabled: Yes

Again, note how you can set activation and expiration dates, and choose to set the
secret as disabled.

4. When ready, select Create.


5. Select Certificates on the left-hand side, then choose + Generate/Import. Enter the
following configuration information. If not noted below, use the defaults:

Method of certificate creation: Generate
Certificate name: trainingcert
Type of Certificate Authority (CA): Self-signed certificate
Subject: CN=oreilly-az300.com

Note that you can choose to use an integrated or non-integrated CA to generate
real certificates, not just self-signed certs.

Note the options for setting the length of the certificate in months, and the ability to
automatically renew at a given percentage of its lifetime.

6. When ready, select Create. As this is a self-signed certificate, the key vault generates the
certificate signing request, passes it to its internal certificate authority, then receives the
certificate and adds it to the key vault. This process takes a few moments, so the certificate
initially shows as In progress, failed or cancelled.

Refresh the list after a few seconds and it should eventually show that the certificate is
completed and enabled.

These keys, secrets, and certificates could now be used with your applications. In practice,
applications or other Azure services often connect to Key Vault to generate and then
retrieve their own keys or certificates.
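Both objectives above can also be completed from the Azure CLI, which is how the same steps are usually scripted for repeatable deployments. The script below is an added example and is not part of the lab: the resource group, region, Standard tier, key name and size, secret name, certificate name and subject are taken from the lab text; the vault-name suffix, the DRY_RUN switch, the helper function names, the 80% auto-renew trigger and the key-usage list in the certificate policy are assumptions of this example. The certificate policy follows the JSON shape that `az keyvault certificate get-default-policy` returns, and the name check mirrors the Key Vault naming rules (3 to 24 characters, letters, digits and hyphens, starting with a letter, ending with a letter or digit, no consecutive hyphens).

```shell
#!/bin/sh
# Added example, not part of the lab: the two objectives done with the Azure
# CLI instead of the portal. Names from the lab; suffix, DRY_RUN and helper
# functions are assumptions of this example.
RESOURCE_GROUP="oreilly-az300"
LOCATION="westus"                         # "West US" in the portal
SKU="standard"                            # "premium" adds HSM-backed keys
VAULT_NAME="${VAULT_NAME:-keyvault-westus-abc123}"   # use your own suffix
CERT_SUBJECT="CN=oreilly-az300.com"
DRY_RUN="${DRY_RUN:-1}"                   # 1 = print az commands, 0 = run them

# Key Vault names: 3-24 chars of letters, digits and hyphens, starting with a
# letter, ending with a letter or digit, no "--". Checking locally avoids a
# failed deployment caused by a typo in the name. Returns 0 when valid.
validate_vault_name() {
  name="$1"
  [ "${#name}" -ge 3 ] && [ "${#name}" -le 24 ] || return 1
  case "$name" in *--*) return 1 ;; esac
  printf '%s' "$name" | grep -Eq '^[A-Za-z]([A-Za-z0-9-]*[A-Za-z0-9])?$'
}

# Print the az command line in DRY_RUN mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'az'; for arg in "$@"; do printf ' %s' "$arg"; done; printf '\n'
  else
    az "$@"
  fi
}

# Objective 1, steps 1-5: resource group and a Standard-tier vault. Access
# policies and network rules (left at defaults in the lab) would be added
# afterwards with "az keyvault set-policy" and "az keyvault network-rule add".
create_key_vault() {
  validate_vault_name "$VAULT_NAME" || { echo "invalid vault name: $VAULT_NAME" >&2; return 1; }
  run group create --name "$RESOURCE_GROUP" --location "$LOCATION"
  run keyvault create --name "$VAULT_NAME" --resource-group "$RESOURCE_GROUP" \
      --location "$LOCATION" --sku "$SKU"
}

# Objective 2, steps 1-2: 4096-bit RSA key. --not-before, --expires and
# --disabled are the CLI equivalents of the activation/expiration/Enabled
# fields; --protection hsm would require the Premium tier.
create_training_key() {
  run keyvault key create --vault-name "$VAULT_NAME" --name trainingkey \
      --kty RSA --size 4096
}

# Objective 2, steps 3-4: the secret. SECRET_VALUE, if set, overrides the
# lab's sample value so a real value need not be written into the script.
create_training_secret() {
  run keyvault secret set --vault-name "$VAULT_NAME" --name trainingsecret \
      --value "${SECRET_VALUE:-super secret training value}"
}

# Objective 2, step 5: self-signed policy in the shape returned by
# "az keyvault certificate get-default-policy", with the lab's subject and an
# auto-renew trigger at 80% of the lifetime (assumed value). Prints the path.
write_cert_policy() {
  policy_file="${TMPDIR:-/tmp}/trainingcert-policy.json"
  cat > "$policy_file" <<EOF
{
  "issuerParameters": { "name": "Self" },
  "keyProperties": { "exportable": true, "keySize": 2048, "keyType": "RSA", "reuseKey": true },
  "secretProperties": { "contentType": "application/x-pkcs12" },
  "lifetimeActions": [
    { "trigger": { "lifetimePercentage": 80 }, "action": { "actionType": "AutoRenew" } }
  ],
  "x509CertificateProperties": {
    "keyUsage": [ "digitalSignature", "keyEncipherment" ],
    "subject": "$CERT_SUBJECT",
    "validityInMonths": 12
  }
}
EOF
  printf '%s\n' "$policy_file"
}

create_training_cert() {
  policy_file=$(write_cert_policy)
  run keyvault certificate create --vault-name "$VAULT_NAME" --name trainingcert \
      --policy "@$policy_file"
}

# Objective 2, step 6: creation is asynchronous, so poll the pending operation
# instead of refreshing the portal list.
show_cert_status() {
  run keyvault certificate pending show --vault-name "$VAULT_NAME" --name trainingcert
}

create_key_vault && create_training_key && create_training_secret \
  && create_training_cert && show_cert_status
```

Run it as-is to review the commands it would issue; after `az login`, run it with `DRY_RUN=0 VAULT_NAME=keyvault-westus-<yourinitials>` to create the resources. The name check runs before anything is sent to Azure, which is the equivalent of the portal's inline validation on the Key Vault name field.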
