services / Azure / Key Vault certificate issuer

A certificate issuer (certificatecas) is a data-plane object in a Key Vault that stores the configuration and CA account credentials used to enroll and renew certificates through an external certificate authority (e.g. DigiCert, GlobalSign).

The issuer holds CA account credentials (account ID and API key/password) and controls how trusted certificates are minted for dependent services; it lives in the CRITICAL-sensitivity Key Vault data plane.


Microsoft.​KeyVault/​Vaults/​certificatecas/​read

The Key Vault GetCertificateIssuer data action returns the issuer's credentials object (account ID and password/API key) used to authenticate to the external CA, exposing usable secret material that could be abused to mint certificates.

Risks

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.

Links

  • https:​/​/​azure.​permissions.​cloud/​iam/​Microsoft.​KeyVault
  • https:​/​/​learn.​microsoft.​com/​en-​us/​azure/​role-​based-​access-​control/​resource-​provider-​operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog