services / Azure / Key Vault certificate
An Azure Key Vault certificate is a managed X.509 certificate object that bundles a private key, the certificate (public) material, and an issuance/lifecycle policy. It is a credential used by applications and services for TLS, signing, and authentication.
Certificates carry private key material; compromising one lets an attacker impersonate, or intercept traffic to (MITM), the services that depend on it. Vaults are CRITICAL-sensitivity assets per the scope guide.
Microsoft.KeyVault/Vaults/certificates/create/action
Creates a new certificate, or a new version of an existing certificate. An attacker holding this permission can have the vault issue a certificate under a trusted identity, which a dependent application or TLS endpoint will subsequently present and trust, enabling impersonation.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.
Contributed by P0 Security