Azure Key Vault is a trusted home for secrets, keys, and certificates. For organizations running on Microsoft Azure, it has become the default place to store TLS certificates and the private keys that back them, and it does that job well. The trouble starts when teams assume that storing certificates in Key Vault is the same as managing them across the enterprise. It is not, and that gap is about to become a serious operational problem.
The reason is timing. Certificate lifespans are collapsing. Following the CA/Browser Forum’s approval of Ballot SC-081v3, maximum publicly trusted TLS validity dropped from 398 to 200 days in March 2026, falls to 100 days in March 2027, and reaches just 47 days in March 2029. At 47 days, a certificate is renewed roughly eight times a year. Across an estate of a thousand certificates, that is close to 8,000 renewals a year, more than thirty on every working day, and every one of them is also a deployment, because a renewed certificate that never reaches its endpoint changes nothing. The ballot binds publicly trusted TLS certificates, but the operational lesson applies to every certificate an organization has to renew and install.
Manual processes and partial automation simply cannot keep that pace. This blog examines what Azure Key Vault does well for certificates, where its built-in capabilities run out, and how to build automation that holds up under the 47-day reality.
What Azure Key Vault Does Well
Key Vault earns its reputation as a secure store. It provides hardened, access-controlled storage for certificates and private keys, integrates cleanly with other Azure services, and offers some genuine convenience features for certificates that live entirely within the Azure ecosystem.
For certificates issued through one of Key Vault’s integrated CA partners (DigiCert and GlobalSign), you can configure automatic renewal in the certificate policy, and Key Vault reissues the certificate as a new version when the policy’s lifetime action fires, either at a percentage of the validity period or a set number of days before expiry. The same trigger can instead email the vault’s certificate contacts, and Key Vault publishes CertificateNearExpiry, CertificateNewVersionCreated, and CertificateExpired events to Event Grid so other systems can react. For an organization whose certificate footprint sits neatly inside Azure and uses an integrated CA, these features cover a meaningful portion of day-to-day needs, with one caveat: a renewal produces a new certificate version in the vault, and anything that references a specific version, or has cached the old one, keeps presenting the old certificate until it is told otherwise.
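An added example, not code from the original post or from any Azure SDK: a stdlib-only Python model of the two trigger types a Key Vault lifetime action can use, lifetimePercentage and daysBeforeExpiry, run across the SC-081v3 validity stages. The issuance instant and the two triggers compared (80 percent of lifetime versus a fixed 30 days before expiry) are constructed for illustration; the point is to see what a trigger chosen for 398-day certificates does at 47 days.

```python
"""Key Vault lifetime-action triggers as validity shrinks (stdlib only).

A Key Vault certificate policy fires its lifetime action (AutoRenew or
EmailContacts) from one of two triggers: lifetimePercentage (1-99 percent of
the validity period elapsed) or daysBeforeExpiry. This models both so the
effect of a trigger chosen for 398-day certificates can be seen at 200, 100
and 47 days.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Maximum publicly trusted TLS validity in days, per CA/Browser Forum Ballot SC-081v3.
SC081_STAGES = [("before Mar 2026", 398), ("Mar 2026", 200), ("Mar 2027", 100), ("Mar 2029", 47)]


@dataclass(frozen=True)
class LifetimeTrigger:
    """The trigger half of a Key Vault lifetimeActions entry; exactly one field is set."""
    lifetime_percentage: Optional[int] = None
    days_before_expiry: Optional[int] = None

    def __post_init__(self) -> None:
        if (self.lifetime_percentage is None) == (self.days_before_expiry is None):
            raise ValueError("set exactly one of lifetime_percentage or days_before_expiry")
        if self.lifetime_percentage is not None and not 1 <= self.lifetime_percentage <= 99:
            raise ValueError("lifetime_percentage must be between 1 and 99")
        if self.days_before_expiry is not None and self.days_before_expiry < 1:
            raise ValueError("days_before_expiry must be at least 1")

    def fire_time(self, not_before: datetime, not_after: datetime) -> datetime:
        """Instant at which the action fires for a certificate valid over [not_before, not_after]."""
        lifetime = not_after - not_before
        if lifetime <= timedelta(0):
            raise ValueError("not_after must be later than not_before")
        if self.lifetime_percentage is not None:
            return not_before + lifetime * self.lifetime_percentage / 100
        fire = not_after - timedelta(days=self.days_before_expiry)
        if fire <= not_before:
            # A fixed lead time longer than the certificate's life can never fire sensibly.
            raise ValueError(f"days_before_expiry={self.days_before_expiry} exceeds a {lifetime.days}-day lifetime")
        return fire


def renewal_cadence(validity_days: int, trigger: LifetimeTrigger) -> Dict[str, float]:
    """Renewal interval, remaining margin and yearly renewals if each renewal fires on the trigger."""
    issued = datetime(2029, 3, 15, tzinfo=timezone.utc)      # constructed issuance instant
    expires = issued + timedelta(days=validity_days)
    fire = trigger.fire_time(issued, expires)
    renew_every = (fire - issued).total_seconds() / 86400
    margin = (expires - fire).total_seconds() / 86400
    return {
        "validity_days": validity_days,
        "renew_every_days": round(renew_every, 1),
        "margin_days": round(margin, 1),
        "renewals_per_year": round(365 / renew_every, 1),
    }


def compare_triggers(triggers: Dict[str, LifetimeTrigger]) -> List[Dict[str, object]]:
    """One row per SC-081 stage and trigger; rows where the trigger cannot fire are marked invalid."""
    rows: List[Dict[str, object]] = []
    for stage, validity in SC081_STAGES:
        for label, trigger in triggers.items():
            try:
                rows.append({"stage": stage, "trigger": label, **renewal_cadence(validity, trigger)})
            except ValueError as exc:
                rows.append({"stage": stage, "trigger": label, "validity_days": validity, "invalid": str(exc)})
    return rows


if __name__ == "__main__":
    compared = {"80% of lifetime": LifetimeTrigger(lifetime_percentage=80),
                "30 days before expiry": LifetimeTrigger(days_before_expiry=30)}
    for row in compare_triggers(compared):
        print(row)
```

Two things fall out of the table. A fixed 30-day lead, a common choice for one-year certificates, makes a 47-day certificate renew every 17 days, about 21 times a year, nearly tripling the workload the text estimates. A percentage trigger scales with validity, but at 47 days the 80 percent rule leaves roughly nine days to notice and repair a renewal that failed, which is the window your alerting has to fit inside.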
The key phrase, though, is “entirely within the Azure ecosystem.” That is where the boundaries begin to show.
Where Key Vault’s Built-In Management Runs Out
While Azure Key Vault simplifies certificate management within Azure, enterprise-scale operations quickly run into limitations around CA flexibility, deployment automation, visibility, and governance. The following areas highlight where built-in management begins to fall short:
Limited Certificate Authority Flexibility
Key Vault’s auto-renewal works only with its integrated CA partners. For any other CA, whether an internal private PKI, a commercial CA outside the partner list, or a CA inherited through an acquisition, Key Vault does part of the job: create the certificate with the issuer set to Unknown and the vault generates the key pair and a CSR, which you retrieve (az keyvault certificate pending show), take to the CA, and merge back once signed (az keyvault certificate pending merge), so the private key never leaves the vault. Submitting the request, tracking the pending operation, and repeating the cycle on schedule is still your script’s problem, and if you take the shortcut of importing an externally generated PFX instead, the key has already existed outside the vault. For organizations that deliberately run multiple CAs for resilience, cost, or compliance reasons, this is a structural limitation, not a minor inconvenience.
No Last-Mile Deployment Beyond Azure
This is the most consequential gap. Storing a renewed certificate in Key Vault is not the same as deploying it to the systems that actually use it. Certificates do not just live in the vault. They live on load balancers, application gateways, NGINX and Apache servers, Kubernetes ingress controllers, service meshes, firewalls, and countless other endpoints, many of which sit outside Azure’s automation boundary entirely.
Key Vault can hold the certificate, but it will not push it to an F5 load balancer, bind it to a non-Azure web server, or update an ingress controller in a cluster running elsewhere, and then verify that the deployment succeeded. Inside Azure, services that reference a Key Vault certificate, such as Application Gateway and App Service, poll the vault for new versions on their own schedule; outside Azure, nothing does. That last mile, getting the certificate installed on the right endpoint and confirming the service is actually presenting it, is exactly where certificate-related outages happen. Leaving it to custom scripts and manual effort is precisely the fragility the 47-day cadence will expose.
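An added example of the verification step this paragraph describes, not code from the original post or from any vendor platform: a stdlib-only Python check that opens a TLS connection to each endpoint that should carry the renewed certificate and compares the thumbprint of what is actually served with the thumbprint Key Vault reports for the stored version. The hostnames, the endpoint list and the certificate bytes used in the offline test are constructed; the thumbprint formats (uppercase hex from az keyvault certificate show, base64url from the REST API) are Key Vault’s.

```python
"""Last-mile verification: does the endpoint serve the certificate Key Vault holds?

Key Vault reports a SHA-1 thumbprint for every certificate version
(x509Thumbprint, base64url, in the REST API; x509ThumbprintHex in the output
of `az keyvault certificate show`). Opening a TLS connection to each endpoint
that should carry the renewed certificate and comparing thumbprints confirms
the deployment took, instead of trusting that a push script exited zero.
"""
import base64
import hashlib
import socket
import ssl
import sys
from typing import Callable, Dict, Iterable, List, Tuple

Endpoint = Tuple[str, int, str]        # (host, port, SNI name to present)
Fetcher = Callable[[str, int, str], bytes]


def sha1_thumbprint_hex(der: bytes) -> str:
    """Same form as x509ThumbprintHex: uppercase hex, no separators."""
    return hashlib.sha1(der).hexdigest().upper()


def to_rest_thumbprint(hex_thumbprint: str) -> str:
    """Base64url without padding, the x509Thumbprint form the REST API returns."""
    return base64.urlsafe_b64encode(bytes.fromhex(hex_thumbprint)).decode().rstrip("=")


def normalize_thumbprint(value: str) -> str:
    """Accept hex (with or without colons) or the REST API's base64url form."""
    compact = value.replace(":", "").replace(" ", "").strip()
    if len(compact) == 40 and all(c in "0123456789abcdefABCDEF" for c in compact):
        return compact.upper()
    raw = base64.urlsafe_b64decode(compact + "=" * (-len(compact) % 4))
    if len(raw) != 20:
        raise ValueError(f"not a SHA-1 thumbprint: {value!r}")
    return raw.hex().upper()


def fetch_served_leaf_der(host: str, port: int, server_name: str, timeout: float = 5.0) -> bytes:
    """DER of the leaf certificate the endpoint presents for server_name.

    Chain verification is deliberately off: the question is what is being
    served, including a stale or mis-bound certificate, not whether it validates.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            return tls.getpeercert(binary_form=True)


def check_binding(expected_thumbprint: str, endpoints: Iterable[Endpoint],
                  fetch: Fetcher = fetch_served_leaf_der) -> Dict[str, List[str]]:
    """Classify each endpoint as ok (serves the vault's certificate), stale, or unreachable.

    `fetch` is injectable so the logic can be exercised offline; the default
    performs a real TLS handshake.
    """
    expected = normalize_thumbprint(expected_thumbprint)
    report: Dict[str, List[str]] = {"ok": [], "stale": [], "unreachable": []}
    for host, port, sni in endpoints:
        label = f"{host}:{port} ({sni})"
        try:
            served = sha1_thumbprint_hex(fetch(host, port, sni))
        except (OSError, ssl.SSLError):           # refused, timed out, handshake failed
            report["unreachable"].append(label)
            continue
        report["ok" if served == expected else "stale"].append(label)
    return report


if __name__ == "__main__":
    # Usage: python check_binding.py <thumbprint> host:port[:sni] ...
    targets = []
    for arg in sys.argv[2:]:
        host, port, *sni = arg.split(":")
        targets.append((host, int(port), sni[0] if sni else host))
    outcome = check_binding(sys.argv[1], targets)
    print(outcome)
    sys.exit(1 if outcome["stale"] or outcome["unreachable"] else 0)
```

Presenting the SNI name matters: a load balancer that hosts several certificates will hand back a default one if you connect by IP alone, and the check would report a false mismatch. Run it after every renewal lands in the vault, and treat a stale result as a failed deployment rather than a warning.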
Fragmented Visibility Across a Real Environment
Most enterprises are not all-Azure. They run workloads across multiple clouds, on-premises infrastructure, and hybrid setups. Key Vault gives you visibility into the certificates stored in Key Vault, but it has no view of the certificates sitting in AWS, in Google Cloud, on physical servers in a data center, or in a Kubernetes cluster outside Azure. The result is a fragmented picture, and fragmented visibility is how shadow certificates and surprise expirations creep in. You cannot manage, renew, or protect a certificate you cannot see.
Governance That Does Not Span the Estate
Enterprise certificate management requires consistent policies, such as approved CAs, minimum key sizes, permitted algorithms, validity rules, and role-based access, enforced uniformly everywhere. Key Vault can govern what is inside it, but it cannot enforce a single, consistent policy across every cloud, every CA, and every on-premises endpoint your organization uses. Without that uniformity, governance becomes inconsistent, and inconsistency is what audit findings are made of.
The Right Model: Orchestration Above Key Vault, Not Instead of It
The solution is not to abandon Azure Key Vault. Key Vault is a strong store, and there is no reason to replace it. The solution is to put a certificate lifecycle management platform above it, acting as the orchestration layer that turns Key Vault into one well-managed component of a larger, automated, CA-agnostic certificate ecosystem.
In that model, the CLM platform handles the work Key Vault was never designed to do. Three capabilities define what good looks like.
Smart discovery across everything. Effective automation begins with complete visibility. The platform should continuously discover certificates everywhere they live, in Azure Key Vault, in other clouds, on-premises, and in container environments, consolidating them into a single inventory enriched with issuer, expiry, key size, algorithm, and location. Organizations routinely discover far more certificates than they expected once they scan properly, and surfacing the unknown ones is the first step to controlling them.
CA-agnostic, protocol-flexible, closed-loop automation. The platform should run the full renewal loop without human intervention regardless of which CA issues the certificate: detect the approaching expiry, check policy, generate the signing request, call the CA, retrieve the certificate, store it in Key Vault, and then push it to the correct endpoint and verify the binding. Support for protocols like ACME, SCEP, and EST, alongside direct CA integrations, is what makes this work across a heterogeneous estate. This closes the last-mile gap that Key Vault alone leaves open.
Policy enforcement and governance everywhere. The platform should enforce one set of cryptographic policies, approved CAs, key strengths, algorithms, and validity rules, consistently across every environment, with role-based access control and audit-ready reporting. This gives you uniform governance and the compliance evidence that Key Vault’s vault-scoped controls cannot produce on their own.
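An added example of the policy evaluation described here and in the governance section above, not code from the original post or from any CLM product: one rule set in stdlib-only Python, applied to an inventory whose records come from several environments. The inventory, the issuer names, and the policy thresholds are constructed; the SC-081v3 dates and validity caps are the ballot’s, applied by issuance date so each publicly trusted certificate is judged against the limit in force when it was issued. Private PKI is not bound by the ballot, so it gets a cap of your own choosing.

```python
"""One cryptographic policy evaluated over a certificate inventory that spans environments.

The inventory below is constructed for the example. In practice discovery
fills it from Key Vault, other clouds, on-premises hosts and clusters; the
point is that one rule set judges every record the same way. Publicly trusted
certificates are held to the SC-081v3 cap in force on their issuance date;
private PKI is not bound by the ballot, so it gets a cap you set yourself.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Set

# (effective date, max validity in days) from CA/Browser Forum Ballot SC-081v3; 398 before the first step.
SC081_SCHEDULE = [(date(2026, 3, 15), 200), (date(2027, 3, 15), 100), (date(2029, 3, 15), 47)]
PRE_SC081_MAX_DAYS = 398


def max_public_validity(issued: date) -> int:
    """Validity cap that applied to a publicly trusted certificate issued on `issued`."""
    cap = PRE_SC081_MAX_DAYS
    for effective, days in SC081_SCHEDULE:
        if issued >= effective:
            cap = days
    return cap


@dataclass
class Policy:
    approved_issuers: Set[str]
    allowed_algorithms: Set[str] = field(default_factory=lambda: {"RSA", "ECDSA"})
    min_rsa_bits: int = 2048
    min_ec_bits: int = 256
    allowed_hashes: Set[str] = field(default_factory=lambda: {"sha256", "sha384", "sha512"})
    max_private_validity_days: int = 365     # your own cap for private PKI; SC-081 does not apply


@dataclass
class CertRecord:
    name: str
    location: str      # where discovery found it: "azure-keyvault", "aws-acm", "onprem:web01", "k8s:ingress"
    issuer: str
    algorithm: str     # "RSA" or "ECDSA"
    key_bits: int
    sig_hash: str
    not_before: date
    not_after: date
    public: bool       # publicly trusted, so SC-081v3 applies


def evaluate(rec: CertRecord, policy: Policy) -> List[str]:
    """Findings for one certificate; an empty list means compliant."""
    findings: List[str] = []
    if rec.issuer not in policy.approved_issuers:
        findings.append(f"issuer not approved: {rec.issuer}")
    if rec.algorithm not in policy.allowed_algorithms:
        findings.append(f"algorithm not permitted: {rec.algorithm}")
    elif rec.algorithm == "RSA" and rec.key_bits < policy.min_rsa_bits:
        findings.append(f"RSA key {rec.key_bits} below minimum {policy.min_rsa_bits}")
    elif rec.algorithm == "ECDSA" and rec.key_bits < policy.min_ec_bits:
        findings.append(f"EC key {rec.key_bits} below minimum {policy.min_ec_bits}")
    if rec.sig_hash.lower() not in policy.allowed_hashes:
        findings.append(f"signature hash not permitted: {rec.sig_hash}")
    validity = (rec.not_after - rec.not_before).days
    cap = max_public_validity(rec.not_before) if rec.public else policy.max_private_validity_days
    if validity > cap:
        findings.append(f"validity {validity} days exceeds cap of {cap}")
    return findings


def evaluate_inventory(records: List[CertRecord], policy: Policy) -> Dict[str, List[str]]:
    """Non-compliant certificates keyed by name@location, each with its findings."""
    return {f"{r.name}@{r.location}": f for r in records if (f := evaluate(r, policy))}


SAMPLE_POLICY = Policy(approved_issuers={"Example Public CA", "Contoso Issuing CA 01"})
SAMPLE_INVENTORY = [   # constructed records
    CertRecord("api.contoso.example", "azure-keyvault", "Example Public CA", "RSA", 2048, "sha256",
               date(2026, 4, 1), date(2026, 10, 18), public=True),      # 200 days, at the 2026 cap
    CertRecord("edge.contoso.example", "aws-acm", "Example Public CA", "ECDSA", 256, "sha256",
               date(2029, 4, 1), date(2029, 5, 18), public=True),       # 47 days, at the 2029 cap
    CertRecord("db-proxy.internal", "k8s:ingress", "Contoso Issuing CA 01", "RSA", 3072, "sha256",
               date(2025, 6, 1), date(2027, 6, 1), public=False),       # two-year private certificate
    CertRecord("legacy.contoso.example", "onprem:web01", "Shadow Self-Signed", "RSA", 1024, "sha1",
               date(2024, 3, 1), date(2025, 3, 1), public=False),       # found by discovery, never in a vault
]

if __name__ == "__main__":
    for key, findings in evaluate_inventory(SAMPLE_INVENTORY, SAMPLE_POLICY).items():
        print(key, "->", "; ".join(findings))
```

The on-premises self-signed record is the case the text calls a shadow certificate: it trips three rules at once, and it could only be judged at all because discovery put it in the same inventory as the vault-held certificates. The same evaluate function is what a renewal loop should run before it asks a CA for anything.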
With this architecture, Key Vault keeps doing what it is good at, secure storage and tight Azure integration, while the CLM platform delivers the visibility, cross-environment automation, and governance that enterprise-scale certificate management under a 47-day mandate demands.
How Encryption Consulting Can Help
Building that orchestration layer is exactly what Encryption Consulting enables, with both the platform and the expertise to make Azure Key Vault part of a resilient, automated certificate practice.
CertSecure Manager is our certificate lifecycle management solution, and it is built to sit above stores like Azure Key Vault as the orchestration layer described here. It delivers smart discovery across Azure, other clouds, on-premises, and container environments, consolidating every certificate into a single inventory so nothing hides.
Its CA-agnostic, closed-loop automation handles issuance, renewal, and revocation regardless of which CA issued a certificate, and it carries the certificate all the way to the endpoint, whether that is an Azure resource, an F5 or NGINX load balancer, a Kubernetes ingress, or an on-premises server, then validates the deployment.
Its centralized policy engine enforces approved CAs, key sizes, algorithms, and validity rules uniformly across your whole estate, with the role-based access control and audit trails that compliance requires. Under the 47-day mandate, that end-to-end automation is what turns an unmanageable volume of renewals into a routine, hands-off process, with Key Vault continuing to serve as your secure store.
To extend protection further, CBOM Secure broadens discovery beyond certificates into your full cryptographic landscape of algorithms, keys, and protocols, producing the cryptographic bill of materials that supports compliance and prepares you for the post-quantum transition that follows the move to shorter lifespans.
For organizations that need certificates from a CA outside Key Vault’s integrated partners, PKI-as-a-Service provides a modern, scalable private CA without on-premises overhead or vendor lock-in, and HSM-as-a-Service protects the private keys behind your certificates with high-assurance hardware isolation.
On the advisory side, our PKI Services team helps design and modernize the enterprise and Microsoft PKI that underpins certificate issuance, our Cloud Data Protection Services help you secure data and keys across Azure and other clouds, and our Compliance Advisory Services ensure your certificate practices satisfy PCI-DSS, HIPAA, NIST, and other frameworks.
Whether you are wrestling with renewals that Key Vault cannot reach, preparing for the 47-day mandate, or building a unified multi-cloud certificate strategy, Encryption Consulting can help. Get in touch to assess your Azure certificate operations and build automation that scales.
Conclusion
Azure Key Vault is a strong place to store certificates, but storage is not management. Its built-in capabilities work well for certificates that live entirely within Azure and use an integrated CA, and they fall short the moment your environment includes other CAs, other clouds, on-premises systems, or endpoints that need certificates pushed and verified, which describes virtually every real enterprise.
The shrinking certificate lifespan turns that gap from a tolerable annoyance into an operational risk. When certificates renew eight times a year across thousands of endpoints, every manual step and every unreachable endpoint becomes a potential outage. The answer is not to replace Key Vault but to elevate it, placing a CA-agnostic CLM platform above it to deliver the discovery, end-to-end automation, and uniform governance that the 47-day era requires.
Key Vault should keep doing what it does best. Let an orchestration layer handle the rest, and the next few years of accelerating cryptographic change become a matter of routine automation rather than constant firefighting.
