docs/documentation/platform/pki/applications/certificate-syncs/azure-key-vault.mdx
Store certificates in Azure Key Vault as certificate objects. Certificates synced to Key Vault can be used with Azure App Service, Application Gateway, and other Azure services.
<Info> Certificate Syncs are configured per Application. First select which certificates to sync, then configure the Key Vault destination. </Info>certificates/listcertificates/getcertificates/importcertificates/delete 2. Select the **Azure Key Vault** option.
3. Configure the **Destination**:
- **Azure Connection**: The Azure Connection to authenticate with.
- **Vault Base URL**: The URL of your Azure Key Vault.
4. Configure the **Sync Options**:
- **Enable Removal of Expired/Revoked Certificates**: Remove certificates from the destination if they are no longer active.
- **Enable Versioning on Renewal**: Create a new version of the certificate on renewal instead of a new certificate.
- **Include Root CA**: Include the Root CA certificate in the chain.
- **Certificate Name Schema**: Customize certificate names using `{{certificateId}}` placeholder.
- **Auto-Sync Enabled**: Automatically sync certificates when changes occur.
<Tip>
**Soft Delete**: Removed certificates are soft-deleted. To resync them, you must **purge** or **recover** them in Azure.
</Tip>
5. Configure the **Details**:
- **Name**: The name of your sync (slug-friendly).
- **Description**: Optional description.
6. Select which certificates should be synced.
7. Review and click **Create Sync**.
</Tab>
<Tab title="API">
To create an **Azure Key Vault Certificate Sync**, make an API request to the [Create Azure Key Vault Certificate Sync](/api-reference/endpoints/pki/syncs/azure-key-vault/create) API endpoint.
### Sample request
<Note>
You can optionally specify `certificateIds` during sync creation to immediately add certificates to the sync.
If not provided, you can add certificates later using the certificate management endpoints.
</Note>
```bash Request
curl --request POST \
--url https://app.infisical.com/api/v1/cert-manager/syncs/azure-key-vault \
--header 'Authorization: Bearer <access-token>' \
--header 'Content-Type: application/json' \
--data '{
"name": "my-key-vault-cert-sync",
"applicationId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"description": "an example certificate sync",
"connectionId": "550e8400-e29b-41d4-a716-446655440000",
"destination": "azure-key-vault",
"isAutoSyncEnabled": true,
"certificateIds": [
"550e8400-e29b-41d4-a716-446655440000",
"660f1234-e29b-41d4-a716-446655440001"
],
"syncOptions": {
"canRemoveCertificates": true,
"enableVersioningOnRenewal": true,
"includeRootCa": false,
"certificateNameSchema": "myapp-{{certificateId}}"
},
"destinationConfig": {
"vaultBaseUrl": "https://my-key-vault.vault.azure.net"
}
}'
```
### Sample response
```json Response
{
"pkiSync": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"name": "my-key-vault-cert-sync",
"description": "an example certificate sync",
"destination": "azure-key-vault",
"isAutoSyncEnabled": true,
"destinationConfig": {
"vaultBaseUrl": "https://my-key-vault.vault.azure.net"
},
"syncOptions": {
"canRemoveCertificates": true,
"enableVersioningOnRenewal": true,
"includeRootCa": false,
"certificateNameSchema": "myapp-{{certificateId}}"
},
"applicationId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connectionId": "550e8400-e29b-41d4-a716-446655440000",
"createdAt": "2023-01-01T00:00:00.000Z",
"updatedAt": "2023-01-01T00:00:00.000Z"
}
}
```
</Tab>
The Azure Key Vault Certificate Sync provides:
You can manually trigger certificate synchronization to Azure Key Vault using the sync certificates functionality. This is useful for:
To manually sync certificates, use the Sync Certificates API endpoint or the manual sync option in the Infisical UI.