Two year limit on AD certificate

Category: azure disk encryption


RileyS on Mon, 15 Feb 2016 01:09:20

Two questions?

1) Why is there a two-year limit for the certificate?

2) What happens at the end of the two years and what needs to be done to continue?


Thomas W Shinder - MSFT on Mon, 15 Feb 2016 14:32:17

Hi Riley -

The two year limit is discussed in this PKI best practices article on the Azure Security blog:

Let me see what I can find out regarding details of what you need to do prior to certificate expiration.



BrettBartrum on Fri, 02 Dec 2016 18:56:50

Any update on what to do when the Azure AD Application (AAD) client secret expires? Thomas, could you dive into some more detail on how this functions? I want to make sure I understand how this technology works. From my understanding:

Key Vault has access to the Azure AD Application via Set-AzureRmKeyVaultAccessPolicy
Azure VMs gain access to the Key Vault via the AAD Client ID/Secret (secret expires in 1-2 years)
Key Vault will store and respond with BitLocker keys (never expire)
So if my understanding is correct, a new client secret will need to be generated and assigned to the BitLocker VMs. Otherwise the VMs won't boot after AAD key expiration?
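The flow laid out in the post above (Key Vault access policy for the AAD application, the VM extension authenticating with the AAD client ID/secret, and the rotation step the poster proposes), written out as an added PowerShell example. This is not code from the thread or from Microsoft; it uses the AzureRM cmdlets of that period (Login-AzureRmAccount already done), and the resource group, vault, VM and application names are hypothetical. In those AzureRM releases the -Password parameter of the AD cmdlets takes a plain string; newer releases expect a SecureString. The rotation section only shows the mechanics of issuing a new credential and re-running the extension with it; the thread does not settle whether the VM needs that to boot.

```powershell
# Added example, not from the original thread. All names below are hypothetical.
$rg        = 'rg-ade-demo'
$vaultName = 'kv-ade-demo'
$vmName    = 'vm-ade-demo'

# Generate a random client secret locally rather than typing one by hand.
function New-ClientSecret {
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

# 1. Azure AD application + service principal. The VM extension will present this
#    application's client ID and secret when it talks to Key Vault.
$secret = New-ClientSecret
$app = New-AzureRmADApplication -DisplayName 'ade-demo-app' `
           -HomePage 'https://ade-demo.local' -IdentifierUris 'https://ade-demo.local' `
           -Password $secret
$null = New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId

# 2. Key Vault access policy for the application (this is the Set-AzureRmKeyVaultAccessPolicy
#    step from the post): wrap keys and write secrets, which is where the BitLocker key lands.
Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ServicePrincipalName $app.ApplicationId `
    -PermissionsToKeys wrapKey -PermissionsToSecrets set
# Allow Azure Disk Encryption itself to retrieve secrets and unwrap keys from this vault.
Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $rg -EnabledForDiskEncryption
$kv = Get-AzureRmKeyVault -VaultName $vaultName -ResourceGroupName $rg

# 3. Optional key-encryption key that wraps the BitLocker key before it is stored in the vault.
$kek = Add-AzureKeyVaultKey -VaultName $vaultName -Name 'ade-kek' -Destination Software

# 4. Enable encryption on the VM using the AAD client ID/secret.
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
    -AadClientID $app.ApplicationId -AadClientSecret $secret `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri -DiskEncryptionKeyVaultId $kv.ResourceId `
    -KeyEncryptionKeyUrl $kek.Key.Kid -KeyEncryptionKeyVaultId $kv.ResourceId `
    -VolumeType All -Force
Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName

# 5. The check a practitioner wants: when does the client secret actually expire?
#    EndDate is the expiry of each credential on the application.
Get-AzureRmADAppCredential -ApplicationId $app.ApplicationId |
    Select-Object KeyId, StartDate, EndDate

# 6. Rotation as the post proposes: add a second credential, re-run the extension with the
#    new secret, then retire the credential that expires first. (Assumed procedure; the
#    thread does not confirm that the VM depends on it at boot time.)
$newSecret = New-ClientSecret
$null = New-AzureRmADAppCredential -ApplicationId $app.ApplicationId -Password $newSecret
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
    -AadClientID $app.ApplicationId -AadClientSecret $newSecret `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri -DiskEncryptionKeyVaultId $kv.ResourceId `
    -KeyEncryptionKeyUrl $kek.Key.Kid -KeyEncryptionKeyVaultId $kv.ResourceId `
    -VolumeType All -Force
$old = Get-AzureRmADAppCredential -ApplicationId $app.ApplicationId |
           Sort-Object EndDate | Select-Object -First 1
Remove-AzureRmADAppCredential -ApplicationId $app.ApplicationId -KeyId $old.KeyId -Force
```

Keeping two credentials on the application during the swap is what makes the rotation safe to script: nothing depends on the old secret between the moment the new one is issued and the moment the old KeyId is removed, so the Remove step can be held back until the extension status has been re-checked.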