Managed SSL Certificates (by 3SR)
by 3SR
Automated SSL certificate lifecycle in your Key Vault, GlobalSign OV by 3SR.
What it does
This solution deploys an Azure Key Vault (RBAC mode) and a Storage Account with an sslcerts container in your subscription, then 3SR issues your Organization-Validated (OV) SSL/TLS certificates via the GlobalSign Managed SSL API and pushes them directly into your Key Vault. Renewal is automated. Certificates and private keys never leave your tenant.
Key benefits
Tenant-only certificate storage: certificates and private keys live in your Azure Key Vault under your RBAC. 3SR's automation reads/writes via least-privilege roles (Key Vault Certificates Officer + Storage Blob Data Contributor on the managed RG only).
OV trust level via GlobalSign: Organization-Validated certificates issued by GlobalSign, suitable for production-grade public-facing endpoints, superior to free Domain-Validated alternatives.
Mutualized vetting: vet your organization once with KBIS / corporate documents, vet each DNS domain once via TXT record. Subsequent issuances and renewals on a known domain happen in minutes.
Automated renewal: 3SR detects upcoming expirations and re-issues / pushes new certificates into your Key Vault before expiry. Consuming services (App Gateway, Front Door, App Service) read updated certificates via Key Vault references with no manual intervention.
How it works (high level)
Initial onboarding (one-time): you provide vetting documents to 3SR (KBIS, articles of association, address proof, authorized signatory). 3SR registers your organization with GlobalSign Managed SSL. Duration on the GlobalSign side: typically 2-5 business days.
Domain vetting (per parent domain): GlobalSign verifies DNS ownership via a TXT record. Duration: usually under one business day per domain.
Marketplace deployment: an Azure Key Vault and a Storage Account are provisioned in your tenant in a managed resource group. You drop the JSON list of common names (CNs) to manage in the sslcerts container.
Issuance and renewal: 3SR's automation reads the JSON list, calls GlobalSign Managed SSL via the 3SR relay, and pushes the issued certificates into your Key Vault. Renewal is automatic before expiry.
Typical use cases
Public-facing Azure App Gateway, Front Door, or App Service that needs OV certificates with mutualized renewal.
Regulated industries (defense, banking, healthcare) requiring sovereign certificate storage and audit trail.
Mid-market / enterprise customers managing tens to hundreds of certificates across multiple subscriptions and wanting to externalize the chore without losing control of the keys.
Security & permissions
The customer Key Vault runs in RBAC mode with soft-delete and purge protection enabled. 3SR receives Key Vault Certificates Officer + Storage Blob Data Contributor, strictly scoped to the managed resource group (least privilege, anti-pattern L13 corrected).
Vetting is mandatory: no certificate can be issued for a domain without prior DNS vetting and organization vetting.
3SR does not extract private keys from your Key Vault. Operations are limited to creation and renewal under your RBAC consent.
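A customer can check these claims against their own tenant. The following is an added example, not 3SR's code: it audits JSON shaped like the output of `az keyvault show` and `az role assignment list`, and the subscription ID, resource group name and principal ID in the sample data are constructed placeholders.

```python
# Added example: audits the settings claimed in "Security & permissions".
# Sample data below is constructed; IDs and resource names are placeholders.
EXPECTED_ROLES = {"Key Vault Certificates Officer", "Storage Blob Data Contributor"}
VAULT_FLAGS = {"enableRbacAuthorization": "RBAC mode",
               "enableSoftDelete": "soft-delete",
               "enablePurgeProtection": "purge protection"}

def audit(vault, assignments, principal_id, managed_rg_scope):
    """Return a list of findings; an empty list means the stated posture holds."""
    findings = []
    props = vault.get("properties", {})
    for flag, label in VAULT_FLAGS.items():
        if props.get(flag) is not True:
            findings.append(f"vault: {label} not enabled")
    rg = managed_rg_scope.rstrip("/").lower()
    granted = set()
    for a in assignments:
        if a["principalId"] != principal_id:
            continue  # not the automation identity
        role, scope = a["roleDefinitionName"], a["scope"].rstrip("/").lower()
        if role not in EXPECTED_ROLES:
            findings.append(f"unexpected role: {role} at {a['scope']}")
        elif scope == rg or scope.startswith(rg + "/"):
            granted.add(role)  # at the managed RG or a resource inside it
        else:
            findings.append(f"role outside managed RG: {role} at {a['scope']}")
    findings += [f"missing role in managed RG: {r}" for r in sorted(EXPECTED_ROLES - granted)]
    return findings

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"   # placeholder
RG = SUB + "/resourceGroups/mrg-sslcerts-example"              # hypothetical name
SP = "11111111-1111-1111-1111-111111111111"                    # placeholder principal
GOOD_VAULT = {"properties": {"enableRbacAuthorization": True,
                             "enableSoftDelete": True,
                             "enablePurgeProtection": True}}
GOOD = [{"principalId": SP, "roleDefinitionName": "Key Vault Certificates Officer", "scope": RG},
        {"principalId": SP, "roleDefinitionName": "Storage Blob Data Contributor", "scope": RG}]
# Drifted state: purge protection unset, one role widened to subscription scope,
# and an extra role that can read secret (private key) material.
BAD_VAULT = {"properties": {"enableRbacAuthorization": True, "enableSoftDelete": True}}
BAD = [GOOD[0],
       {"principalId": SP, "roleDefinitionName": "Storage Blob Data Contributor", "scope": SUB},
       {"principalId": SP, "roleDefinitionName": "Key Vault Secrets User", "scope": RG}]

if __name__ == "__main__":
    print(audit(GOOD_VAULT, GOOD, SP, RG))
    for finding in audit(BAD_VAULT, BAD, SP, RG):
        print(finding)
```

Run periodically, a check like this catches drift such as a role assignment widened beyond the managed resource group.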
Get started
Contact 3SR to start organization vetting (provide KBIS and signatory information). After vetting completes (2-5 business days on the GlobalSign side), deploy this offer from the Azure portal, drop your CN list in the sslcerts container, and 3SR issues the certificates into your Key Vault.