Frequently Asked Questions
Common questions about CertifyClouds.
General
What is CertifyClouds?
CertifyClouds is an Azure Key Vault security platform that helps you:
- Discover all Key Vaults across your subscriptions
- Monitor secret expiration dates
- Automate secret rotation (PRO tier)
- Sync secrets to other clouds (PRO tier)
- Track compliance with security policies
How is it deployed?
CertifyClouds runs as a Docker container in your Azure environment. You control where it runs and what data it accesses. Nothing is hosted on our servers except the license validation endpoint.
What Azure permissions does it need?
- Reader role on subscriptions you want to scan
- Key Vault Secrets User (or equivalent) on Key Vaults for reading metadata
- Additional permissions for Automation features (see Azure Permissions)
Security & Privacy
Can you see my secrets?
No. CertifyClouds only reads secret metadata (names, expiration dates, enabled status). We never read or access the actual secret values.
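Added example (not CertifyClouds code): whether an identity can read secret values is decided by the data actions of the Azure role assigned to it, so the metadata-only behaviour described above can be checked against the role definitions granted to the CertifyClouds identity. The sample JSON is constructed in the shape of `az role definition list -o json` output, and the custom role name is hypothetical.

```python
import json
from fnmatch import fnmatchcase

# Data action that returns a secret's value (as opposed to its metadata).
GET_SECRET = "Microsoft.KeyVault/vaults/secrets/getSecret/action"

# Constructed sample shaped like `az role definition list -o json` (trimmed).
SAMPLE_ROLE_DEFINITIONS = json.loads("""
[
  {"roleName": "Key Vault Reader",
   "permissions": [{"dataActions": [
       "Microsoft.KeyVault/vaults/*/read",
       "Microsoft.KeyVault/vaults/secrets/readMetadata/action"],
     "notDataActions": []}]},
  {"roleName": "Key Vault Secrets User",
   "permissions": [{"dataActions": [
       "Microsoft.KeyVault/vaults/secrets/getSecret/action",
       "Microsoft.KeyVault/vaults/secrets/readMetadata/action"],
     "notDataActions": []}]},
  {"roleName": "Hypothetical Custom Metadata Role",
   "permissions": [{"dataActions": ["Microsoft.KeyVault/vaults/secrets/*"],
     "notDataActions": ["Microsoft.KeyVault/vaults/secrets/getSecret/action"]}]}
]
""")


def _matches(pattern, action):
    # Azure RBAC action strings are case-insensitive and may contain '*'.
    return fnmatchcase(action.lower(), pattern.lower())


def grants(role, action):
    """True if any permission block allows `action` and does not exclude it."""
    for perm in role.get("permissions", []):
        allowed = any(_matches(p, action) for p in perm.get("dataActions", []))
        denied = any(_matches(p, action) for p in perm.get("notDataActions", []))
        if allowed and not denied:
            return True
    return False


def roles_exposing_secret_values(role_definitions):
    """Names of roles whose data actions allow reading secret values."""
    return sorted(r["roleName"] for r in role_definitions if grants(r, GET_SECRET))


if __name__ == "__main__":
    for name in roles_exposing_secret_values(SAMPLE_ROLE_DEFINITIONS):
        print(f"{name}: can read secret values, not only metadata")
```

To run it against a real tenant, replace the sample with the role definitions actually assigned to the CertifyClouds principal.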
What data leaves my network?
Only two things:
- License validation: Your license key is validated against `license.certifyclouds.com`
- Update checks: Version info to check for updates (optional)
All your scan data, secrets metadata, and audit logs stay in your PostgreSQL database.
Is my data encrypted?
- In transit: All Azure API calls use TLS
- At rest: Data is stored in your PostgreSQL database; configure encryption there as needed
- License validation: Uses TLS to our servers
Can I run it air-gapped?
Yes, with limitations:
- Contact us for an offline license file
- Update checks will not work
- You'll need to manually download updates
Licensing
What license tiers are available?
| Tier | Features | Subscriptions |
|---|---|---|
| STARTER | Discovery + Compliance + Alerts | Max 4 |
| PRO | All features including Rotation + Sync | Unlimited |
Evaluation: Request a 30-day PRO license for evaluation.
How do I get a license?
- Contact sales@certifyclouds.com
- Choose your tier
- Receive your license key
- Add `CERTIFYCLOUDS_LICENSE_KEY=<your-key>` to your environment
What happens when my license expires?
After expiration:
- Access to the application is blocked
- Contact sales@certifyclouds.com to renew
What if the license server is unreachable?
CertifyClouds caches your validated license for 7 days. If our server is down, you can continue operating normally during this grace period.
Can I change tiers?
Yes. Contact support@certifyclouds.com with your new requirements. We'll issue an updated license key.
Features
What is Assets Discovery?
Discovery scans Azure Key Vaults:
- Discovers all Key Vaults across subscriptions
- Inventories all secrets, keys, and certificates
- Identifies expiration dates
- Tracks changes over time
What is Secret Rotation? (PRO)
Rotation automates App Registration secret rotation:
- Detects secrets approaching expiration
- Generates new secrets in Azure AD
- Updates linked Key Vault secrets
- Maintains audit trail
What is Multi-Cloud Sync? (PRO)
Sync provides multi-cloud disaster recovery:
- Azure → AWS Secrets Manager
- Azure → AWS Parameter Store
- Azure → GCP Secret Manager
- Scheduled or manual synchronization
What is Dependencies? (PRO)
Dependencies maps credential usage:
- Discovers Azure resources using Key Vault credentials
- Maps dependencies across 11+ resource types
- Analyzes blast radius before rotation
- Performs coordinated full-stack rotation
What compliance checks are included?
- CIS Azure Key Vault Benchmark
- SOC 2 Type II
- ISO 27001
- NIST 800-53 Rev. 5
- Azure Security Benchmark v3
- Custom rules (PRO)
Can I export reports?
Yes, compliance reports support:
- JSON export for automation
- CSV export for spreadsheets
- PDF export for documentation
Troubleshooting
"Failed to authenticate with Azure"
- Verify Managed Identity is enabled on your VM/container
- Check Reader role is assigned on subscriptions
- Ensure network access to Azure Resource Manager
- Try `az login` manually to test credentials
"Cannot access Key Vault"
- Run the setup script: `./setup-certifyclouds-access.sh --principal-id <id>`
- Check if Key Vault has firewall rules - add your IP/subnet
- Verify RBAC vs Access Policy configuration
"License validation failed"
- Check `CERTIFYCLOUDS_LICENSE_KEY` is set correctly
- Verify network access to `license.certifyclouds.com`
- Check if license has expired
- Contact support@certifyclouds.com
Scans are slow
- Check container resources (CPU/memory)
- Reduce concurrent workers if hitting rate limits
- Consider scanning fewer subscriptions
- Review Azure API throttling
How do I reset my admin password?
If locked out, use the built-in admin reset tool:
You'll be prompted to enter a new temporary password. Then log in and change your password in Settings → Users.
Security
Change the temporary password immediately after logging in. The reset tool logs the action to the audit trail.
Support
How do I get support?
- Email: support@certifyclouds.com
Response times:
- STARTER: Business hours (24-48 hour response)
- PRO: Priority support (4-8 hour response)
How do I report a bug?
Email support@certifyclouds.com with:
- Your license tier
- CertifyClouds version (`/health` endpoint)
- Steps to reproduce
- Relevant log output
- Expected vs actual behavior
How do I request a feature?
Email feedback@certifyclouds.com. We prioritize based on customer demand and roadmap alignment.
Upgrades
How do I upgrade CertifyClouds?
```bash
# Import new version to ACR
az acr import --name YOUR_ACR \
  --source docker.io/certifyclouds/certifyclouds:v3.1.0 \
  --image certifyclouds:v3.1.0

# Update container
az containerapp update \
  --name cc-uks-prd \
  --resource-group rg-cc-uks-prd \
  --image YOUR_ACR.azurecr.io/certifyclouds:v3.1.0
```
Are upgrades automatic?
No. Upgrades are manual so that you stay in control of them. We recommend:
- Testing upgrades in non-production first
- Reading release notes before upgrading
- Taking database backups before major upgrades
Still have questions?
Contact us at support@certifyclouds.com and we'll be happy to help!