Thankfully it is very easy to import pre-existing self-signed certificates into KeyVault. But... what if you don't have a pre-existing self-signed certificate?
It is possible to have KeyVault generate the new self-signed certificate for you inside of your KeyVault. One and done. No import. No messy certificate residue left behind at your admin console.
The trick to getting KeyVault to do this for you is to use "Self" as the issuer name in your policy file.
Here is a simple example of how to generate the self-signed certificate using the Azure CLI:
azure keyvault certificate policy create --issuer-name Self --subject-name "CN=www.contoso.com" --file policy.json --validity-in-months 12 azure keyvault certificate create --vault-name mykeyvault --certificate-name mycert --certificate-policy-file policy.json
Here is an example of how to do it using Powershell (as found in the Quick Start document below):
$policy = New-AzureKeyVaultCertificatePolicy -SubjectName "CN=www.contoso.com" -IssuerName Self -ValidityInMonths 12 Add-AzureKeyVaultCertificate -VaultName $vaultName -Name $certificateName -CertificatePolicy $policy
If you want to dive deeper, or if what you really want is a full fledged SSL certificate created in similar fashion, here is some more documentation: