Question
Monday, January 2, 2017 3:19 PM
Hi, I generated a certificate for one of my web apps entirely from Azure.
I've read in the FAQ that it's not possible to share a certificate between different subscriptions, but what about extracting/exporting the PFX file from the Key Vault?
If it's not possible, is it for security reasons, or just because the functionality is not implemented yet (in which case, do you have an ETA)?
Best regards
Cyril
All replies (15)
Thursday, January 5, 2017 12:50 PM ✅Answered | 1 vote
OK, I think I'm starting to get a better grasp of how all this works.
So if you've generated a certificate through "App Service Certificate", it will not be visible in the Azure Key Vault. But the secret value will be stored in the vault (Key Vault -> Secrets -> CurrentVersion -> Show secret value).
From this value you can generate the certificate.
Here is the script I used to get the PFX (you can then retrieve the private key and certificate with openssl):
# Paste the secret value shown in the portal (Key Vault -> Secrets -> CurrentVersion -> Show secret value)
$secretValueText = "MIIVTdIBA...EHAaCCFQAEghT8MIIU+....."
# The secret value is a base64-encoded PKCS#12 blob
$kvSecretBytes = [System.Convert]::FromBase64String($secretValueText)
$certCollection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
# Import with the Exportable flag so the private key can be exported again below
$certCollection.Import($kvSecretBytes,$null,[System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
# Password that will protect the PFX written to disk
$password = 'YourPwd'
$protectedCertificateBytes = $certCollection.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $password)
$pfxPath = "C:\SomePath\MyCert.pfx"
[System.IO.File]::WriteAllBytes($pfxPath, $protectedCertificateBytes)
Monday, January 2, 2017 5:46 PM
Hi Cyril,
The "Retrieve pfx file & add password back" section in the linked article shows how an application can pull the PFX of the certificate to the machine where it is going to consume the certificate. Let me know if this is what you were looking for.
Please mark posts as answers/helpful if it answers your query. This would be helpful for others facing the same kind of problem
Tuesday, January 3, 2017 2:08 PM
Hi, thanks for answering.
I did try the whole export part of this article.
In particular:
X509Certificate2Collection.Export
to retrieve the PFX file. But I only retrieve an almost empty PFX file (80 bytes) vs. almost 3 KB for a regular PFX file.
The one thing I do not manage to do from this article is to get a listing of certificates:
Get-AzureKeyVaultCertificate
I get this error: "Get-AzureKeyVaultCertificate : Operation "list" is not allowed by vault policy"
Of course I did check the rights, and it's allowed (get, list, update, create ...)
Tuesday, January 3, 2017 11:17 PM
Hey Cyril,
Can you check whether the access policies are set correctly on the vault? Get-AzureKeyVaultCertificate should work if the policies are set correctly. More details on this in this thread.
Please mark posts as answers/helpful if it answers your query. This would be helpful for others facing the same kind of problem
Wednesday, January 4, 2017 9:57 AM
Hi, thanks again for your time!
I think I'm starting to get somewhere. I read the thread you mentioned and assigned rights through the command line, which worked better. (Strange thing: I don't see any rights management for certificates in the Azure portal, only for keys and secrets.)
Now I'm not getting any error message when calling Get-AzureKeyVaultCertificate, but I'm not getting any data either.
I still tried to retrieve the PFX file, and I'm still retrieving the wrong file.
Wednesday, January 4, 2017 5:00 PM
One more thing where I may not have been clear enough: the certificate was made through App Service Certificate. But I didn't see any forum on this in particular.
Wednesday, January 4, 2017 5:16 PM
Hi Cyril,
AFAIK, the Azure portal currently supports only keys and secrets. Could you give more details on how you created the certificate in the vault? If Get-AzureKeyVaultCertificate is not returning anything, it means there are no certificates in your vault. Can you create a new certificate as mentioned in the article?
Please mark posts as answers/helpful if it answers your query. This would be helpful for others facing the same kind of problem
Thursday, January 5, 2017 9:06 AM
The certificate was generated through the "App Service Certificate" and then was stored (I think) in the Azure Key Vault. This whole process is almost transparent for the end user (me) when trying to create a certificate with Azure.
Monday, February 20, 2017 10:10 PM
When I try to do the $certCollection.Import... I'm getting this error. Has anyone else had the same problem?
Exception calling "Import" with "3" argument(s): "Cannot find the requested object."
At line:1 char:1
+ $certCollection.Import($kvSecretBytes,$null,[System.Security.Cryptogr ...
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : CryptographicException
Friday, May 12, 2017 7:21 PM
I get the same exception. Have you figured out how to get past this error?
Wednesday, May 24, 2017 9:03 PM
I get the same exception. Have you figured out how to get past this error?
Did you fix it?
Friday, July 7, 2017 10:15 PM
I also get this exact error. Anyone figured out what is wrong?
Wednesday, July 19, 2017 9:24 PM
When I try to do the $certCollection.Import... I'm getting this error. Has anyone else had the same problem?
Exception calling "Import" with "3" argument(s): "Cannot find the requested object."
At line:1 char:1
+ $certCollection.Import($kvSecretBytes,$null,[System.Security.Cryptogr ...
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : CryptographicException
Change the code like this and you are good to go!
# $vaultName and $certificateName must already be set; for an App Service Certificate the secret has the certificate's name
$kvSecret = Get-AzureKeyVaultSecret -VaultName $vaultName -Name $certificateName
# The secret value is base64 of a JSON envelope, not of the PFX itself
$kvSecretJson = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($kvSecret.SecretValueText))
$jsonCert = ConvertFrom-Json($kvSecretJson)
# The envelope carries the base64 PFX in "data" and the password protecting it in "password"
$certBytes = [System.Convert]::FromBase64String($jsonCert.data)
$certCollection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$certCollection.Import($certBytes,$jsonCert.password,[System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
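The two scripts in this thread (the accepted answer, which treats the secret as a bare base64 PFX, and the July 19 fix, which unwraps the JSON envelope an App Service Certificate is stored in) are combined below into one function. This is an added example, not code from any post above or from Microsoft. It assumes the same AzureRM Key Vault cmdlets the thread uses, an already signed-in session, and a caller holding "get" on secrets in the vault's access policy; Export-AppServiceCertificatePfx, the placeholder vault, secret and path names, and the 0x30 sniff used to tell a DER PKCS#12 blob from the JSON envelope are all this example's own choices. It also refuses to write the tiny, key-less PFX reported earlier in the thread.

```powershell
# Added example (not from the original thread): export the PFX behind an App Service
# Certificate that Azure stored in Key Vault, accepting either secret shape seen above.
function Export-AppServiceCertificatePfx {
    param(
        [Parameter(Mandatory)][string]$VaultName,
        # For an App Service Certificate the secret carries the certificate's name.
        [Parameter(Mandatory)][string]$SecretName,
        [Parameter(Mandatory)][string]$PfxPath,
        # Password that will protect the PFX written to disk.
        [Parameter(Mandatory)][SecureString]$PfxPassword
    )

    $kvSecret = Get-AzureKeyVaultSecret -VaultName $VaultName -Name $SecretName
    if (-not $kvSecret) {
        throw "Secret '$SecretName' not found in vault '$VaultName' (check the 'secrets get' access policy)."
    }
    # SecretValue is a SecureString; convert it in memory instead of relying on
    # SecretValueText, which not every module version populates.
    $secretText = [System.Net.NetworkCredential]::new('', $kvSecret.SecretValue).Password
    $rawBytes   = [System.Convert]::FromBase64String($secretText)

    # Two secret shapes turn up in this thread:
    #  a) a base64 PKCS#12 blob: decodes to DER, whose first byte is the SEQUENCE tag 0x30;
    #  b) an App Service Certificate envelope: JSON like {"data":"<base64 pfx>","password":"..."},
    #     which is why a plain Import() of the decoded bytes fails with "Cannot find the requested object".
    if ($rawBytes[0] -eq 0x30) {
        $pfxBytes      = $rawBytes
        $innerPassword = $null
    } else {
        $envelope = [System.Text.Encoding]::UTF8.GetString($rawBytes) | ConvertFrom-Json
        if (-not $envelope.data) { throw "Secret is neither a PFX nor a {data,password} envelope." }
        $pfxBytes      = [System.Convert]::FromBase64String($envelope.data)
        $innerPassword = $envelope.password
    }

    $flags      = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
    $collection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $collection.Import($pfxBytes, $innerPassword, $flags)

    # An 80-byte "PFX" (as reported above) is what Export() yields when nothing with an
    # exportable private key was imported; refuse to write such a file.
    $withKey = @($collection | Where-Object { $_.HasPrivateKey })
    if ($withKey.Count -eq 0) { throw "No certificate with an exportable private key was imported." }

    $plain  = [System.Net.NetworkCredential]::new('', $PfxPassword).Password
    $pfxOut = $collection.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $plain)
    [System.IO.File]::WriteAllBytes($PfxPath, $pfxOut)

    # The file now holds the private key: keep it only on the host that will use it.
    [pscustomobject]@{
        Subject    = $withKey[0].Subject
        Thumbprint = $withKey[0].Thumbprint
        NotAfter   = $withKey[0].NotAfter
        Path       = $PfxPath
        Bytes      = $pfxOut.Length
    }
}

# Usage with placeholder names:
# $pw = Read-Host -AsSecureString 'PFX password'
# Export-AppServiceCertificatePfx -VaultName 'my-vault' -SecretName 'my-asc-cert' -PfxPath 'C:\temp\MyCert.pfx' -PfxPassword $pw
# Then split it with OpenSSL:
#   openssl pkcs12 -in C:\temp\MyCert.pfx -nocerts -nodes -out key.pem
#   openssl pkcs12 -in C:\temp\MyCert.pfx -clcerts -nokeys -out cert.pem
```

Two things worth keeping in mind when using it. First, the reason this works at all is that the App Service Certificate's private key sits in the vault as a secret, so the effective control is the "secrets get" permission, not the certificate permissions; grant it to as few principals as possible and audit reads of that secret. Second, the exported file is a credential in its own right: write it to a location only the consuming service can read, and delete it once the key has been installed.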
Friday, July 21, 2017 5:13 PM
I also get this exact error. Anyone figured out what is wrong?
Thursday, June 21, 2018 2:13 PM
I am facing the same issue: $kvSecret.SecretValueText is not getting any value.
Any idea on this?