Using a client certificate from a key vault to access a REST API

  • Question

  • I am using Get Secret to get the certificate from the key vault, then I try to use the HTTP request to call the API.  What I am failing to understand is what to fill in the fields with on the HTTP request; it is asking for a PFX and the password.  I assume the PFX is the value returned from Get Secret.  What is the password then?


    Thursday, September 5, 2019 11:11 PM

All replies

  • The HTTP action requires the PFX as base64-encoded content and the corresponding password as a string. For that you would need both the base64-encoded PFX file and its password stored in separate secrets, which you would have to fetch and use.

    Usually, if you were to generate a PFX using openssl, for example, you are prompted for a password. The same has to be used here as well.

    Friday, September 6, 2019 8:10 AM
  • Hmm, in this case I only have the cert as a secret, as no PFX was generated.  We pulled the cert directly from the SSL authority into the key vault using PowerShell.  No password, so this is going to be interesting.
    Friday, September 6, 2019 5:30 PM
  • Property   Required   Value                            Description

    type       Yes        "ClientCertificate"              The authentication type to use for Secure Sockets Layer (SSL) client certificates. While self-signed certificates are supported, self-signed certificates for SSL aren't supported.

    pfx        Yes        "@parameters('pfxParam')"        The base64-encoded content from a Personal Information Exchange (PFX) file

    password   Yes        "@parameters('passwordParam')"   The password for accessing the PFX file

    So I get that this is required now, so I am unsure how this would work with Key Vault, where you have a certificate called "FOO" that you loaded into the key vault.  Do you use Get Secret to get "FOO" and use the value from that for the PFX, and then make a new key vault secret named "BAR" that is "somehow" the password for "FOO" and use the value returned there in the password?  

    Friday, September 6, 2019 11:10 PM
  • Any thoughts on getting around this using only the value returned from Key Vault?

    Monday, September 9, 2019 9:39 PM
  • You would still need the certificate and private key anyway. So, you could just create a PFX and store its base64-encoded content as a secret, with the password used to create it as a separate secret.

    You can create a PFX using the openssl CLI as mentioned here.

    For reference, here is the command:

    openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt

    Wednesday, September 11, 2019 12:52 PM
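As an added example (not from this thread or from Microsoft), the following POSIX shell script carries out the procedure the replies describe end to end: it exports a password-protected PFX with the openssl command from the last reply, base64-encodes the file for storage as one Key Vault secret with the export password as a second secret, checks that the encoded blob actually opens with that password before anything is stored, and writes the HTTP action fragment that reads both secrets back via the Key Vault connector. The self-signed key/cert, the password, the secret names and the Logic App action names (Get_PFX_secret, Get_PFX_password_secret) are constructed for the demo; the az commands are shown as comments and not run.

```shell
#!/bin/sh
# Added example: build, encode and verify a PFX for the Logic Apps HTTP action
# ClientCertificate authentication. Assumes openssl on PATH. Secret names and
# Logic App action names below are hypothetical.
set -eu

WORK="${TMPDIR:-/tmp}/pfx-demo.$$"
mkdir -p "$WORK"

# Constructed test material: a throwaway self-signed key/cert standing in for
# the private key and CA-issued certificate the poster already has.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=pfx-demo" \
        -keyout "$WORK/privateKey.key" -out "$WORK/certificate.crt" 2>/dev/null
}

# The thread's openssl command, plus -passout so the export password comes
# from a variable instead of an interactive prompt. This password is the
# value for the HTTP action's "password" field.
make_pfx() {   # $1 = export password
    openssl pkcs12 -export -out "$WORK/certificate.pfx" \
        -inkey "$WORK/privateKey.key" -in "$WORK/certificate.crt" \
        -passout "pass:$1"
}

# Value for the HTTP action's "pfx" field: the raw PFX bytes, base64, on one
# line (-A), which is what you store in Key Vault.
pfx_base64() {
    openssl base64 -A -in "$WORK/certificate.pfx"
}

# Check before storing anything: decode the blob and open it with the
# password. Exit status 0 means the pair is usable; a wrong or missing
# password fails here rather than at workflow run time.
verify_pfx_base64() {   # $1 = base64 blob, $2 = password
    printf '%s' "$1" | openssl base64 -d -A > "$WORK/roundtrip.pfx"
    openssl pkcs12 -in "$WORK/roundtrip.pfx" -noout -passin "pass:$2" 2>/dev/null
}

# HTTP action fragment that consumes the two secrets. Get_PFX_secret and
# Get_PFX_password_secret are assumed to be Key Vault connector "Get secret"
# actions; their "value" output is the secret. secureData keeps the PFX and
# password out of the run history inputs.
write_http_action() {   # $1 = output file
    cat > "$1" <<'EOF'
{
  "type": "Http",
  "inputs": {
    "method": "GET",
    "uri": "https://api.example.invalid/resource",
    "authentication": {
      "type": "ClientCertificate",
      "pfx": "@body('Get_PFX_secret')?['value']",
      "password": "@body('Get_PFX_password_secret')?['value']"
    }
  },
  "runAfter": { "Get_PFX_password_secret": [ "Succeeded" ] },
  "runtimeConfiguration": { "secureData": { "properties": [ "inputs" ] } }
}
EOF
}

demo() {
    PFX_PASSWORD='demo-export-password'   # constructed; generate a real one
    make_test_cert
    make_pfx "$PFX_PASSWORD"
    BLOB="$(pfx_base64)"
    verify_pfx_base64 "$BLOB" "$PFX_PASSWORD" && echo "PFX round-trips with password"
    write_http_action "$WORK/http-action.json"
    echo "HTTP action fragment written to $WORK/http-action.json"
    # Store the two values as separate secrets (shown, not run here):
    #   az keyvault secret set --vault-name "$VAULT" --name pfx-secret   --value "$BLOB"
    #   az keyvault secret set --vault-name "$VAULT" --name pfx-password --value "$PFX_PASSWORD"
}

demo
```

Two caveats when using this for real: with OpenSSL 3 the default PKCS#12 encryption is AES-256-CBC, and some older Windows-based consumers only accept the older RC2/3DES layout, so if the service rejects the file re-export with the OpenSSL 3 `-legacy` option; and because the base64 blob and the password both pass through the workflow as action inputs, keep the secureData setting so they are not shown in run history.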