Export pfx from key vault no password requested

  • Question

  • Good morning all,

    I am trying to bind an SSL certificate that I purchased through my Azure account. I have done the following for my web app:

    1. created custom domain
    2. verified custom domain
    3. custom domain works with http and https however receive not secure message
    4. purchased ssl
    5. export cert pfx through key vault
    6. export does not ask to set a password
    7. click add binding to custom domain
    8. browse for pfx and select correct exported file
    9. requires password which I do not have because it did not ask me to set one.

    So this is where I sit, and I'm not sure exactly how to get to the next step so that I can actually bind my custom domain name with my SSL certificate. I thought it would be easier to purchase the SSL certificate through Azure.

    Thanks!

    Saturday, November 2, 2019 12:29 PM

Answers

  • In case the certificate is present in Azure Key Vault, a typical scenario is that the application needs to pull the PFX of the certificate to the machine where it is going to consume the certificate. Here is an example of how an application can retrieve the PFX from Azure Key Vault to consume it.

    # The vault and the secret that holds the certificate. For a certificate created in
    # Key Vault the secret has the same name as the certificate, and its value is the
    # base64-encoded PFX. Key Vault does not set a password on that PFX.
    $vaultName = "<vault_name>"
    $certificateName = "TestCert"
    $kvSecret = Get-AzureKeyVaultSecret -VaultName $vaultName -Name $certificateName
    $kvSecretBytes = [System.Convert]::FromBase64String($kvSecret.SecretValueText)
    # Import with an empty password; Exportable lets us write the key back out below.
    $certCollection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $certCollection.Import($kvSecretBytes, $null, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)

    If the certificate file needs to be stored on the hard disk, then it is good practice to encrypt it with a password.

    # Re-export the collection as a PKCS#12 file protected with a password of your choosing
    $password = '******'
    $protectedCertificateBytes = $certCollection.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $password)
    $pfxPath = [Environment]::GetFolderPath("Desktop") + "\MyCert.pfx"
    [System.IO.File]::WriteAllBytes($pfxPath, $protectedCertificateBytes)

    Get public portion of Certificate from Certificates Endpoint

    Type the following to retrieve the certificate, i.e. the public portion, and store it in a file with a *.cer extension.

    # The certificates endpoint returns only the public certificate, never the private key
    $cert = Get-AzureKeyVaultCertificate -VaultName $vaultName -Name $certificateName
    $filePath = [Environment]::GetFolderPath("Desktop") + "\MyCert.cer"
    $certBytes = $cert.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($filePath, $certBytes)

    Hope this helps. In case there are any more queries around this, please feel free to update us so that we can help you better.

    ---------------------------------------------------------------------------------------------------------------------------------------

    Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!

    Wednesday, November 6, 2019 6:01 AM
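The same procedure end to end with the Az module, as an added example that is not code from the original thread: pull the PFX secret out of Key Vault, re-wrap it with a randomly generated password, bind it to the web app with New-AzWebAppSSLBinding, verify the binding and remove the temporary file. It assumes the Az.Accounts, Az.KeyVault and Az.Websites modules are installed and that the signed-in account has the Key Vault "get" permission on secrets; the vault, secret, app, resource group and host name values are placeholders to replace.

```powershell
# Added example, not code from the original thread. Assumes the Az module
# (Az.Accounts, Az.KeyVault, Az.Websites) and that the signed-in account has
# "get" permission on secrets in the vault. Every value below is a placeholder.
$vaultName         = "<vault_name>"
$secretName        = "<key_vault_secret_name>"   # the secret backing the certificate
$webAppName        = "<app_name>"
$resourceGroupName = "<resource_group_name>"
$hostName          = "<dns_name>"                # e.g. www.contoso.com

Connect-AzAccount | Out-Null

# 1. Key Vault holds the certificate as a secret whose value is the base64-encoded
#    PFX. That PFX carries no password, which is why the portal export never asked
#    for one. Az returns SecretValue as a SecureString; unwrap it and free the
#    unmanaged copy as soon as the bytes have been decoded.
#    (Az.KeyVault 3.x and later also accept -AsPlainText and return the string directly.)
$secret = Get-AzKeyVaultSecret -VaultName $vaultName -Name $secretName
if (-not $secret) { throw "Secret '$secretName' not found in vault '$vaultName'" }
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secret.SecretValue)
try     { $pfxBytes = [Convert]::FromBase64String([Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

# 2. Load it with an empty password and mark the key exportable so it can be re-wrapped.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
$cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxBytes, "", $flags)
if (-not $cert.HasPrivateKey) { throw "Secret '$secretName' does not contain a private key" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)" }
Write-Host "Loaded $($cert.Subject) (thumbprint $($cert.Thumbprint), valid until $($cert.NotAfter))"

# 3. Generate a throw-away password from the OS CSPRNG and write a protected PFX to
#    a temp file. The password lives only in this session and is never printed.
$buf = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
$pfxPassword = [Convert]::ToBase64String($buf)
$pkcs12      = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12
$pfxPath     = Join-Path ([IO.Path]::GetTempPath()) "$($cert.Thumbprint).pfx"
[IO.File]::WriteAllBytes($pfxPath, $cert.Export($pkcs12, $pfxPassword))

try {
    # 4. Upload the protected PFX and create the SNI binding for the custom domain.
    New-AzWebAppSSLBinding -WebAppName $webAppName -ResourceGroupName $resourceGroupName `
        -Name $hostName -CertificateFilePath $pfxPath -CertificatePassword $pfxPassword `
        -SslState SniEnabled | Out-Null

    # 5. Confirm the binding refers to the thumbprint that was just loaded.
    $binding = Get-AzWebAppSSLBinding -WebAppName $webAppName -ResourceGroupName $resourceGroupName -Name $hostName
    if ($binding.Thumbprint -ne $cert.Thumbprint) {
        throw "Binding for $hostName has thumbprint $($binding.Thumbprint), expected $($cert.Thumbprint)"
    }
    Write-Host "Bound $hostName to $($cert.Thumbprint) (SslState $($binding.SslState))"
}
finally {
    # 6. The file only existed for the upload; remove it so no PFX lingers on disk.
    Remove-Item -Path $pfxPath -Force -ErrorAction SilentlyContinue
}
```

The password is only ever needed by New-AzWebAppSSLBinding, so the script generates it, uses it and lets it die with the session instead of prompting for one or writing it anywhere; the unprotected PFX bytes exist only in memory, and the password-protected copy on disk is deleted whether or not the binding succeeds.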

All replies

  • I was pointed in the direction to do the following; however, I am not sure where I need to find the PFX location. It is currently in the key vault, so I don't know what location that would be for the following command:

    New-AzWebAppSSLBinding `
        -WebAppName <app_name> `
        -ResourceGroupName <resource_group_name> `
        -Name <dns_name> `
        -CertificateFilePath <path_to_PFX_file> `
        -CertificatePassword <PFX_password> `
        -SslState SniEnabled

    Sunday, November 3, 2019 4:10 PM
  • IslandFP, ideally when you create a certificate request, a pair of public and private keys gets generated on that machine. The private key resides on the machine and the public key is sent to the Certificate Authority to get signed. Once the public key is signed and sent back, it usually has to be installed on the same machine where the certificate request was generated, so that it can bind up automatically with the private key residing on that same machine. Once that binding happens, you can export that certificate in .pfx format and protect the private key using a password, which you provide while exporting the certificate with the private key.


    Monday, November 4, 2019 8:34 AM
  • What's the difference between:

    Get-AzKeyVaultCertificate 

    Get-AzureKeyVaultCertificate

    Shouldn't we be using the Az module for this?

    Tuesday, November 5, 2019 11:07 PM
  • I ended up doing the following and was able to export and get the password:

    $appServiceCertificateName = ""
    $resourceGroupName = ""
    $azureLoginEmailId = ""
    $subscriptionId = ""

    Login-AzureRmAccount
    Set-AzureRmContext -SubscriptionId $subscriptionId

    # Look up the App Service Certificate order to find which Key Vault and secret hold the PFX
    $ascResource = Get-AzureRmResource -ResourceName $appServiceCertificateName -ResourceGroupName $resourceGroupName -ResourceType "Microsoft.CertificateRegistration/certificateOrders" -ApiVersion "2015-08-01"
    $keyVaultId = ""
    $keyVaultSecretName = ""
    $certificateProperties = Get-Member -InputObject $ascResource.Properties.certificates[0] -MemberType NoteProperty
    $certificateName = $certificateProperties[0].Name
    $keyVaultId = $ascResource.Properties.certificates[0].$certificateName.KeyVaultId
    $keyVaultSecretName = $ascResource.Properties.certificates[0].$certificateName.KeyVaultSecretName
    $keyVaultIdParts = $keyVaultId.Split("/")
    $keyVaultName = $keyVaultIdParts[$keyVaultIdParts.Length - 1]
    $keyVaultResourceGroupName = $keyVaultIdParts[$keyVaultIdParts.Length - 5]

    # Grant the signed-in user "get" on secrets, then read the password-less PFX out of the vault
    Set-AzureRmKeyVaultAccessPolicy -ResourceGroupName $keyVaultResourceGroupName -VaultName $keyVaultName -UserPrincipalName $azureLoginEmailId -PermissionsToSecrets get
    $secret = Get-AzureKeyVaultSecret -VaultName $keyVaultName -Name $keyVaultSecretName
    $pfxCertObject = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @([Convert]::FromBase64String($secret.SecretValueText), "", [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)

    # Generate a 50-character random password and re-export the PFX protected with it
    $pfxPassword = -join ((65..90) + (97..122) + (48..57) | Get-Random -Count 50 | % {[char]$_})
    $currentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
    [Environment]::CurrentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
    [io.file]::WriteAllBytes(".\appservicecertificate.pfx", $pfxCertObject.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $pfxPassword))
    Write-Host "Created an App Service Certificate copy at: $currentDirectory\appservicecertificate.pfx"
    Write-Warning "For security reasons, do not store the PFX password. Use it directly from the console as required."
    Write-Host "PFX password: $pfxPassword"

    Wednesday, November 6, 2019 12:46 AM
  • Hello Gavin G Stevens,

    Yes, you can use the Az Powershell module too. I just had this ready and hence shared the same.

    Wednesday, November 6, 2019 6:00 AM
  • Hey IslandFP,

    I'm following up on this issue. Can you please mark one of the responses as answered if we were able to answer your question? If not, please let us know any additional information you were able to get and let us know that you still need help. We may need to escalate this to support for more help on this issue.

    Thanks,

    - Frank Hu

    Wednesday, November 13, 2019 11:33 PM
  • I'm following up on this again; please remember to mark one of the responses as answer if your question has been answered. If not, please let us know if there are any more questions. Also please remember to post future questions on the new Q&A Forums here: https://docs.microsoft.com/answers/index.html Thanks

    Tuesday, November 26, 2019 7:39 PM
  • I'm following up on this; please let us know if there are any more questions. As it looks like this issue has been resolved within the scope of the MSDN thread question, I will be marking the response as answer. Please let me know if your question has not been answered, and I can go ahead and unmark it as answer, or feel free to mark it as unanswered yourself. Also please remember to post future questions on the new Q&A Forums here: https://docs.microsoft.com/answers/index.html Thanks
    Wednesday, December 11, 2019 6:55 PM