How to retrieve a PFX file from a Key Vault

  • Question

  • Hi, I generated a certificate entirely from Azure for one of your web apps.

    I've read in the FAQ that it's not possible to share a certificate between different subscriptions, but what about extracting/exporting the PFX file from the Key Vault?

    If it's not possible, is it for security reasons or just because the functionality is not implemented yet (in which case, do you have an ETA)?

    Best regards

    Cyril

    Monday, January 2, 2017 3:19 PM

Answers

  • Ok I think I'm starting to have a better grasp of how all this work.

    So if you've generated a certificate through "App Service Certificate", it will not be visible in Azure Key Vault. But the secret value will be stored in the vault (Key Vault -> Secrets -> Current Version -> Show secret value).

    From this value you can generate the certificate.

    Here is the script I used to get the PFX (you can then use openssl to retrieve the private key and certificate):

    # Paste the secret value shown in the portal (Key Vault -> Secrets -> Show secret value)
    $secretValueText = "MIIVTdIBA...EHAaCCFQAEghT8MIIU+....."

    # The secret value is the base64-encoded PFX; decode it and load it with an exportable key
    $kvSecretBytes = [System.Convert]::FromBase64String($secretValueText)
    $certCollection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $certCollection.Import($kvSecretBytes, $null, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
    # Re-export as a password-protected PKCS#12 (PFX) file and write it to disk
    $password = 'YourPwd'
    $protectedCertificateBytes = $certCollection.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $password)
    $pfxPath = "C:\SomePath\MyCert.pfx"
    [System.IO.File]::WriteAllBytes($pfxPath, $protectedCertificateBytes)

    • Marked as answer by Cyril Solog Thursday, January 5, 2017 1:12 PM
    Thursday, January 5, 2017 12:50 PM

All replies

  • Hi Cyril,

    The "Retrieve pfx file & add password back" section in the linked article shows how an application can pull the PFX of the certificate to the machine where it is going to consume the certificate. Let me know if this is what you were looking for.


    Please mark posts as answers/helpful if they answer your query. This would be helpful for others facing the same kind of problem.

    Monday, January 2, 2017 5:46 PM
  • Hi thanks for answering,

    I tried all the export steps in this article.

    In particular:

    X509Certificate2Collection.Export

    to retrieve the PFX file. But I only retrieve an almost empty PFX file (80 bytes) vs almost 3 KB for a regular PFX file.

    The one thing I don't manage to do from this article is to get a listing of certificates:

    Get-AzureKeyVaultCertificate

    I get this error: "Get-AzureKeyVaultCertificate : Operation "list" is not allowed by vault policy"

    Of course I checked the rights and it's allowed (get, list, update, create, ...).

    Tuesday, January 3, 2017 2:08 PM
  • Hey Cyril,

    Can you check if the access policies are set correctly on the vault? Get-AzureKeyVaultCertificate should work if the policies are set correctly. More details on this in this thread.



    Tuesday, January 3, 2017 11:17 PM
  • Hi, thanks again for your time!

    I think I'm starting to get somewhere. I read the thread you mentioned and assigned rights through the command line, which worked better. (Strange thing: I don't see any rights management for certificates in the Azure portal, only for keys and secrets.)

    Now I'm not getting any error message when calling Get-AzureKeyVaultCertificate, but I'm not getting any data either.

    I still tried to retrieve the PFX file and I'm still retrieving the wrong file.

    Wednesday, January 4, 2017 9:57 AM
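The "Operation "list" is not allowed by vault policy" error above comes from the certificate permission list, which is separate from the key and secret lists and, at the time of this thread, was not exposed in the portal. As an added example (not part of any post in this thread), this is the command-line grant using the AzureRM management cmdlet of that era; the vault name and user principal name are placeholder assumptions.

```powershell
# Added example, not from the thread. Assumes the AzureRM module (Set-AzureRmKeyVaultAccessPolicy,
# Get-AzureRmKeyVault) and an already signed-in session. Placeholders below are hypothetical.
$vaultName = 'my-vault'
$upn       = 'user@example.com'

# Certificates are a third permission list, distinct from keys and secrets. Grant only what the
# task needs: get/list on certificates to enumerate them, get on secrets to read the PFX payload
# that App Service Certificate stores as a secret.
Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -UserPrincipalName $upn `
    -PermissionsToCertificates get,list `
    -PermissionsToSecrets get

# Verify the data-plane call that failed in the thread now succeeds (an empty result with no
# error means the policy is fine and the vault simply holds no certificate objects).
Get-AzureKeyVaultCertificate -VaultName $vaultName

# And inspect the resulting policy entries on the vault.
(Get-AzureRmKeyVault -VaultName $vaultName).AccessPolicies | Format-List DisplayName, PermissionsTo*
```

Keep the grant to the principal that actually needs to read the certificate: anyone with `get` on the secret can recover the private key, so this is effectively private-key access, not read-only metadata access.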
  • One more thing where I may not have been clear enough is that the certificate was made through App Service Certificate. But I didn't see any forum on this particularly.
    Wednesday, January 4, 2017 5:00 PM
  • Hi Cyril,

    AFAIK, the Azure portal currently supports only keys and secrets. Could you give more details on how you created the certificate in the vault? If Get-AzureKeyVaultCertificate is not returning anything, it means there are no certificates in your vault. Can you create a new certificate as mentioned in the article?



    Wednesday, January 4, 2017 5:16 PM
  • The certificate was generated through "App Service Certificate" and then was stored (I think) in Azure Key Vault. This whole process is almost transparent for the end user (me) when creating a certificate with Azure.
    Thursday, January 5, 2017 9:06 AM
  • When I try to do the $certCollection.Import... I'm getting this error. Has anyone else had the same problem?

    Exception calling "Import" with "3" argument(s): "Cannot find the requested object.
    "
    At line:1 char:1
    + $certCollection.Import($kvSecretBytes,$null,[System.Security.Cryptogr ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
        + FullyQualifiedErrorId : CryptographicException


    Monday, February 20, 2017 10:10 PM
  • I get the same exception.  Have you figured out how to get past this error?
    Friday, May 12, 2017 7:21 PM
  • I get the same exception.  Have you figured out how to get past this error?
    Did you fix it?
    Wednesday, May 24, 2017 9:03 PM
  • I also get this exact error. Anyone figured out what is wrong?

    Friday, July 7, 2017 10:15 PM
  • Change the code like this and you are good to go!

        $kvSecret = Get-AzureKeyVaultSecret -VaultName $vaultName -Name $certificateName
        # For an App Service Certificate the secret value is base64 of a JSON document, not a raw PFX
        $kvSecretJson = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($kvSecret.SecretValueText))
        $jsonCert = ConvertFrom-Json $kvSecretJson
        # "data" holds the base64-encoded PFX and "password" the password that protects it
        $certBytes = [System.Convert]::FromBase64String($jsonCert.data)
        $certCollection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
        $certCollection.Import($certBytes, $jsonCert.password, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)


    • Proposed as answer by Ali Khansari Wednesday, July 19, 2017 9:46 PM
    Wednesday, July 19, 2017 9:24 PM
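The marked answer and the JSON fix above each handle one layout of the Key Vault secret: a raw base64 PFX, or a base64 JSON envelope with "data" and "password" fields. The following is an added example (my own code, not from any poster in this thread) that detects which layout it was given, checks that a private key actually came back, refuses to write the near-empty export described earlier in the thread, and takes the export password interactively instead of hardcoding it. The AzureRM-era cmdlet Get-AzureKeyVaultSecret is the one the thread uses; the vault name, secret name and output path are placeholder assumptions.

```powershell
# Added example, not code from the original thread. Assumes the AzureRM-era cmdlet the
# thread uses (Get-AzureKeyVaultSecret) and an already signed-in session; the vault,
# secret and output path below are hypothetical placeholders.
param(
    [string]$VaultName  = 'my-vault',
    [string]$SecretName = 'my-app-service-cert',
    [string]$PfxPath    = (Join-Path $env:TEMP 'MyCert.pfx')
)

# Decode a Key Vault secret value into an X509Certificate2Collection. Handles both layouts
# that appear in this thread: a raw base64 PFX with no password, and a base64-encoded JSON
# envelope of the form {"data":"<base64 pfx>","password":"<pfx password>"}.
function ConvertFrom-KeyVaultCertSecret {
    param([Parameter(Mandatory = $true)][string]$SecretValueText)

    $raw      = [Convert]::FromBase64String($SecretValueText)
    $pfxBytes = $raw
    $password = $null

    # A DER-encoded PFX starts with 0x30 (ASN.1 SEQUENCE); a JSON envelope starts with '{' (0x7B).
    if ($raw.Length -gt 0 -and $raw[0] -eq 0x7B) {
        $envelope = [Text.Encoding]::UTF8.GetString($raw) | ConvertFrom-Json
        if (-not $envelope.data) { throw 'Secret is a JSON envelope but has no "data" field.' }
        $pfxBytes = [Convert]::FromBase64String($envelope.data)
        $password = $envelope.password
    }

    $collection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
    # "Cannot find the requested object" here means the bytes are not a PFX at all,
    # typically because the JSON envelope was handed straight to Import.
    $collection.Import($pfxBytes, $password, $flags)
    # Leading comma stops PowerShell from unrolling the collection on return.
    return ,$collection
}

$secret = Get-AzureKeyVaultSecret -VaultName $VaultName -Name $SecretName
if (-not $secret.SecretValueText) {
    throw "Secret '$SecretName' in vault '$VaultName' has no value (check the secret name and your 'get' permission on secrets)."
}

$certs = ConvertFrom-KeyVaultCertSecret -SecretValueText $secret.SecretValueText
$leaf  = @($certs | Where-Object { $_.HasPrivateKey }) | Select-Object -First 1
if (-not $leaf) {
    throw "Decoded $($certs.Count) certificate(s) but none carries a private key; nothing useful to export."
}
Write-Host ("Leaf: {0}  thumbprint {1}  expires {2:u}" -f $leaf.Subject, $leaf.Thumbprint, $leaf.NotAfter)

# Re-protect the bundle with a password of your choosing before it is written to disk,
# rather than leaving a literal password in the script.
$secure = Read-Host -AsSecureString -Prompt 'Password for the exported PFX'
$plain  = (New-Object System.Net.NetworkCredential('', $secure)).Password
$pfx    = $certs.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $plain)

# Exporting an empty collection yields only a few dozen bytes, which is the "almost empty"
# file reported earlier in the thread; refuse to write one.
if ($pfx.Length -lt 256) {
    throw "Exported PFX is only $($pfx.Length) bytes; the import produced no certificates."
}
[IO.File]::WriteAllBytes($PfxPath, $pfx)
Write-Host "Wrote $($pfx.Length) bytes to $PfxPath"
```

Run it as `.\Get-KeyVaultPfx.ps1 -VaultName <vault> -SecretName <secret>` (any file name works; that one is just an assumption). To split the result with openssl as the marked answer suggests: `openssl pkcs12 -in MyCert.pfx -nocerts -nodes -out key.pem` for the private key and `openssl pkcs12 -in MyCert.pfx -clcerts -nokeys -out cert.pem` for the certificate. Treat the written PFX, the decoded JSON envelope and the `password` field it carries as private-key material: whoever can `get` that secret holds the key, so scope the vault access policy and the file permissions accordingly.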
  • I am facing the same issue: $kvSecret.SecretValueText is not getting any value.

    Any idea on this?

    Thursday, June 21, 2018 2:13 PM