Unable to upload pfx file to Azure Key Vault

  • Question

  • I get the error below when trying to upload a pfx file as a secret to Azure KeyVault:

    Something went wrong parsing your certificate. Please provide a valid pfx file containing a certificate.

    Is it possible to get more details about what it doesn't like about the pfx file, or what's failing to parse? Using OpenSSL I can successfully inspect the file (openssl pkcs12 -info -in cer.pfx)

    Monday, January 23, 2017 7:10 PM

Answers

  • Hi James,

    I had the same issue. My certificate was good. The Azure KeyVault UI is showing this error when I enter my certificate password. I think they have some validation which fails when we enter a password that has some specific characters (like /). I tried to upload my certificate using a PowerShell command and it worked fine for me. Please use the following PowerShell script to upload your certificate.

    # Load the password-protected PFX into an exportable certificate collection
    $pfxFilePath = 'C:\myPFXCert.pfx'
    $pfxPassword = '12345'   # the PFX password (avoid $pwd, which is PowerShell's automatic current-directory variable)
    $flag = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
    $collection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $collection.Import($pfxFilePath, $pfxPassword, $flag)
    # Re-export the collection as PKCS#12 (no password) and base64-encode it as the secret value
    $pkcs12ContentType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12
    $clearBytes = $collection.Export($pkcs12ContentType)
    $fileContentEncoded = [System.Convert]::ToBase64String($clearBytes)
    $secret = ConvertTo-SecureString -String $fileContentEncoded -AsPlainText -Force
    $secretContentType = 'application/x-pkcs12'
    Set-AzureKeyVaultSecret -VaultName '<<key vault name>>' -Name '<<Secret name>>' -SecretValue $secret -ContentType $secretContentType

    Regards,

    Hardik


    • Proposed as answer by Hardik.Patel Thursday, January 26, 2017 7:01 AM
    • Marked as answer by James Hayward2 Wednesday, February 1, 2017 5:34 PM
    Thursday, January 26, 2017 7:01 AM

All replies

  • I do confirm the above

    CIGNUM

    Monday, February 13, 2017 3:58 PM
  • Hi, I am using macOS and I get the error for any password, for example even if I have the password as 12345678.

    Also, I ran your script and it gave an error when trying to read the file, which is: "error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure". I think this is because it is reading the file as a text file rather than a binary file. Can you update the script to solve these types of errors as well?

    Saturday, February 25, 2017 3:48 PM
  • I had a problem with the UI method too, so I am trying the PowerShell method.

    Am I meant to set up the secret name first ?

    When I try to do this I get an error:
    Set-AzureKeyVaultSecret : The 'Set-AzureKeyVaultSecret' command was found in the module 'AzureRM.KeyVault', but the module could not be loaded. For more information, 
    run 'Import-Module AzureRM.KeyVault'.
    At line:11 char:1
    + Set-AzureKeyVaultSecret -VaultName 'MyAzureFunctionsVault' -Name 'Xe ...
    + ~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : ObjectNotFound: (Set-AzureKeyVaultSecret:String) [], CommandNotFoundException
        + FullyQualifiedErrorId : CouldNotAutoloadMatchingModule


    Sunday, September 16, 2018 3:08 AM
  • This issue occurs when you exported the certificate as AES256-SHA256. If you export it as TripleDES-SHA1 it works as expected.

    As a side note, this is probably not what you want.


    Boudewijn Plomp | Conclusion FIT



    Saturday, January 11, 2020 4:24 PM
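The last reply points at the PFX's encryption, which the Key Vault error message never names. The Python helper below is an added example, not code from this thread: it lists the PBE, cipher and MAC-digest algorithm OIDs a .pfx carries by walking its DER nesting with the standard library only, so an AES256-SHA256 export can be told from a TripleDES-SHA1 one before upload. SAMPLE_FRAGMENT is a constructed stand-in for a real file, not a genuine PFX.

```python
KNOWN_OIDS = {                               # PBES1 (3DES/SHA-1), PBES2/AES-256 and MacData digest OIDs
    "1.2.840.113549.1.12.1.3": "pbeWithSHA1And3-KeyTripleDES-CBC (legacy PBES1)",
    "1.2.840.113549.1.5.13": "PBES2",
    "2.16.840.1.101.3.4.1.42": "aes256-CBC",
    "1.3.14.3.2.26": "sha1 (MAC digest)",
    "2.16.840.1.101.3.4.2.1": "sha256 (MAC digest)",
}

# Constructed, not a real PFX: 3DES PBE OID nested in an OCTET STRING, then sha1/PBES2/aes256 OIDs, then junk octets
SAMPLE_FRAGMENT = bytes.fromhex("3032040e300c060a2a864886f70d010c0103" "06052b0e03021a"
                                "06092a864886f70d01050d" "060960864801650304012a" "0403ffffff")

def _read_tlv(buf, pos):                     # DER tag+length -> (tag, value_start, value_end) or None
    if pos + 2 > len(buf):
        return None
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form; 0x80 alone (BER indefinite) is rejected
        n = length & 0x7F
        if not 0 < n <= 4 or pos + n > len(buf):
            return None
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return None if pos + length > len(buf) else (tag, pos, pos + length)

def _decode_oid(raw):                        # base-128 arcs -> dotted string
    arcs, value = [], 0
    for b in raw:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    first = arcs[0] if arcs else 0           # tolerate an empty or garbage OID body
    lead = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(map(str, lead + arcs[1:]))

def _walk(buf, found):                       # collect OIDs; False if buf is not one clean DER chain
    pos = 0
    while pos < len(buf):
        tlv = _read_tlv(buf, pos)
        if tlv is None:
            return False
        tag, start, pos = tlv
        if tag == 0x06:
            found.add(_decode_oid(buf[start:pos]))
        elif tag & 0x20 or tag == 0x04:      # constructed, or an OCTET STRING (PKCS#12 nests DER there)
            inner = set()
            if _walk(buf[start:pos], inner) or tag & 0x20:   # OCTET STRING counts only if fully DER
                found |= inner
    return True

def pfx_algorithms(der):                     # names of recognised algorithms used anywhere in the PFX
    found = set()
    _walk(der, found)
    return {KNOWN_OIDS[o] for o in found if o in KNOWN_OIDS}
```

On a real file call `pfx_algorithms(open('cer.pfx', 'rb').read())`; results are filtered to known OIDs because an OCTET STRING of ciphertext that happens to parse as DER could otherwise contribute a spurious value.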