Cannot import a P-256 elliptic curve certificate RRS feed

  • Question

  • I've been banging my head against this for a while.

    I have an X.509 certificate issued by a private certificate authority. It is based on a P-256 private key.

    It will not import into Azure Key Vault, seemingly no matter what I do. I have noted that EC keys are not supported in PEM format, so I've converted it into a single-certificate PFX file. 

    Importing the file in the portal just gives me a generic, "an error occurred" message. 

    Importing the file using Powershell gives me something more useful:

    Import-AzureKeyVaultCertificate : Elliptic Curve Cryptography Public Key Algorithm of the x509 certificate in the certificate chain is not supported.

    The certificate is P-256 with SHA256. 

    The issuing CA is a P-256 key with SHA512 hashing.

    The root ca is a P-521 key with SHA512 hashing.

    However, I'm not trying to import the issuing or root CA, just the server cert. The CAs don't exist in the PFX file.

    Any thoughts?

    Monday, May 13, 2019 7:49 PM

All replies

  • You still can't import via the Portal UI or PowerShell but you can import using the Azure CLI. Portal and PowerShell support for importing will arrive in a future update. Pleas use this link to use the Azure CLI cmdlet using --curve parameter to import key with ECC.

    Here are the links that discuss the curves supported:

    Monday, May 13, 2019 11:12 PM
  • Thank you, but this is for creating/importing a key, not a certificate. I am trying to store a certificate so that my application can reference it. 

    Is a key the only thing I can store in the key vault, not a certificate? It's an ugly workflow to store the certificate outside of the key vault, store the private key inside, then have the application pull both from separate areas and combine them.

    Tuesday, May 14, 2019 1:28 PM
  • Further note, I can't seem to import this even using the REST API. 

      "value": "<base64 encoded PFX>",
      "pwd": "<PFX password>",
      "policy": {
        "key_props": {
          "exportable": true,
          "kty": "EC",
          "crv": "P-256",
          "key_size": 256,
          "reuse_key": false
        "secret_props": {
          "contentType": "application/x-pkcs12"


        "error": {
            "code": "BadParameter",
            "message": "Elliptic Curve Cryptography Public Key Algorithm of the x509 certificate in the certificate chain is not supported."

    Tuesday, May 14, 2019 3:46 PM
  • No, you can import certificates to Azure Key Vault but for ECC certificates I suggest you to please go through the blog which provides you details on importing the same.

    Thursday, June 27, 2019 9:58 PM