从 Node.js 中的 Azure 密钥库获取正确的 pfx 文件

Question

I am trying to get a pfx file from the azure keyvault instead of placing it on local machine. I intend to use this to create a HTTPS server.

However when I read it from the keyvault and write to a pfx file on the local. The file seems to have changed slightly in size and it is no longer works to generate certificates even with the right password. I tried the same on java and does not seem platform specific.

    client.getSecret("https://sl-dev-keys.vault.azure.net/secrets/newcertpfx/888175c395264e6096bf0a02ef73de1a", function(getErr, getSecretBundle) {    
    if (getErr) throw getErr;
    console.log('\n\nSecret ', getSecretBundle.value, ' is retrieved.\n');

    var fs = require('fs');
    var fileContent = getSecretBundle.value;

    let writeStream = fs.createWriteStream('test.pfx');

    // write some data with a base64 encoding
    writeStream.write(fileContent, 'base64');

    // the finish event is emitted when all data has been flushed from the stream
    writeStream.on('finish', () => {  
        console.log('wrote all data to file');
    });

    // close the stream
    writeStream.end('end');

Answer 1

Here is an example how to setup a node.js https server with the certificate fetched as a sercret from Azure keyvault.

import { SecretClient } from '@azure/keyvault-secrets';
import https from 'https';

...

const client = new SecretClient(url, credential);
const secret = await client.getSecret(certificateName);

const options = {
  pfx: new Buffer(secret.value, 'base64')
};

https.createServer(options, app).listen(PORT);

Answer 2

If the certificate file needs to be stored on the hard disk then you may need to encrypt it with a password.

For reference, here's a PowerShell script for retrieving pfx file & adding password back:

$kvSecret = Get-AzureKeyVaultSecret -VaultName $vaultName -Name $secretName
$kvSecretBytes = [System.Convert]::FromBase64String($kvSecret.SecretValueText)
$certCollection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$certCollection.Import($kvSecretBytes,$null,[System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)

$password = '******'
$protectedCertificateBytes = $certCollection.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $password)
$pfxPath = [Environment]::GetFolderPath("Desktop") + "\MyCert.pfx"
[System.IO.File]::WriteAllBytes($pfxPath, $protectedCertificateBytes)

For more infomation, pelase refer to Get started with Azure Key Vault certificates .