
Getting certificate from Azure KeyVault with Azure.Security.KeyVault.Secrets

I am fetching a certificate from Azure Key Vault using the code below

private X509Certificate2 GetClientCertificate(string thumbprint)
{
    var _keyVaultName = _configuration["CPC:KeyVaultUrl"];
    var connectionString = _configuration["CPC:KeyVaultCN"];
    // AzureServiceTokenProvider accepts a "RunAs=App;AppId=...;TenantId=...;AppKey=..." connection string
    var azureServiceTokenProvider = new AzureServiceTokenProvider(connectionString);
    var _client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
    var secretName = _configuration["CPC:ECCCertName"];
    // The secret backing a Key Vault certificate holds the PFX as base64 text
    var secret = _client.GetSecretAsync(_keyVaultName, secretName).Result;
    var privateKeyBytes = Convert.FromBase64String(secret.Value);
    // Key Vault exports the PFX without a password, hence string.Empty
    var certificate = new X509Certificate2(privateKeyBytes, string.Empty, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable);
    return certificate;
}

It uses the Microsoft.Azure.KeyVault library, which is deprecated and to be replaced by Azure.Security.KeyVault.

How can I translate this code to make it work with the new library? (using a connection string with an AppKey instead of a password)

Many thanks

This is the code I use to get a Certificate with its private key from Azure Key Vault, hope it can help you with your problem:

using System;
using System.Security.Cryptography.X509Certificates;
using Azure.Identity;
using Azure.Security.KeyVault.Certificates;
using Azure.Security.KeyVault.Secrets;
using Microsoft.Extensions.Configuration;

/// <summary>
/// Load a certificate (with private key) from Azure Key Vault
///
/// Getting a certificate with private key is a bit of a pain, but the code below solves it.
/// 
/// Get the private key for Key Vault certificate
/// https://github.com/heaths/azsdk-sample-getcert
/// 
/// See also these GitHub issues: 
/// https://github.com/Azure/azure-sdk-for-net/issues/12742
/// https://github.com/Azure/azure-sdk-for-net/issues/12083
/// </summary>
/// <param name="config">Configuration holding Vault:Url, Vault:ClientId, Vault:TenantId and Vault:Secret</param>
/// <param name="certificateName">Name of the certificate in Key Vault</param>
/// <returns>The certificate, with its private key when the vault policy marks it exportable</returns>
public static X509Certificate2 LoadCertificate(IConfiguration config, string certificateName)
{
    string vaultUrl = config["Vault:Url"] ?? "";
    string clientId = config["Vault:ClientId"] ?? "";
    string tenantId = config["Vault:TenantId"] ?? "";
    string secret = config["Vault:Secret"] ?? "";

    Console.WriteLine($"Loading certificate '{certificateName}' from Azure Key Vault");

    var credentials = new ClientSecretCredential(tenantId: tenantId, clientId: clientId, clientSecret: secret);
    var certClient = new CertificateClient(new Uri(vaultUrl), credentials);
    var secretClient = new SecretClient(new Uri(vaultUrl), credentials);

    var cert = GetCertificateAsync(certClient, secretClient, certificateName);

    Console.WriteLine("Certificate loaded");
    return cert;
}


/// <summary>
/// Helper method to get a certificate
/// 
/// Source https://github.com/heaths/azsdk-sample-getcert/blob/master/Program.cs
/// </summary>
/// <param name="certificateClient">Client used to read the certificate and its policy</param>
/// <param name="secretClient">Client used to read the secret that carries the private key</param>
/// <param name="certificateName">Name of the certificate in Key Vault</param>
/// <returns>The certificate, public part only when the policy is not exportable</returns>
private static X509Certificate2 GetCertificateAsync(CertificateClient certificateClient,
                                                        SecretClient secretClient,
                                                        string certificateName)
{

    KeyVaultCertificateWithPolicy certificate = certificateClient.GetCertificate(certificateName);

    // Return a certificate with only the public key if the private key is not exportable.
    if (certificate.Policy?.Exportable != true)
    {
        return new X509Certificate2(certificate.Cer);
    }

    // Parse the secret ID and version to retrieve the private key.
    string[] segments = certificate.SecretId.AbsolutePath.Split('/', StringSplitOptions.RemoveEmptyEntries);
    if (segments.Length != 3)
    {
        throw new InvalidOperationException($"Number of segments is incorrect: {segments.Length}, URI: {certificate.SecretId}");
    }

    string secretName = segments[1];
    string secretVersion = segments[2];

    KeyVaultSecret secret = secretClient.GetSecret(secretName, secretVersion);

    // For PEM, you'll need to extract the base64-encoded message body.
    // .NET 5.0 preview introduces the System.Security.Cryptography.PemEncoding class to make this easier.
    if ("application/x-pkcs12".Equals(secret.Properties.ContentType, StringComparison.InvariantCultureIgnoreCase))
    {
        byte[] pfx = Convert.FromBase64String(secret.Value);
        return new X509Certificate2(pfx);
    }

    throw new NotSupportedException($"Only PKCS#12 is supported. Found Content-Type: {secret.Properties.ContentType}");
}

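An added example, not the answer's code and not taken from the linked sample, that covers the two things the thread asks for: it maps the legacy AzureServiceTokenProvider connection string carrying an AppKey onto an Azure.Identity credential, and it loads the certificate together with its private key through the new clients while also accepting PEM-typed secrets, which the answer leaves unsupported. Assumed: the packages Azure.Identity, Azure.Security.KeyVault.Certificates and Azure.Security.KeyVault.Secrets, .NET 5 or later for X509Certificate2.CreateFromPem, and the names KeyVaultCertificateLoader, CredentialFromConnectionString and LoadAsync, which are mine.

```csharp
// Added example (not the answer's code). Assumes Azure.Identity,
// Azure.Security.KeyVault.Certificates and Azure.Security.KeyVault.Secrets,
// and .NET 5+ for X509Certificate2.CreateFromPem.
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Certificates;
using Azure.Security.KeyVault.Secrets;

public static class KeyVaultCertificateLoader
{
    // Translate the old "RunAs=App;AppId=...;TenantId=...;AppKey=..." connection string
    // into an Azure.Identity credential. Only the AppKey form is handled here (assumption);
    // an empty or unrecognised string falls back to DefaultAzureCredential, which covers
    // managed identity, Azure CLI and Visual Studio sign-in without any secret in config.
    public static TokenCredential CredentialFromConnectionString(string? connectionString)
    {
        if (string.IsNullOrWhiteSpace(connectionString))
            return new DefaultAzureCredential();

        var parts = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        foreach (var element in connectionString.Split(';', StringSplitOptions.RemoveEmptyEntries))
        {
            int eq = element.IndexOf('=');
            if (eq <= 0)
                throw new FormatException($"Malformed connection string element: '{element.Trim()}'");
            parts[element[..eq].Trim()] = element[(eq + 1)..].Trim();
        }

        if (parts.TryGetValue("RunAs", out var runAs)
            && runAs.Equals("App", StringComparison.OrdinalIgnoreCase)
            && parts.TryGetValue("AppId", out var appId)
            && parts.TryGetValue("TenantId", out var tenantId)
            && parts.TryGetValue("AppKey", out var appKey))
        {
            return new ClientSecretCredential(tenantId, appId, appKey);
        }

        return new DefaultAzureCredential();
    }

    public static async Task<X509Certificate2> LoadAsync(Uri vaultUri, string certificateName, TokenCredential credential)
    {
        var certClient = new CertificateClient(vaultUri, credential);
        var secretClient = new SecretClient(vaultUri, credential);

        KeyVaultCertificateWithPolicy cert = await certClient.GetCertificateAsync(certificateName);

        // Public part only when the vault policy forbids export; the secret read below
        // would fail anyway, so return early with a clear result.
        if (cert.Policy?.Exportable != true)
            return new X509Certificate2(cert.Cer);

        // The secret backing the certificate shares its name and version.
        // KeyVaultSecretIdentifier parses the URI instead of counting path segments by hand.
        var secretId = new KeyVaultSecretIdentifier(cert.SecretId);
        KeyVaultSecret secret = await secretClient.GetSecretAsync(secretId.Name, secretId.Version);
        string contentType = secret.Properties.ContentType ?? "";

        if (contentType.Equals("application/x-pkcs12", StringComparison.OrdinalIgnoreCase))
        {
            // Key Vault returns the PFX as base64 text with no password. Default storage
            // flags are used on purpose: nothing is persisted to a machine key store.
            return new X509Certificate2(Convert.FromBase64String(secret.Value));
        }

        if (contentType.Equals("application/x-pem-file", StringComparison.OrdinalIgnoreCase))
        {
            // A PEM secret carries certificate and private key in one text blob;
            // CreateFromPem takes the first CERTIFICATE and the first key block from it.
            return X509Certificate2.CreateFromPem(secret.Value, secret.Value);
        }

        throw new NotSupportedException($"Unexpected Content-Type '{contentType}' for secret {cert.SecretId}");
    }
}
```

Usage: `var cert = await KeyVaultCertificateLoader.LoadAsync(new Uri(vaultUrl), certName, KeyVaultCertificateLoader.CredentialFromConnectionString(connStr));`. Two practical caveats: a certificate built by CreateFromPem holds an ephemeral key, which on Windows cannot be handed to SslStream or HttpClient directly; re-importing it via `new X509Certificate2(cert.Export(X509ContentType.Pfx))` gives SChannel a usable key. And the service principal only needs the Key Vault "get" permission on certificates and secrets for the names it actually loads; marking a certificate policy Exportable is what makes the private key readable at all, so keep that off for certificates that only need to be used inside Key Vault.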
