
Export Azure SSL certificate as pfx file

I purchased a wildcard certificate from Azure. It sits right now in the Key Vault. I need to upload it to our other server, which hosts one of our other applications for the same domain. There is no option to export the certificate as a .pfx file anywhere in the Azure portal.

Please help.

You can create a local PFX copy of Azure App Service Certificate using PowerShell.

Provide appropriate values for the following variables and save the script as copyasc.ps1.

Variables:

$appServiceCertificateName = "ascdemo"
$resourceGroupName = "ascdemorg"
$azureLoginEmailId = "user@microsoft.com"
$subscriptionId = "fb2c25dc-6bab-45c4-8cc9-cece7c42a95a"

copyasc.ps1:

$appServiceCertificateName = ""
$resourceGroupName = ""
$azureLoginEmailId = ""
$subscriptionId = ""

Login-AzureRmAccount
Set-AzureRmContext -SubscriptionId $subscriptionId

$ascResource = Get-AzureRmResource -ResourceName $appServiceCertificateName -ResourceGroupName $resourceGroupName -ResourceType "Microsoft.CertificateRegistration/certificateOrders" -ApiVersion "2015-08-01"
$keyVaultId = ""
$keyVaultSecretName = ""

$certificateProperties=Get-Member -InputObject $ascResource.Properties.certificates[0] -MemberType NoteProperty
$certificateName = $certificateProperties[0].Name
$keyVaultId = $ascResource.Properties.certificates[0].$certificateName.KeyVaultId
$keyVaultSecretName = $ascResource.Properties.certificates[0].$certificateName.KeyVaultSecretName

$keyVaultIdParts = $keyVaultId.Split("/")
$keyVaultName = $keyVaultIdParts[$keyVaultIdParts.Length - 1]
$keyVaultResourceGroupName = $keyVaultIdParts[$keyVaultIdParts.Length - 5]
Set-AzureRmKeyVaultAccessPolicy -ResourceGroupName $keyVaultResourceGroupName -VaultName $keyVaultName -UserPrincipalName $azureLoginEmailId -PermissionsToSecrets get
$secret = Get-AzureKeyVaultSecret -VaultName $keyVaultName -Name $keyVaultSecretName
$pfxCertObject=New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @([Convert]::FromBase64String($secret.SecretValueText),"", [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
$pfxPassword = -join ((65..90) + (97..122) + (48..57) | Get-Random -Count 50 | % {[char]$_})
$currentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
[Environment]::CurrentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
[io.file]::WriteAllBytes(".\appservicecertificate.pfx", $pfxCertObject.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $pfxPassword))
Write-Host "Created an App Service Certificate copy at: $currentDirectory\appservicecertificate.pfx"
Write-Warning "For security reasons, do not store the PFX password. Use it directly from the console as required."
Write-Host "PFX password: $pfxPassword"

Type the following commands in PowerShell console to execute the script:

Powershell -ExecutionPolicy Bypass
.\copyasc.ps1

You can find more details on the Azure App Service Team Blog: Creating a local PFX copy of App Service Certificate.

If you have an App Service Certificate that you would like to use outside of the Azure App Service ecosystem, then give this a try and let us know how it goes. If you run into any issues, please let us know on Stack Overflow or on the Azure App Service forum.

It is a one button export now.

go to your app service certificate resource

click export certificate

it will tell you to go to key vault and provide a link to it

click that link

now click the cert

now click download

that download is a pfx file

I've found @dmitry-kazakov's answer to be helpful, but had to perform some minor updates to get it to work for me.

First I had to execute this command and assign it to $azureUserPrincipalName :

PS Azure:\> Get-Azureaduser

ObjectId                             DisplayName UserPrincipalName                                             UserType
--------                             ----------- -----------------                                             --------
89500455-0019-4059-8ef8-f1w32993z520 A User rmoore_roundlabinc.com#EXT#@rmooreroundlabinc.onmicrosoft.com Member

Then here is the updated script:

$appServiceCertificateName = "ascdemo" #This is the "Subject Name" in Azure, not "Name"
$resourceGroupName = "ascdemorg"
$azureLoginEmailId = "user@microsoft.com"
$subscriptionId = "fb2c25dc-6bab-45c4-8cc9-cece7c42a95a"
$azureUserPrincipalName = "user@microsoft.com#EXT#@user@microsoft.com.onmicrosoft.com"

Login-AzureRmAccount
Set-AzureRmContext -SubscriptionId $subscriptionId

$ascResource= Get-AzureRmResource -ResourceName $appServiceCertificateName -ResourceGroupName $resourceGroupName -ResourceType "Microsoft.CertificateRegistration/certificateOrders" -ApiVersion "2019-05-01"
$keyVaultId = ""
$keyVaultSecretName = ""

$certificateProperties=Get-Member -InputObject $ascResource.Properties.certificates[0] -MemberType NoteProperty
$certificateName = $certificateProperties[0].Name
$keyVaultId = $ascResource.Properties.certificates[0].$certificateName.KeyVaultId
$keyVaultSecretName = $ascResource.Properties.certificates[0].$certificateName.KeyVaultSecretName

$keyVaultIdParts = $keyVaultId.Split("/")
$keyVaultName = $keyVaultIdParts[$keyVaultIdParts.Length - 1]
$keyVaultResourceGroupName = $keyVaultIdParts[$keyVaultIdParts.Length - 5]
Set-AzureRmKeyVaultAccessPolicy -ResourceGroupName $keyVaultResourceGroupName -VaultName $keyVaultName -UserPrincipalName $azureUserPrincipalName -PermissionsToSecrets get
$secret = Get-AzureKeyVaultSecret -VaultName $keyVaultName -Name $keyVaultSecretName
$pfxCertObject=New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @([Convert]::FromBase64String($secret.SecretValueText),"", [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
$pfxPassword = -join ((65..90) + (97..122) + (48..57) | Get-Random -Count 50 | % {[char]$_})
$currentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
[Environment]::CurrentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
[io.file]::WriteAllBytes(".\appservicecertificate.pfx", $pfxCertObject.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $pfxPassword))
Write-Host "Created an App Service Certificate copy at: $currentDirectory\appservicecertificate.pfx"
Write-Warning "For security reasons, do not store the PFX password. Use it directly from the console as required."
Write-Host "PFX password: $pfxPassword"

Powershell -ExecutionPolicy Bypass
.\copyasc.ps1

Some docs are outdated, so here is a version of how to export it with PowerShell and Azure CLI on Mac + convert to PEM format for Nginx. Sharing just because it was painful for me, so hopefully it will be useful to someone:

pwsh
az keyvault secret show --vault-name KeyVaultName --name SecretName | tail -n 1 | cut -d ' ' -f 3 | pbcopy
echo $(pbpaste) > /tmp/pass
$secret=$(cat /tmp/pass)
$pfxCertObject= New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @([Convert]::FromBase64String($secret),"",[System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
$pfxPassword = -join ((65..90) + (97..122) + (48..57) | Get-Random -Count 50 | % {[char]$_})
$currentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
[Environment]::CurrentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
[io.file]::WriteAllBytes("./appservicecertificate.pfx",$pfxCertObject.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12,$pfxPassword))
openssl pkcs12 -in appservicecertificate.pfx -out /tmp/certificate.pem -clcerts -nokeys -password pass:$(echo $pfxPassword)
openssl pkcs12 -in appservicecertificate.pfx -out /tmp/certificate.key_protected -nocerts -password pass:$(echo $pfxPassword)
openssl rsa -in /tmp/certificate.key_protected -out /tmp/certificate.key -passin pass:$(echo $pfxPassword)

The last three lines are taken from here and the middle part is a stripped-down version from the main guide
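An added example, not code from any of the answers above: the re-export step done in memory, without the clipboard or a temporary secret file, with a password whose characters are drawn independently from the OS random number generator (Get-Random -Count picks each character at most once), and with a round-trip check of the written file. It assumes PowerShell 7+; the function names New-PfxPassword and Convert-VaultSecretToPfx are hypothetical, and a constructed self-signed certificate stands in for the Key Vault secret value.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function New-PfxPassword([int]$Length = 40) {
    # Each character is drawn independently from the OS CSPRNG, so repeats are allowed.
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    -join (1..$Length | ForEach-Object { $alphabet[[RandomNumberGenerator]::GetInt32($alphabet.Length)] })
}

function Convert-VaultSecretToPfx {
    param([Parameter(Mandatory)][string]$SecretBase64,
          [Parameter(Mandatory)][string]$Path)
    # The Key Vault secret is a base64 PKCS#12 blob with an empty password, as in the answers above.
    $cert = [X509Certificate2]::new([Convert]::FromBase64String($SecretBase64), '',
                                    [X509KeyStorageFlags]::Exportable)
    if (-not $cert.HasPrivateKey) { throw 'Secret holds no private key; nothing to export.' }

    # [IO.File] resolves relative paths against the process directory, not the PowerShell location.
    $full = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($Path)
    $password = New-PfxPassword
    [IO.File]::WriteAllBytes($full, $cert.Export([X509ContentType]::Pkcs12, $password))
    if (-not $IsWindows) { chmod 600 $full }   # owner-only on macOS/Linux

    # Round trip: the file must open with the new password and hold the same key pair.
    $check = [X509Certificate2]::new($full, $password)
    if (-not $check.HasPrivateKey -or $check.Thumbprint -ne $cert.Thumbprint) {
        throw 'Written PFX failed verification.'
    }
    [pscustomobject]@{
        Path       = $full
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Password   = ConvertTo-SecureString $password -AsPlainText -Force  # not echoed to the console
    }
}

# Constructed sample input: a throwaway self-signed certificate exported without a password.
# Real use (assumes the Az.KeyVault module; <vault> and <secret> are placeholders):
#   $b64 = Get-AzKeyVaultSecret -VaultName <vault> -Name <secret> -AsPlainText
$rsa = [RSA]::Create(2048)
$req = [CertificateRequest]::new('CN=constructed.example.test', $rsa,
                                 [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$now = [DateTimeOffset]::UtcNow
$b64 = [Convert]::ToBase64String($req.CreateSelfSigned($now, $now.AddDays(30)).Export([X509ContentType]::Pfx, ''))

$result = Convert-VaultSecretToPfx -SecretBase64 $b64 -Path './appservicecertificate.pfx'
$result | Format-List Path, Thumbprint, NotAfter
```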
