
Blogs like the following https://blogs.technet.microsoft.com/neales/2017/06/26/getting-a-private-certificate-from-key-vault/ seem to retrieve the secret? Does it not matter if it's "stored" as a certificate or not?

Kathrine Stack
  • Do you need any further assistance with this? Please consider updating your question if you still need help with this. – Mötz Dec 22 '18 at 13:32

1 Answer

It depends on what you are planning to do with the certificate. You could update your question with details about the expected workflow you want to support.

But basically a certificate can be stored as a file. You can see more details (C#) to get inspired on how to do that after the certificate is loaded into a variable.

Exporting a Certificate as BASE-64 encoded .cer

Update

Security considerations to take into account. If you see the certificate stored in the Azure Key Vault as a secret and you want to limit the access to it, then you have to consider how your PowerShell scripts will store the credentials needed to authenticate against the Key Vault.

If you plan on running the script unattended / scheduled without user interaction, you will have to store some kind of credentials on the machine that needs to run the script. BetterCredentials is a great PowerShell native module for storing credentials on the local machine.

I would recommend that you create an Azure Service Principal (App Registration / Registered App) that will get only enough permissions to get the certificate from the Key Vault. The created Service Principal's details should then be stored locally on the machine, and you should load those credentials first and use them for connecting to the Key Vault.

Example code that should be capable of loading a Service Principal's details from BetterCredentials and signing into Azure:

    # Run once, interactively: prompts for the client secret and saves it in the
    # Windows Credential Manager under the application ID (the <...> values are placeholders)
    BetterCredentials\Get-Credential -UserName '<application ID>' -Store

    # Every later, unattended run: load the stored credential and sign in as the service principal
    $azureTenantId = '<tenant ID>'
    $Cred = BetterCredentials\Get-Credential -UserName '<application ID>'
    Add-AzureRmAccount -Credential $Cred -TenantId $azureTenantId -ServicePrincipal
Mötz
  • If you are using Azure then I would try to use Managed Service Identity and grant your service access the appropriate keyvault(s) to directly retrieve secrets. – No Refunds No Returns Dec 11 '18 at 21:23
  • Totally! I was catching a plane and didn't have time to finish it all up. If on Azure we have another scenario. – Mötz Dec 11 '18 at 22:08
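The workflow the answer sketches, carried through to actually loading the certificate, as an added example that is not part of the original answer. It assumes the same AzureRM and BetterCredentials modules, a service principal whose secret was already saved with `-Store`, and placeholder vault, certificate, application and tenant names.

```powershell
# Added example, not from the original post. Placeholders in <...> are assumptions.
$vaultName  = '<vault name>'
$certName   = '<certificate name>'   # a Key Vault certificate is also exposed as a secret of the same name
$appId      = '<application ID>'
$tenantId   = '<tenant ID>'

# 1. Run once by an administrator: the service principal gets only 'get' on secrets,
#    so it can neither list other secrets nor change anything in the vault.
Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ServicePrincipalName $appId -PermissionsToSecrets get

# 2. Unattended sign-in with the locally stored service principal credential (as in the answer)
$Cred = BetterCredentials\Get-Credential -UserName $appId
Add-AzureRmAccount -Credential $Cred -TenantId $tenantId -ServicePrincipal | Out-Null

# 3. Read the secret form of the certificate and verify it really is a PKCS#12 bundle
#    before trying to decode it (a plain text secret would fail or mislead here)
$kvSecret = Get-AzureKeyVaultSecret -VaultName $vaultName -Name $certName
if ($kvSecret.ContentType -ne 'application/x-pkcs12') {
    throw "Secret '$certName' has content type '$($kvSecret.ContentType)', not a Key Vault certificate"
}

# 4. Decode the base64 PFX straight into an in-memory X509Certificate2 (no file on disk,
#    nothing imported into a certificate store). The Key Vault PFX has no password.
$pfxBytes = [Convert]::FromBase64String($kvSecret.SecretValueText)
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxBytes)
[Array]::Clear($pfxBytes, 0, $pfxBytes.Length)   # drop the raw key material once loaded

# 5. The secret form is what carries the private key; the certificate form
#    (Get-AzureKeyVaultCertificate) only returns the public part. Check before use.
if (-not $cert.HasPrivateKey) {
    throw "Certificate '$certName' was loaded without a private key"
}
"Loaded $($cert.Subject), thumbprint $($cert.Thumbprint), valid until $($cert.NotAfter)"
```

The `$cert` object can now be handed to whatever needs it (for example the .cer export the answer links to) without the PFX ever touching the file system.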