Generate Client Certificate with Azure Function and Azure Key Vault

Question

I have to store a Root Certificate in the Azure Key Vault. This step is fine I think.

The next step is an Azure Function from which I should create some Client Certificates with special IDs and the Root Certificate from the Key Vault. But I have no idea how to do that.

Could anybody help me with the Azure Function and how I can create a Client Certificate there? The Function should be written in .NET. In the web I almost found Powershell Skripts but that doesn't help me. Would be really great if somebody is able to help me out.

Thanks very much.

Answer 1

Here is a take on it that I got from this post by Jeff Hollinger. Here is some sample code you need in the function:

using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Host;
using Microsoft.Extensions.Logging;

namespace KeyVault
{
    public static class MyFunctionClass
    {
        private static string superSecret = System.Environment.GetEnvironmentVariable("SuperSecret");

        [FunctionName("MyFunction")]
        public static void Run([EventHubTrigger("eventhub", Connection = "EventHubConnectionString")]string myEventHubMessage, ILogger log)
        {
            // DISCLAIMER: Never log secrets. Just a demo :)
            log.LogInformation($"Shhhhh.. it's a secret: {superSecret}");
        }
    }
}

Sounds like you have your secrets in the Key Vault already so all you are missing then is to add your Key Vault references to your function's App Settings. Here is a description from the Microsoft Azure-Functions-Key-Vault docs .

When running locally you can add the values to file such as a local.settings.json like so:

{
  "IsEncrypted": false,
  "Values": {
    "AzureWebJobsStorage": "UseDevelopmentStorage=true",
    "FUNCTIONS_WORKER_RUNTIME": "dotnet",
    "SuperSecret": "I love Azure Functions",
    "EventHubConnectionString": "Endpoint=sb://jeffs.servicebus.windows.net/;SharedAccessKeyName=MyFakeKey;SharedAccessKey=NotARealSecret"
  }
}