How to Get Private Key from Certificate in an Azure Key Vault?

Question

I have a Certificate in an Azure Key Vault that I would like to extract a private key from.

According to the Microsoft Docs :

When a Key Vault certificate is created, an addressable key and secret are also created with the same name. The Key Vault key allows key operations and the Key Vault secret allows retrieval of the certificate value as a secret.

However, I have been unsuccessful in extracting the private key from this. Here is an example of some python code I tried:

pem_data  = get_secret('https://keyvault.azure.net/', 'x509-cert')
pem_data = '-----BEGIN CERTIFICATE----- ' + pem_data + ' -----END CERTIFICATE-----'
pem_data = pem_data.encode()
key = x509.load_pem_x509_certificate(pem_data,  backend=default_backend())
private_key = key.private_key()

This however, will error saying it cannot load the certificate.

Answer 1

The pem_data you get from the key vault is already in pem format, and you can ony get the public key.

pem_data = client.get_secret("https://XX.vault.azure.net/", "XX", "XX")
pem_data = pem_data.value.encode()

cert = load_pem_x509_certificate(pem_data,  backend=default_backend())
public_key = cert.public_key()

If you want to get the private key, you can use OpenSSL:

import OpenSSL.crypto

pem_data = client.get_secret("https://XX.vault.azure.net/", "XX", "XX")
pem_data = pem_data.value.encode()
crtObj = crypto.load_certificate(crypto.FILETYPE_PEM, pem_data)
pubKeyObject = crtObj.get_pubkey()
priKeyString = crypto.dump_privatekey(crypto.FILETYPE_PEM, pubKeyObject)
print(priKeyString)

Note:

Please make sure that you have indicated that the key is exportable when you create the certificate. If the policy indicates non-exportable, then the private key isn't a part of the value when retrieved as a secret. Refer to this document for more details.

Answer 2

There's now a sample for azure-keyvault-certificates that shows how to get the private key from a certificate using pyOpenSSL :

import base64
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient
from cryptography.hazmat.primitives.serialization import pkcs12

vault_url = "https://{vault-name}.vault.azure.net"
cert_name = "certificate name"
credential = DefaultAzureCredential()

secret_client = SecretClient(vault_url=vault_url, credential=credential)
certificate_secret = secret_client.get_secret(name=cert_name)

# Now we can extract the private key and public certificate from the secret using the cryptography
# package.
# This example shows how to parse a certificate in PKCS12 format since it's the default in Key Vault,
# but PEM certificates are supported as well. With a PEM certificate, you could use load_pem_private_key
# in place of load_key_and_certificates.
cert_bytes = base64.b64decode(certificate_secret.value)
private_key, public_certificate, additional_certificates = pkcs12.load_key_and_certificates(
    data=cert_bytes,
    password=None
)

More documentation on the new Azure SDK packages for Key Vault (that replace azure-keyvault ) can be found here:

• azure-keyvault-certificates (Migration guide)
• azure-keyvault-keys (Migration guide)
• azure-keyvault-secrets (Migration guide)

(I work on the Azure SDK in Python)