stackoom
  简体   繁体   中英

Azure Key Vault download certificate with private key

 原文  2020-12-01 19:25:59       powershell/ certificate/ azure-keyvault

Question

I am trying to download the certificates that I have on several KeyVaults including their private keys. Through Azure Portal I can do it without issues just going to the KeyVault , selecting the certificate and clicking on "Download in PFX/PEM format"

As I have to repeat the same operation on several keyvaults I was looking for an automated way to do it. So far I arrive to the following:

$objCertificate = (Get-AzKeyVaultCertificate -VaultName <Key Vault> -Name <Certificate Name>).Certificate
$bytCertificate = $objCertificate.Export('pfx',<Password>)
$strCertificate = [System.Convert]::ToBase64String($bytCertificate)
$strPath = Join-Path $env:TEMP "$($objCertificate.Subject).pfx"
$bytCertificate | Set-Content -Path $strPath -Force -Encoding Byte

The issue is that it download the certificate with the Public Key only and I also need the Private Key included in it on the same way as when I download it through the portal. Do you know what I could be missing?

3 answers

solution1
 10 ACCPTED  2020-12-01 20:35:20

To get the private key you need to get it as a secret (yes, its strange), I don't have the answer in PowerShell but I hope my C# code below can give you some hints on how to do it.

        /// <summary>
        /// Load a certificate (with private key) from Azure Key Vault
        ///
        /// Getting a certificate with private key is a bit of a pain, but the code below solves it.
        /// 
        /// Get the private key for Key Vault certificate
        /// https://github.com/heaths/azsdk-sample-getcert
        /// 
        /// See also these GitHub issues: 
        /// https://github.com/Azure/azure-sdk-for-net/issues/12742
        /// https://github.com/Azure/azure-sdk-for-net/issues/12083
        /// </summary>
        /// <param name="config"></param>
        /// <param name="certificateName"></param>
        /// <returns></returns>
        public static X509Certificate2 LoadCertificate(IConfiguration config, string certificateName)
        {
            string vaultUrl = config["Vault:Url"] ?? "";
            string clientId = config["Vault:ClientId"] ?? "";
            string tenantId = config["Vault:TenantId"] ?? "";
            string secret = config["Vault:Secret"] ?? "";

            Console.WriteLine($"Loading certificate '{certificateName}' from Azure Key Vault");

            var credentials = new ClientSecretCredential(tenantId: tenantId, clientId: clientId, clientSecret: secret);
            var certClient = new CertificateClient(new Uri(vaultUrl), credentials);
            var secretClient = new SecretClient(new Uri(vaultUrl), credentials);

            var cert = GetCertificateAsync(certClient, secretClient, certificateName);

            Console.WriteLine("Certificate loaded");
            return cert;
        }


        /// <summary>
        /// Helper method to get a certificate
        /// 
        /// Source https://github.com/heaths/azsdk-sample-getcert/blob/master/Program.cs
        /// </summary>
        /// <param name="certificateClient"></param>
        /// <param name="secretClient"></param>
        /// <param name="certificateName"></param>
        /// <returns></returns>
        private static X509Certificate2 GetCertificateAsync(CertificateClient certificateClient,
                                                                SecretClient secretClient,
                                                                string certificateName)
        {

            KeyVaultCertificateWithPolicy certificate = certificateClient.GetCertificate(certificateName);

            // Return a certificate with only the public key if the private key is not exportable.
            if (certificate.Policy?.Exportable != true)
            {
                return new X509Certificate2(certificate.Cer);
            }

            // Parse the secret ID and version to retrieve the private key.
            string[] segments = certificate.SecretId.AbsolutePath.Split('/', StringSplitOptions.RemoveEmptyEntries);
            if (segments.Length != 3)
            {
                throw new InvalidOperationException($"Number of segments is incorrect: {segments.Length}, URI: {certificate.SecretId}");
            }

            string secretName = segments[1];
            string secretVersion = segments[2];

            KeyVaultSecret secret = secretClient.GetSecret(secretName, secretVersion);

            // For PEM, you'll need to extract the base64-encoded message body.
            // .NET 5.0 preview introduces the System.Security.Cryptography.PemEncoding class to make this easier.
            if ("application/x-pkcs12".Equals(secret.Properties.ContentType, StringComparison.InvariantCultureIgnoreCase))
            {
                byte[] pfx = Convert.FromBase64String(secret.Value);
                return new X509Certificate2(pfx);
            }

            throw new NotSupportedException($"Only PKCS#12 is supported. Found Content-Type: {secret.Properties.ContentType}");
        }
    }
}

solution2
 1  2020-12-16 15:48:10

You have to download the certificate as a secret rather than as a certificate. From https://azidentity.azurewebsites.net/post/2018/05/17/azure-key-vault-app-service-certificates-finding-downloading-and-converting :

Connect-AzAccount

$vaultName  = "<NameOfKeyVault>"
$keyVaultSecretName = "<NameOfTheSecretWhereCertificateIsStored>"

$secret = Get-AzureKeyVaultSecret -VaultName $VaultName -Name $keyVaultSecretName

$pfxCertObject = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @([Convert]::FromBase64String($secret.SecretValueText),"",[System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)

$pfxPassword = -join ((65..90) + (97..122) + (48..57) | Get-Random -Count 50 | % {[char]$_})

$currentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
[Environment]::CurrentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
[io.file]::WriteAllBytes(".\KeyVaultCertificate.pfx", $pfxCertObject.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $pfxPassword))

Write-Host "Created an App Service Certificate copy at: $currentDirectory\KeyVaultCertificate.pfx"
Write-Warning "For security reasons, do not store the PFX password. Use it directly from the console as required."
Write-Host "PFX password: $pfxPassword"

solution3
 0  2022-08-03 09:31:34

Thanks for the example Torre!

For future reference, there is an issue with you code example, you mention PEM, but use Psk12. I think that should be something like:

if (secret.Properties.ContentType.Equals(CertificateContentType.Pkcs12.ToString(), StringComparison.InvariantCultureIgnoreCase))
{
  return Convert.FromBase64String(secret.Value);
}

// For PEM, we need to extract the base64-encoded message body.
if (secret.Properties.ContentType.Equals(CertificateContentType.Pem.ToString(), StringComparison.InvariantCultureIgnoreCase))
{
  return Convert.FromBase64String(secret.Value);
}

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Azure certificate in Key Vault not valid for app service Azure - App Service Certificate in Key Vault is blank - Unable to download the pfx using powershell / az cli Retrieving SSL certificate from Azure key vault to Azure app service How to get Azure Key Vault secret using powershell with certificate auth? How to Get the Azure key vault certificate activation date using powershell Import Azure key vault certificate to app service using powershell? What is the best alternative to renew a certificate stored in Azure Key Vault? Importing Certificate with private key Change password for Key Vault in Azure Azure Key Vault - Deletion of Key in PowerShell Script
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM