
Azure certificate in Key Vault not valid for app service

The script below generates a self-signed certificate, creates a password-protected pfx and adds the certificate to the key vault. When I run the ARM template after the script, it fails with the error below. However, when I upload the pfx manually in the UI (Azure portal) and enter the correct password, the ARM template deploys successfully. Any ideas how to make this work?

PowerShell code (no error is thrown when the generated pfx is uploaded in the portal):

# Assumes $certificateName, $certPasswordSecure, $keyVaultName and
# $keyVaultSecretNameCertificate are set earlier in the script.

# Generate the certificate in the local store
$cert = New-SelfSignedCertificate -CertStoreLocation "cert:\CurrentUser\My" -Subject "CN=$certificateName" -KeyExportPolicy Exportable

# Get the raw value of the certificate (DER-encoded public certificate)
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())

# Export a password-protected pfx to disk
Export-PfxCertificate -Cert $cert -Password $certPasswordSecure -FilePath "d:/temp/SelfSigned.pfx"

# Wrap the value as a SecureString, which -SecretValue requires
$secret = ConvertTo-SecureString -String $keyValue -AsPlainText -Force
$secretContentType = 'application/x-pkcs12'

Set-AzureKeyVaultSecret -VaultName $keyVaultName -Name $keyVaultSecretNameCertificate -SecretValue $secret -ContentType $secretContentType

Error:

New-AzureRmResourceGroupDeployment : 21:22:36 - Resource Microsoft.Web/certificates 'testCertificate' failed with message '{
  "Code": "BadRequest",
  "Message": "The parameter KeyVault Certificate has an invalid value.",
  "Target": null,
  "Details": [
    {
      "Message": "The parameter KeyVault Certificate has an invalid value."
    },
    {
      "Code": "BadRequest"
    },
    {
      "ErrorEntity": {
        "Code": "BadRequest",
        "Message": "The parameter KeyVault Certificate has an invalid value.",
        "ExtendedCode": "51008",
        "MessageTemplate": "The parameter {0} has an invalid value.",
        "Parameters": [
          "KeyVault Certificate"
        ],
        "InnerErrors": null
      }
    }
  ],
  "Innererror": null
}'
At line:3 char:1
+ New-AzureRmResourceGroupDeployment -Name TestKeyVaultDeploy -Resource ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-AzureRmResourceGroupDeployment], Exception
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceGroupDeploymentCmdlet

New-AzureRmResourceGroupDeployment : 21:23:11 - Template output evaluation skipped: at least one resource deployment operation failed. Please list deployment operations 
for details. Please see https://aka.ms/arm-debug for usage details.
At line:3 char:1
+ New-AzureRmResourceGroupDeployment -Name TestKeyVaultDeploy -Resource ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-AzureRmResourceGroupDeployment], Exception
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceGroupDeploymentCmdlet

New-AzureRmResourceGroupDeployment : 21:23:11 - Template output evaluation skipped: at least one resource deployment operation failed. Please list deployment operations 
for details. Please see https://aka.ms/arm-debug for usage details.
At line:3 char:1
+ New-AzureRmResourceGroupDeployment -Name TestKeyVaultDeploy -Resource ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-AzureRmResourceGroupDeployment], Exception
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceGroupDeploymentCmdlet

ARM certificate resource:

{
    "type": "Microsoft.Web/certificates",
    "name": "testCertificate",
    "apiVersion": "2016-03-01",
    "location": "[resourceGroup().location]",
    "properties": {
        "keyVaultId": "[parameters('masterKeyVaultId')]",
        "keyVaultSecretName": "[parameters('servicePrincipalCertSecretName')]",
        "serverFarmId": "[resourceId('Microsoft.Web/serverfarms/', variables('appServicePlanName'))]"
    }
},

Maybe you are missing the certificate policy for the upload? But really, if you are generating a new certificate anyway, why generate it locally at all? Just generate the certificate in the key vault itself.

# Sign in interactively
$credential = Get-Credential

Login-AzureRmAccount -Credential $credential
$vaultName = 'my-vault-full-of-keys'
$certificateName = 'my-new-cert'
# Self-issued policy: Key Vault generates and keeps the private key
$policy = New-AzureKeyVaultCertificatePolicy -SubjectName "CN=mememe.me" -IssuerName Self -ValidityInMonths 120
Add-AzureKeyVaultCertificate -VaultName $vaultName -Name $certificateName -CertificatePolicy $policy
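The following is an added example, not code from the question or the answer. It puts the answer's Key Vault-side generation into a reusable form, waits for the self-signed issuance to finish, and then verifies what the backing secret actually contains: a Microsoft.Web/certificates resource reads the secret named by keyVaultSecretName and needs a base64-encoded PKCS#12 blob that carries the private key, which is why a secret built from GetRawCertData() (the DER public certificate only) is rejected while a portal pfx upload works. It also shows the import route for a pfx that had to be generated locally. It assumes the AzureRM cmdlets used in the thread and an existing Login-AzureRmAccount session; the vault and certificate names are placeholders and the three functions are hypothetical helpers.

```powershell
# Added example; assumes the AzureRM module and an existing login session.
$vaultName       = 'my-vault-full-of-keys'   # placeholder, not a real vault
$certificateName = 'my-new-cert'             # placeholder

function New-KeyVaultSelfSignedCertificate {
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $SubjectName,
        [int] $ValidityInMonths = 12
    )
    # Self-issued policy: Key Vault generates and keeps the private key, so there
    # is no local export, no pfx password and no plaintext key on disk.
    $policy = New-AzureKeyVaultCertificatePolicy -SubjectName $SubjectName -IssuerName Self -ValidityInMonths $ValidityInMonths
    Add-AzureKeyVaultCertificate -VaultName $VaultName -Name $Name -CertificatePolicy $policy | Out-Null

    # Issuance is asynchronous; poll the operation until it leaves 'inProgress'.
    do {
        Start-Sleep -Seconds 2
        $op = Get-AzureKeyVaultCertificateOperation -VaultName $VaultName -Name $Name
    } while ($op.Status -eq 'inProgress')
    if ($op.Status -ne 'completed') {
        throw "Certificate operation ended with status '$($op.Status)': $($op.ErrorMessage)"
    }
    Get-AzureKeyVaultCertificate -VaultName $VaultName -Name $Name
}

function Test-KeyVaultCertificateSecret {
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $Name
    )
    # A Key Vault certificate is backed by a secret of the same name. App Service
    # reads that secret, so it must be a base64 PKCS#12 blob holding the private
    # key; a bare DER public certificate is not a valid value for it.
    $secret = Get-AzureKeyVaultSecret -VaultName $VaultName -Name $Name
    if ($secret.ContentType -ne 'application/x-pkcs12') {
        throw "Secret '$Name' has content type '$($secret.ContentType)', expected application/x-pkcs12"
    }
    $bytes = [System.Convert]::FromBase64String($secret.SecretValueText)
    # Key Vault stores the PFX for its own certificates without a password.
    $pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $bytes, '', 'Exportable'
    if (-not $pfx.HasPrivateKey) {
        throw "Secret '$Name' decodes to a certificate without a private key"
    }
    [pscustomobject]@{
        Thumbprint    = $pfx.Thumbprint
        Subject       = $pfx.Subject
        NotAfter      = $pfx.NotAfter
        HasPrivateKey = $pfx.HasPrivateKey
    }
}

function Import-LocalPfxToKeyVault {
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [securestring] $PfxPassword
    )
    # If the certificate must be generated locally (as in the question), import
    # the whole pfx file instead of base64-encoding GetRawCertData(). Key Vault
    # checks the password once and stores the key material itself; App Service
    # then reads the same-named secret exactly as in the generated case above.
    Import-AzureKeyVaultCertificate -VaultName $VaultName -Name $Name -FilePath $PfxPath -Password $PfxPassword
}

# Generate in the vault, then confirm the secret is usable by Microsoft.Web/certificates.
New-KeyVaultSelfSignedCertificate -VaultName $vaultName -Name $certificateName -SubjectName 'CN=mememe.me' -ValidityInMonths 120 | Out-Null
Test-KeyVaultCertificateSecret -VaultName $vaultName -Name $certificateName
```

Point the template's keyVaultSecretName parameter at the certificate name (the secret Key Vault creates alongside it). The check function is also useful on its own when a deployment fails with "The parameter KeyVault Certificate has an invalid value": it tells you in one step whether the secret the template references is a proper PKCS#12 blob with a private key or something else.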

