Azure Key Vault - App Service Certificates: Finding, Downloading and Converting

Several support cases have come in where an Azure customer purchases an App Service Certificate via the portal and then wants to download the certificate from the Key Vault and use it in other systems.  Three things commonly occur in these cases:

  1. The customer is unable to find the App Service Certificate in the Key Vault
  2. The customer is unable to use a certificate downloaded from the Key Vault because the password does not work
  3. The customer needs the certificate in .cer/.key format rather than .pfx

Luckily, I have the solution for all three of these scenarios.

  1. You are unable to find the App Service Certificate in the Key Vault
    Many customers who are using Azure App Services do not have much experience with an Azure Key Vault, but most every website has a need for an SSL certificate.  Going through the process of purchasing an Azure App Service Certificate requires you to store the certificate in a Key Vault, which is how most people become first familiar with the Key Vault.

    After purchasing the certificate, customers sometimes want to download it for use elsewhere, so they go into the Key Vault, look under the certificates blade, and find the following (the Key Vault pictured here does in fact hold an App Service Certificate):

    This is definitely confusing to the person unfamiliar with Key Vault. The reason behind this is simple:  when the programming for App Service Certificates was being done, certificates as objects that could be stored within the Key Vault was not available.  Since then, Certificates are now available, but the process behind the App Service Certificate purchase has not changed yet.  This is coming in the future.

    Customers should be able to find their App Service Certificates in the Secrets blade, and I do see the secret of type pkcs12 (certificate) stored there:

  2. You are unable to use a certificate downloaded from the Key Vault because the password does not work
    Now that you've found the certificate, you want to download it and use it on another machine.  This should be simply done by using this button:

    It's easy to download this certificate as a .pfx file.  You do so, but when you want to install it, you have no idea what the password is:

    In fact, even if you uploaded the .pfx as a secret yourself, you may find that the password that you do know does not work.  The solution is to download the certificate (as a secret) from the Key Vault using Powershell, then convert that secret into an actual certificate with its own password. 

    $vaultName  = "<NameOfKeyVault>"
    $keyVaultSecretName = "<NameOfTheSecretWhereCertificateIsStored>"
    $secret = Get-AzureKeyVaultSecret -VaultName $VaultName -Name $keyVaultSecretName
    $pfxCertObject = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @([Convert]::FromBase64String($secret.SecretValueText),"",[System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
    $pfxPassword = -join ((65..90) + (97..122) + (48..57) | Get-Random -Count 50 | % {[char]$_})
    $currentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
    [Environment]::CurrentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
    [io.file]::WriteAllBytes(".\KeyVaultCertificate.pfx", $pfxCertObject.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $pfxPassword))
    Write-Host "Created an App Service Certificate copy at: $currentDirectory\KeyVaultCertificate.pfx"
    Write-Warning "For security reasons, do not store the PFX password. Use it directly from the console as required."
    Write-Host "PFX password: $pfxPassword" 

    Now you have the certificate and its password for use anywhere you want.

  3. You need the certificate in .cer/.key format rather than .pfx
    There are times when you want the certificate in a .cer and .key format, such as for use on the Apache web server.  This can be accomplished by the use of OpenSSL.  A Windows version of the open-source binaries can be found here:

    Once installed, it is only necessary to run the following two commands at a command prompt in order to convert your files:
    openssl pkcs12 -in KeyVaultCertificate.pfx -nocerts -out KVCert.key
    openssl pkcs12 -in KeyVaultCertificate.pfx -clcerts -nokeys -out KVCert.cer
    Note that your .pfx file may have a different name.  You should also plan on having the certificate in the same folder as the openssl command, or use the full path to the certificate.

    You will be required to use the password for the .pfx when converting.  Here's a successful run of these commands:

    Notice that there's no "private key" associated with this certificate - that's because the .cer file does not contain the key - the whole purpose of this exercise.

    I hope this helps you out when using the Azure Key Vault!  Please follow us on Twitter and retweet!
    @WinDevMatt @AzIdentity

Comments (7) -

This was a great post!  I had been trying to automate retrieving a cert from Key Vault to then be used by VSTS, but I couldn't figure out a way to add the password from PowerShell (I was using bash/openssl to handle that). Now I've got it way more streamlined.  Thanks for sharing!

Matthew Small 9/14/2018 1:19:19 PM

Glad you liked it!

Hi Matthew,

Great post.

Just one extra question, will KeyVault ever support exporting pfx with a password in the future?

Having the support to create and work with certificates in KeyVault is a good and save concept, better then just storing it as a generic secret and having to deserialize the certificate each time you want to work with it like encrypting/decrypting data. Missing the password coupling with the certificate pushes you in these scenario's when you also want to use these certificates in other trusted applications or maybe IOT devices linked to IOTHub. You also have to create your own certificates now instead of letting KeyVault manage the creation.

Mike Ricketts 12/3/2018 4:47:01 PM

This is great - very helpful, easy to use and well put together. Thank you very much for your help!

Thank you very much. I helped me a lot!!!

Thank you very much. This has incredibly helpful.

At least, I can now get back some of my weekend Smile

Awesome post were great, was searching for a solution for ages till i found this.

some minor changes i had to make to different modules in PS were
login-AzureRMaccount  >  Login-AzAccount
Get-AzureKeyVaultSecret ? Get-AzKeyVaultSecret
If that helps anyone else troubleshooting


Add comment