Several support cases have come in where an Azure customer purchases an App Service Certificate via the portal and then wants to download the certificate from the Key Vault and use it in other systems. Three things commonly occur in these cases:
- The customer is unable to find the App Service Certificate in the Key Vault
- The customer is unable to use a certificate downloaded from the Key Vault because the password does not work
- The customer needs the certificate in .cer/.key format rather than .pfx
Luckily, I have the solution for all three of these scenarios.
- You are unable to find the App Service Certificate in the Key Vault
Many customers who are using Azure App Services do not have much experience with an Azure Key Vault, but most every website has a need for an SSL certificate. Going through the process of purchasing an Azure App Service Certificate requires you to store the certificate in a Key Vault, which is how most people become first familiar with the Key Vault.
After purchasing the certificate, customers sometimes want to download it for use elsewhere, so they go into the Key Vault, look under the certificates blade, and find the following (the Key Vault pictured here does in fact hold an App Service Certificate):
This is definitely confusing to the person unfamiliar with Key Vault. The reason behind this is simple: when the programming for App Service Certificates was being done, certificates as objects that could be stored within the Key Vault was not available. Since then, Certificates are now available, but the process behind the App Service Certificate purchase has not changed yet. This is coming in the future.
Customers should be able to find their App Service Certificates in the Secrets blade, and I do see the secret of type pkcs12 (certificate) stored there:
- You are unable to use a certificate downloaded from the Key Vault because the password does not work
Now that you've found the certificate, you want to download it and use it on another machine. This should be simply done by using this button:
It's easy to download this certificate as a .pfx file. You do so, but when you want to install it, you have no idea what the password is:
In fact, even if you uploaded the .pfx as a secret yourself, you may find that the password that you do know does not work. The solution is to download the certificate (as a secret) from the Key Vault using Powershell, then convert that secret into an actual certificate with its own password.
Login-AzureRmAccount
$vaultName = "<NameOfKeyVault>"
$keyVaultSecretName = "<NameOfTheSecretWhereCertificateIsStored>"
$secret = Get-AzureKeyVaultSecret -VaultName $VaultName -Name $keyVaultSecretName
$pfxCertObject = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @([Convert]::FromBase64String($secret.SecretValueText),"",[System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
$pfxPassword = -join ((65..90) + (97..122) + (48..57) | Get-Random -Count 50 | % {[char]$_})
$currentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
[Environment]::CurrentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
[io.file]::WriteAllBytes(".\KeyVaultCertificate.pfx", $pfxCertObject.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $pfxPassword))
Write-Host "Created an App Service Certificate copy at: $currentDirectory\KeyVaultCertificate.pfx"
Write-Warning "For security reasons, do not store the PFX password. Use it directly from the console as required."
Write-Host "PFX password: $pfxPassword"
Now you have the certificate and its password for use anywhere you want.
- You need the certificate in .cer/.key format rather than .pfx
There are times when you want the certificate in a .cer and .key format, such as for use on the Apache web server. This can be accomplished by the use of OpenSSL. A Windows version of the open-source binaries can be found here: http://slproweb.com/products/Win32OpenSSL.html.
Once installed, it is only necessary to run the following two commands at a command prompt in order to convert your files:
openssl pkcs12 -in KeyVaultCertificate.pfx -nocerts -out KVCert.key
openssl pkcs12 -in KeyVaultCertificate.pfx -clcerts -nokeys -out KVCert.cer
Note that your .pfx file may have a different name. You should also plan on having the certificate in the same folder as the openssl command, or use the full path to the certificate.
You will be required to use the password for the .pfx when converting. Here's a successful run of these commands:
Notice that there's no "private key" associated with this certificate - that's because the .cer file does not contain the key - the whole purpose of this exercise.
I hope this helps you out when using the Azure Key Vault! Please follow us on Twitter and retweet!
@WinDevMatt @AzIdentity