Azure Key Vault - App Service Certificates: Download Using CLI

Some customers use the Azure CLI instead of PowerShell because they work in non-Windows environments.  A support case came in where a customer asked how to download an App Service Certificate from his Key Vault using the CLI alone.  The Support Engineer who owned the support case downloaded the certificate using the certificate download CLI command:

# az keyvault certificate download -f certificatename.pfx -n edgeui --vault-name keyvaultname -e DER

What he noticed was that this command only downloads the public part of the certificate.  This is documented:
https://docs.microsoft.com/en-us/cli/azure/keyvault/certificate?view=azure-cli-latest#az-keyvault-certificate-download

Of course, the customer wants to be able to download the entire certificate, both public and private. I've never used CLI previously, but set out to find the right way to download this certificate.  It was far easier than I expected, and it is accomplished by downloading the certificate as a secret, like I described in my previous post.  The exact command is:

# az keyvault secret download --file <path>\<nameofcert>.pfx --name <NameOfSecretOrCertificate> --vault-name <VaultName> 


It is important to note that the downloaded PFX has a blank password.  It installs easily and contains the private key.
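Because the file holds a private key with no password, it is worth checking and re-protecting it right after the download. The following is an added example, not part of the original post: it makes sure the file is binary PKCS#12 (assumption: depending on the `--encoding` in effect, the CLI may write the secret's base64 text instead) and re-exports it under a password. The function names, file names and the NEW_PFX_PASSWORD variable are hypothetical; bash, GNU coreutils and openssl are assumed.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. All names are placeholders.
# Note: "az keyvault secret download" also accepts "--encoding base64",
# which writes the decoded bytes instead of the base64 text.

# Print the first byte of a file as two hex digits.
first_byte() { head -c 1 "$1" | od -An -tx1 | tr -d ' \n'; }

# normalize_pfx IN OUT   (OUT must differ from IN)
# Write a binary PKCS#12 file to OUT with owner-only permissions.
# IN may already be binary (DER starts with 0x30, an ASN.1 SEQUENCE) or
# may hold the base64 text of the secret value. Returns 1 if it is neither.
normalize_pfx() {
  ( umask 077
    if [ "$(first_byte "$1")" = "30" ]; then
      cp "$1" "$2"
    else
      tr -d '\r\n' < "$1" | base64 -d > "$2" 2>/dev/null \
        && [ "$(first_byte "$2")" = "30" ]
    fi ) || { rm -f "$2"; return 1; }
  chmod 600 "$2"
}

# reprotect_pfx IN OUT
# Re-export the blank-password PFX under the password in $NEW_PFX_PASSWORD.
# The key passes through a pipe and is never written unencrypted to disk.
reprotect_pfx() {
  ( umask 077
    set -o pipefail
    openssl pkcs12 -in "$1" -passin pass: -nodes \
      | openssl pkcs12 -export -out "$2" -passout env:NEW_PFX_PASSWORD )
}
```

After `normalize_pfx downloaded.pfx cert.pfx` and `reprotect_pfx cert.pfx cert-protected.pfx` succeed, delete the blank-password copies so only the protected file remains.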

I hope this helps you out when using the Azure Key Vault!  Please follow us on Twitter and retweet!
@WinDevMatt @AzIdentity

 

 


