The Azure Key Vault ECC Certificate FAQ

The Error

A common request from you, our valued Microsoft customer, is that Key Vault support Elliptic Curve Cryptography (ECC) certificates, which are useful in payment schemes such as Apple Pay.  ECC was not a supported format for Key Vault for a long time, and even now, there is no option to create an ECC certificate in the portal.  But you need a self-signed ECC certificate for Apple Pay, so you think "Let's just use OpenSSL!"

The first relevant hit that is returned on Bing when searching on "Create a Self Signed ECC Certificate" is this one.  The instructions are clear and easy to follow and use OpenSSL, exactly as you wanted.  So you create your ECC Certificate and happily go into the portal. Unfortunately, when uploading the certificate, you see this error message:



And now you're confused.  You can clearly see that your Access Policy includes import:


To you, there's clearly a bug.  So you call Azure Support and get hold of one of our awesome engineers.  Like a good engineer who's trying to get you up and running, she says "Let's try PowerShell instead and see what happens."  Of course you do and now you see this:

"Elliptic Curve Cryptography Public Key Algorithm of the X509 certificate in the certificate chain is not supported."  

Well gosh - that's kind of a showstopper. It's pretty clear what it says. But it's not true, and you know it because you found this documentation right on the Microsoft website for Key Vault and the CreateCertificate REST API:


So now you need to open a support ticket with Microsoft in order to straighten this out.  You're not the first person to do this and I know this because I asked the Key Vault product team and got the correct instructions on how to make it work.  So here is the information that I got from a smart SDE on the Key Vault team:

AKV ECC FAQ

  • Do we support ECC Certificates?
    Yes
  • What ECC Curves do we support?
    Documented here [NIST P-256, NIST P-384, NIST P-521, SECG SECP256K1]
    Note: There is a bug preventing SECP256K1 curve type. We are working on this. 
  • What’s the minimum REST API version with which ECC is supported?
    7.0 
  • Do we have .NET SDK support?
    Yes – documented here 
  • Do we have support in Azure Portal, Azure CLI, Azure PowerShell?
    Azure Portal – Not at this time
    Azure PowerShell – Not at this time
    Azure CLI – Yes 
  • I created an ECC PFX with OpenSSL, but it does not work. Why?
    By default, certificates created with OpenSSL have two problems:
    1. The PFX that is created has keys stating both signature and key exchange, while Key Vault expects signature
    2. There is no Key Usage on the certs

    In order to create the certificate using OpenSSL, please use the commands below with the attached config file to generate the PFX. Supported values of curves for OpenSSL commands are:  prime256v1, secp384r1, secp521r1, secp256k1 
  • What about PEM with OpenSSL?
    We are investigating this as of the time of this post.

  • What version of Azure CLI does this work with?
    azure-cli                         2.0.65

  • What is the command in CLI to import an ECC Certificate?
    Here's an example:
    C:\Users\MSmall>az keyvault certificate import --vault-name KM-KV-WU-WU --file "C:\Users\MSmall\Downloads\Certs\OpenSSL\Customer\contoso.com.prime256v1.cert.pfx" --password "Removed" --name OpenSslPrime256v105231249
    {
      "attributes": {
        "created": "2019-05-23T19:52:08+00:00",
        "enabled": true,
        "expires": "2020-05-22T19:17:06+00:00",
        "notBefore": "2019-05-23T19:17:06+00:00",
        "recoveryLevel": "Recoverable+Purgeable",
        "updated": "2019-05-23T19:52:08+00:00"
      },
      "cer": "MIICrTCCAlOgAwIBAgIJAPld31A8MNWHMAoGCCqGSM49BAMCMIGVMQswCQYDVQQGEwJVUzELMAkGA1UECAwCV0ExEDAOBgNVBAcMB1JlZG1vbmQxDTALBgNVBAoMBE1TRlQxKDAmBgNVBAMMH3ByaW1lMjU2djEua2V5dXNhZ2UuY29udG9zby5jb20xLjAsBgkqhkiG9w0BCQEWH3ByaW1lMjU2djEua2V5dXNhZ2VAY29udG9zby5jb20wHhcNMTkwNTIzMTkxNzA2WhcNMjAwNTIyMTkxNzA2WjCBlTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMRAwDgYDVQQHDAdSZWRtb25kMQ0wCwYDVQQKDARNU0ZUMSgwJgYDVQQDDB9wcmltZTI1NnYxLmtleXVzYWdlLmNvbnRvc28uY29tMS4wLAYJKoZIhvcNAQkBFh9wcmltZTI1NnYxLmtleXVzYWdlQGNvbnRvc28uY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEg8PZJez0RhKKwg4mSP1CTcj1Eq6pD1D4O0sQEQ5FU5D1jdJlnPHFh+IEaj9OhE962uY6LeDJ2NawhjLmJ1aSgaOBiTCBhjAdBgNVHQ4EFgQU/Sfb6nQKnl0+U/MCTNZZ8BF1zOgwHwYDVR0jBBgwFoAU/Sfb6nQKnl0+U/MCTNZZ8BF1zOgwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMAoGCCqGSM49BAMCA0gAMEUCIF6WZuu3xWmwNLqVdr9xkRR24G4m8VOSZFbV9b2oRGCLAiEAy75ffrZ6p13hQvLPbCV9LdyqcBiCwpCWK5eR4U8c3Rc=",
    


Specific commands needed to create an ECC Certificate using OpenSSL

openssl ecparam -name prime256v1 -out contoso.com.prime256v1.param.pem
openssl ecparam -in contoso.com.prime256v1.param.pem -text -noout

openssl req -config keyUsage.conf -new -x509 -sha256 -newkey ec:contoso.com.prime256v1.param.pem -nodes -keyout contoso.com.prime256v1.key.pem -days 365 -out contoso.com.prime256v1.cert.pem
openssl x509 -in contoso.com.prime256v1.cert.pem -text -noout

openssl pkcs12 -export -keysig -out contoso.com.prime256v1.cert.pfx -inkey contoso.com.prime256v1.key.pem -in contoso.com.prime256v1.cert.pem

Example of Creating an ECC Certificate using OpenSSL

C:\Users\MSmall\Downloads\Certs\OpenSSL\Customer>openssl ecparam -name prime256v1 -out contoso.com.prime256v1.param.pem

C:\Users\MSmall\Downloads\Certs\OpenSSL\Customer>openssl ecparam -in contoso.com.prime256v1.param.pem -text -noout
ASN1 OID: prime256v1
NIST CURVE: P-256

C:\Users\MSmall\Downloads\Certs\OpenSSL\Customer>openssl req -config keyUsage.conf -new -x509 -sha256 -newkey ec:contoso.com.prime256v1.param.pem -nodes -keyout contoso.com.prime256v1.key.pem -days 365 -out contoso.com.prime256v1.cert.pem
Generating an EC private key
writing new private key to 'contoso.com.prime256v1.key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:US
State or Province Name (full name) [WA]:WA
Locality Name (eg, city) [Redmond]:Redmond
Organization Name (eg, company) [MSFT]:MSFT
Common Name (e.g. server FQDN or YOUR name) [prime256v1.keyusage.contoso.com]:prime256v1.keyusage.contoso.com
Email Address [prime256v1.keyusage@contoso.com]:prime256v1.keyusage@contoso.com

C:\Users\MSmall\Downloads\Certs\OpenSSL\Customer>openssl x509 -in contoso.com.prime256v1.cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            f9:5d:df:50:3c:30:d5:87
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = US, ST = WA, L = Redmond, O = MSFT, CN = prime256v1.keyusage.contoso.com, emailAddress = prime256v1.keyusage@contoso.com
        Validity
            Not Before: May 23 19:17:06 2019 GMT
            Not After : May 22 19:17:06 2020 GMT
        Subject: C = US, ST = WA, L = Redmond, O = MSFT, CN = prime256v1.keyusage.contoso.com, emailAddress = prime256v1.keyusage@contoso.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:83:c3:d9:25:ec:f4:46:12:8a:c2:0e:26:48:fd:
                    42:4d:c8:f5:12:ae:a9:0f:50:f8:3b:4b:10:11:0e:
                    45:53:90:f5:8d:d2:65:9c:f1:c5:87:e2:04:6a:3f:
                    4e:84:4f:7a:da:e6:3a:2d:e0:c9:d8:d6:b0:86:32:
                    e6:27:56:92:81
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                FD:27:DB:EA:74:0A:9E:5D:3E:53:F3:02:4C:D6:59:F0:11:75:CC:E8
            X509v3 Authority Key Identifier:
                keyid:FD:27:DB:EA:74:0A:9E:5D:3E:53:F3:02:4C:D6:59:F0:11:75:CC:E8

            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature
            Netscape Comment:
                OpenSSL Generated Certificate
    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:20:5e:96:66:eb:b7:c5:69:b0:34:ba:95:76:bf:71:
         91:14:76:e0:6e:26:f1:53:92:64:56:d5:f5:bd:a8:44:60:8b:
         02:21:00:cb:be:5f:7e:b6:7a:a7:5d:e1:42:f2:cf:6c:25:7d:
         2d:dc:aa:70:18:82:c2:90:96:2b:97:91:e1:4f:1c:dd:17

C:\Users\MSmall\Downloads\Certs\OpenSSL\Customer>openssl pkcs12 -export -keysig -out contoso.com.prime256v1.cert.pfx -inkey contoso.com.prime256v1.key.pem -in contoso.com.prime256v1.cert.pem
Enter Export Password:
Verifying - Enter Export Password:

C:\Users\MSmall\Downloads\Certs\OpenSSL\Customer>dir
Volume in drive C has no label.
Volume Serial Number is 74A4-87BA

Directory of C:\Users\MSmall\Downloads\Certs\OpenSSL\Customer

05/23/2019  12:43 PM    <DIR>          .
05/23/2019  12:43 PM    <DIR>          ..
05/23/2019  12:17 PM             1,006 contoso.com.prime256v1.cert.pem
05/23/2019  12:43 PM             1,224 contoso.com.prime256v1.cert.pfx
05/23/2019  12:16 PM               246 contoso.com.prime256v1.key.pem
05/23/2019  12:16 PM                78 contoso.com.prime256v1.param.pem
05/23/2019  12:10 PM             1,502 keyUsage.conf
               5 File(s)          4,056 bytes
               2 Dir(s)  22,093,053,952 bytes free

Contents of the file "keyUsage.conf"

[ req ]
distinguished_name  = subject
req_extensions      = req_ext
x509_extensions     = x509_ext
string_mask         = utf8only

[ subject ]
countryName                 = Country Name (2 letter code)
countryName_default         = US
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = WA
localityName                = Locality Name (eg, city)
localityName_default        = Redmond
organizationName            = Organization Name (eg, company)
organizationName_default    = MSFT
commonName                  = Common Name (e.g. server FQDN or YOUR name)
commonName_default          = prime256v1.keyusage.contoso.com
emailAddress                = Email Address
emailAddress_default        = prime256v1.keyusage@contoso.com


# Section x509_ext is used when generating a self-signed certificate. I.e., openssl req -x509 ...
[ x509_ext ]
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer
basicConstraints        = CA:FALSE
# One/All of the below values are required
# DigitalSignature, CrlSign, KeyCertSign, NonRepudiation
keyUsage                = digitalSignature
nsComment               = "OpenSSL Generated Certificate"

[ req_ext ]
subjectKeyIdentifier    = hash
basicConstraints        = CA:FALSE
# One/All of the below values are required
# DigitalSignature, CrlSign, KeyCertSign, NonRepudiation
keyUsage                = digitalSignature
nsComment               = "OpenSSL Generated Certificate"
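
One way to check a certificate for the curve and Key Usage requirements described above before importing it (an added example, not part of the original post or of Microsoft's tooling). The function name `check_akv_ecc_cert` and both sample dumps are constructed for illustration; the check reads `openssl x509 -text -noout` output and does not inspect the PFX `-keysig` setting.

```sh
#!/bin/sh
# Added example (not from the original post): pre-import check for an ECC cert.
# Reads the text printed by `openssl x509 -in <cert.pem> -text -noout` on stdin.
check_akv_ecc_cert() {
    dump=$(cat)
    # 1. The public key must be an EC key.
    printf '%s\n' "$dump" | grep -q 'Public Key Algorithm: id-ecPublicKey' \
        || { echo "FAIL: not an EC public key"; return 1; }
    # 2. The curve must be one of the OpenSSL names listed in the FAQ.
    curve=$(printf '%s\n' "$dump" | sed -n 's/^ *ASN1 OID: *//p' | head -n 1)
    case "$curve" in
        prime256v1|secp384r1|secp521r1|secp256k1) ;;
        *) echo "FAIL: curve '$curve' is not in the supported list"; return 2 ;;
    esac
    # 3. The Key Usage extension must exist; its value is on the next line.
    usage=$(printf '%s\n' "$dump" |
        awk '/X509v3 Key Usage:/ { getline; sub(/^ +/, ""); print; exit }')
    [ -n "$usage" ] || { echo "FAIL: no X509v3 Key Usage extension"; return 3; }
    # 4. At least one of the usages named in keyUsage.conf must be present
    #    (these are the names OpenSSL prints for those keyUsage values).
    case "$usage" in
        *"Digital Signature"*|*"CRL Sign"*|*"Certificate Sign"*|*"Non Repudiation"*) ;;
        *) echo "FAIL: Key Usage '$usage' has none of the required values"; return 4 ;;
    esac
    echo "OK: curve=$curve keyUsage=$usage"
}

# Constructed sample input: excerpt shaped like the dump shown in this post.
GOOD_DUMP='            Public Key Algorithm: id-ecPublicKey
                ASN1 OID: prime256v1
                NIST CURVE: P-256
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature'

# Constructed sample input: the same certificate shape without Key Usage.
NO_KU_DUMP='            Public Key Algorithm: id-ecPublicKey
                ASN1 OID: prime256v1
            X509v3 Basic Constraints:
                CA:FALSE'

printf '%s\n' "$GOOD_DUMP" | check_akv_ecc_cert
printf '%s\n' "$NO_KU_DUMP" | check_akv_ecc_cert || echo "exit status: $?"
```

With a real file, pipe the dump in directly: `openssl x509 -in contoso.com.prime256v1.cert.pem -text -noout | check_akv_ecc_cert`.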


I hope the above helps.  Please reach out to @AzIdentity on Twitter for questions or comments.

 

Comments (5) -

Hi,
I'm doing exactly what you're doing with OpenSSL, instead I've signed my certificate with a self signed root certificate (this is required for Application Gateway v2).
When I try to import it using the Azure CLI I get the following error:
Unsupported key operation(s): "encrypt", "decrypt", "wrapKey", "unwrapKey". Supported values are "sign", "verify".

I have checked all the rights, and I should be able to do the operations in the error.
Is there something I'm missing?

Hope you can help.

That's because ECC keys are only used for sign and verify.  They are not generally used for encryption/decryption.

Per Wikipedia:
Elliptic curves are applicable for key agreement, digital signatures, pseudo-random generators and other tasks. Indirectly, they can be used for encryption by combining the key agreement with a symmetric encryption scheme.

en.wikipedia.org/wiki/Elliptic-curve_cryptography

ITSourcePro 9/19/2019 9:02:40 PM

I was also able to generate a certificate request out of Windows using the "ECDSA_secP256r1,Microsoft Software Key Storage Provider", which did work with importing the Cert into Azure via the CLI per your instructions.

The problem we are having is that, even though it successfully got imported via the CLI, the Certificate Subject, Issuer, Serial Number, Subject Alternative Name, X.509 SHA-1 Thumbprint (in hex), and the Key/Secret Identifier field in the Azure GUI for the Cert are blank.

Are you experiencing the same problem? We know all the fields from the cert itself and figured out the Key/Secret URLs but were just wondering if when you did the above process were the fields filled out for you? We know the cert works, as we applied it to our Fabric Service Cluster. Just would be nice if those fields were filled for reference sake.

Thanks and great write up on this!!

Jason - usually a cert request in Windows will include that information. Please email me directly with the process you used and I can look into it.

I was able to generate a certificate with EC curve NIST P-384 (secp384r1) using EJBCA. After the import into Azure keyvault via CLI or GUI all fields described by ITSourcePro are blank. The Azure GUI doesn't show any details about the uploaded PFX or PEM files.

However, if I generate a certificate with the Azure GUI, then only RSA certificates are available. This generated RSA certificate shows up with all details in the Azure GUI.

@Matt Small
Is this an expected behavior? If NOT please confirm that there is a bug when reading EC certificates from keyvault.
