The Error
A common request from you, our valued Microsoft customer, is that Key Vault support Elliptic Curve Cryptography (ECC) certificates, which are useful in payment schemes such as Apple Pay. ECC was not a supported format in Key Vault for a long time, and even now there is no option to create an ECC certificate in the portal. But you need a self-signed ECC certificate for Apple Pay, so you think "Let's just use OpenSSL!"
The first relevant hit returned on Bing when searching for "Create a Self Signed ECC Certificate" is this one. The instructions are clear and easy to follow and use OpenSSL, exactly as you wanted. So you create your ECC certificate and happily go into the portal. Unfortunately, when uploading the certificate, you see this error message:
And now you're confused. You can clearly see that your Access Policy includes import:
To you, this is clearly a bug. So you call Azure Support and get hold of one of our awesome engineers. Like a good engineer who's trying to get you up and running, she says "Let's try PowerShell instead and see what happens." Of course you do, and now you see this:
"Elliptic Curve Cryptography Public Key Algorithm of the X509 certificate in the certificate chain is not supported."
Well gosh - that's kind of a showstopper. It's pretty clear what it says. But it's not true, and you know it because you found this documentation right on the Microsoft website for Key Vault and the CreateCertificate REST API:
So now you need to open a support ticket with Microsoft in order to straighten this out. You're not the first person to do this and I know this because I asked the Key Vault product team and got the correct instructions on how to make it work. So here is the information that I got from a smart SDE on the Key Vault team:
AKV ECC FAQ
- Do we support ECC Certificates?
Yes
- What ECC Curves do we support?
Documented here [NIST P-256, NIST P-384, NIST P-521, SECG SECP256K1]
Note: There is a bug preventing use of the SECP256K1 curve type. We are working on this.
- What’s the minimum REST API version with which ECC is supported?
7.0
- Do we have .NET SDK support?
Yes – documented here
- Do we have support in Azure Portal, Azure CLI, Azure PowerShell?
Azure Portal – Not at this time
Azure PowerShell – Not at this time
Azure CLI – Yes
- I created an ECC PFX with OpenSSL, but it does not work. Why?
By default, the PFX that OpenSSL produces differs from what Key Vault expects in two ways:
1. The private key in the PFX is marked for both signature and key exchange, while Key Vault expects a signature-only key. The -keysig option on the openssl pkcs12 export sets this.
2. The certificate has no Key Usage extension. Key Vault requires one (see the keyUsage.conf below, which adds keyUsage = digitalSignature).
To create the certificate with OpenSSL, use the commands below together with the attached config file to generate the PFX. Supported curve names for the OpenSSL commands are: prime256v1, secp384r1, secp521r1, secp256k1 (NIST P-256, P-384, P-521 and SECG secp256k1 respectively).
- What about PEM with OpenSSL?
We are investigating this as of the time of this post.
- What version of Azure CLI does this work with?
azure-cli 2.0.65
- What is the command in CLI to import an ECC Certificate?
Here's an example:
C:\Users\MSmall>az keyvault certificate import --vault-name KM-KV-WU-WU --file "C:\Users\MSmall\Downloads\Certs\OpenSSL\Customer\contoso.com.prime256v1.cert.pfx" --password "Removed" --name OpenSslPrime256v105231249
{
  "attributes": {
    "created": "2019-05-23T19:52:08+00:00",
    "enabled": true,
    "expires": "2020-05-22T19:17:06+00:00",
    "notBefore": "2019-05-23T19:17:06+00:00",
    "recoveryLevel": "Recoverable+Purgeable",
    "updated": "2019-05-23T19:52:08+00:00"
  },
  "cer": "...",
Specific commands needed to create an ECC Certificate using OpenSSL (the two things that differ from the defaults are -config keyUsage.conf on the req command, which adds the Key Usage extension, and -keysig on the pkcs12 export, which marks the key as signature-only)
openssl ecparam -name prime256v1 -out contoso.com.prime256v1.param.pem
openssl ecparam -in contoso.com.prime256v1.param.pem -text -noout
openssl req -config keyUsage.conf -new -x509 -sha256 -newkey ec:contoso.com.prime256v1.param.pem -nodes -keyout contoso.com.prime256v1.key.pem -days 365 -out contoso.com.prime256v1.cert.pem
openssl x509 -in contoso.com.prime256v1.cert.pem -text -noout
openssl pkcs12 -export -keysig -out contoso.com.prime256v1.cert.pfx -inkey contoso.com.prime256v1.key.pem -in contoso.com.prime256v1.cert.pem
Example of Creating an ECC Certificate using OpenSSL
C:\Users\MSmall\Downloads\Certs\OpenSSL\Customer>openssl ecparam -name prime256v1 -out contoso.com.prime256v1.param.pem
C:\Users\MSmall\Downloads\Certs\OpenSSL\Customer>openssl ecparam -in contoso.com.prime256v1.param.pem -text -noout
ASN1 OID: prime256v1
NIST CURVE: P-256
C:\Users\MSmall\Downloads\Certs\OpenSSL\Customer>openssl req -config keyUsage.conf -new -x509 -sha256 -newkey ec:contoso.com.prime256v1.param.pem -nodes -keyout contoso.com.prime256v1.key.pem -days 365 -out contoso.com.prime256v1.cert.pem
Generating an EC private key
writing new private key to 'contoso.com.prime256v1.key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:US
State or Province Name (full name) [WA]:WA
Locality Name (eg, city) [Redmond]:Redmond
Organization Name (eg, company) [MSFT]:MSFT
Common Name (e.g. server FQDN or YOUR name) [prime256v1.keyusage.contoso.com]:prime256v1.keyusage.contoso.com
Email Address [prime256v1.keyusage@contoso.com]:prime256v1.keyusage@contoso.com
C:\Users\MSmall\Downloads\Certs\OpenSSL\Customer>openssl x509 -in contoso.com.prime256v1.cert.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
f9:5d:df:50:3c:30:d5:87
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = US, ST = WA, L = Redmond, O = MSFT, CN = prime256v1.keyusage.contoso.com, emailAddress = prime256v1.keyusage@contoso.com
Validity
Not Before: May 23 19:17:06 2019 GMT
Not After : May 22 19:17:06 2020 GMT
Subject: C = US, ST = WA, L = Redmond, O = MSFT, CN = prime256v1.keyusage.contoso.com, emailAddress = prime256v1.keyusage@contoso.com
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:83:c3:d9:25:ec:f4:46:12:8a:c2:0e:26:48:fd:
42:4d:c8:f5:12:ae:a9:0f:50:f8:3b:4b:10:11:0e:
45:53:90:f5:8d:d2:65:9c:f1:c5:87:e2:04:6a:3f:
4e:84:4f:7a:da:e6:3a:2d:e0:c9:d8:d6:b0:86:32:
e6:27:56:92:81
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Subject Key Identifier:
FD:27:DB:EA:74:0A:9E:5D:3E:53:F3:02:4C:D6:59:F0:11:75:CC:E8
X509v3 Authority Key Identifier:
keyid:FD:27:DB:EA:74:0A:9E:5D:3E:53:F3:02:4C:D6:59:F0:11:75:CC:E8
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature
Netscape Comment:
OpenSSL Generated Certificate
Signature Algorithm: ecdsa-with-SHA256
30:45:02:20:5e:96:66:eb:b7:c5:69:b0:34:ba:95:76:bf:71:
91:14:76:e0:6e:26:f1:53:92:64:56:d5:f5:bd:a8:44:60:8b:
02:21:00:cb:be:5f:7e:b6:7a:a7:5d:e1:42:f2:cf:6c:25:7d:
2d:dc:aa:70:18:82:c2:90:96:2b:97:91:e1:4f:1c:dd:17
C:\Users\MSmall\Downloads\Certs\OpenSSL\Customer>openssl pkcs12 -export -keysig -out contoso.com.prime256v1.cert.pfx -inkey contoso.com.prime256v1.key.pem -in contoso.com.prime256v1.cert.pem
Enter Export Password:
Verifying - Enter Export Password:
C:\Users\MSmall\Downloads\Certs\OpenSSL\Customer>dir
Volume in drive C has no label.
Volume Serial Number is 74A4-87BA
Directory of C:\Users\MSmall\Downloads\Certs\OpenSSL\Customer
05/23/2019 12:43 PM <DIR> .
05/23/2019 12:43 PM <DIR> ..
05/23/2019 12:17 PM 1,006 contoso.com.prime256v1.cert.pem
05/23/2019 12:43 PM 1,224 contoso.com.prime256v1.cert.pfx
05/23/2019 12:16 PM 246 contoso.com.prime256v1.key.pem
05/23/2019 12:16 PM 78 contoso.com.prime256v1.param.pem
05/23/2019 12:10 PM 1,502 keyUsage.conf
5 File(s) 4,056 bytes
2 Dir(s) 22,093,053,952 bytes free
Contents of the file "keyUsage.conf"
[ req ]
distinguished_name = subject
req_extensions = req_ext
x509_extensions = x509_ext
string_mask = utf8only
[ subject ]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = WA
localityName = Locality Name (eg, city)
localityName_default = Redmond
organizationName = Organization Name (eg, company)
organizationName_default = MSFT
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = prime256v1.keyusage.contoso.com
emailAddress = Email Address
emailAddress_default = prime256v1.keyusage@contoso.com
# Section x509_ext is used when generating a self-signed certificate. I.e., openssl req -x509 ...
[ x509_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
# One/All of the below values are required
# DigitalSignature, CrlSign, KeyCertSign, NonRepudiation
keyUsage = digitalSignature
nsComment = "OpenSSL Generated Certificate"
[ req_ext ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
# One/All of the below values are required
# DigitalSignature, CrlSign, KeyCertSign, NonRepudiation
keyUsage = digitalSignature
nsComment = "OpenSSL Generated Certificate"
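As an added example (not part of the original post or of the Key Vault team's instructions), the script below runs the same OpenSSL steps non-interactively, builds one PFX with OpenSSL's defaults and one with -keysig, and then lints each the way you would want to before uploading to Key Vault: EC public key on a supported curve, a Key Usage extension that includes Digital Signature, and the signature-only key attribute that -keysig writes. It assumes the openssl CLI (1.1.1 or 3.x) is on PATH; the curve, subject, file names and export password are placeholders, not values from the post.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: generate an ECC PFX the way the
# FAQ above says Key Vault expects it, then lint it before uploading.
# Assumes the openssl CLI (1.1.1 or 3.x) is on PATH. The curve, subject,
# file names and export password below are placeholders.
set -eu

command -v openssl >/dev/null || { echo "openssl not found on PATH" >&2; exit 1; }

CURVE="${CURVE:-prime256v1}"          # prime256v1 | secp384r1 | secp521r1
CN="${CN:-prime256v1.keyusage.contoso.com}"
PASS="${PASS:-Removed}"               # placeholder export password
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Non-interactive equivalent of keyUsage.conf: same x509_ext section, fixed DN.
cat > "$WORK/keyUsage.conf" <<EOF
[ req ]
distinguished_name = subject
x509_extensions    = x509_ext
prompt             = no
string_mask        = utf8only

[ subject ]
C  = US
O  = Contoso
CN = $CN

[ x509_ext ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature
EOF

# Key + self-signed certificate on the chosen curve; Key Usage comes from the config.
openssl ecparam -name "$CURVE" -out "$WORK/param.pem"
openssl req -config "$WORK/keyUsage.conf" -new -x509 -sha256 \
    -newkey "ec:$WORK/param.pem" -nodes -keyout "$WORK/key.pem" \
    -days 365 -out "$WORK/cert.pem" 2>/dev/null

# make_pfx OUT [extra pkcs12 flags]: package key and cert into a PFX.
make_pfx() {
    out="$1"; shift
    openssl pkcs12 -export "$@" -out "$out" -inkey "$WORK/key.pem" \
        -in "$WORK/cert.pem" -passout "pass:$PASS"
}

# lint_pfx PFX: return 0 only when the PFX has the properties the FAQ calls out:
# EC key on a supported curve, a Key Usage extension that includes Digital
# Signature, and a key bag marked signature-only (what -keysig writes).
lint_pfx() {
    pfx="$1"; ok=0
    cert="$(openssl pkcs12 -in "$pfx" -passin "pass:$PASS" -nokeys -clcerts 2>/dev/null \
            | openssl x509 -noout -text)"
    key="$(openssl pkcs12 -in "$pfx" -passin "pass:$PASS" -nocerts -nodes 2>/dev/null)"

    printf '%s\n' "$cert" | grep -q 'Public Key Algorithm: id-ecPublicKey' \
        || { echo "  not an EC public key"; ok=1; }
    curve="$(printf '%s\n' "$cert" | sed -n 's/.*ASN1 OID: *//p' | head -n 1)"
    case "$curve" in
        prime256v1|secp384r1|secp521r1) ;;
        secp256k1) echo "  note: secp256k1 import was blocked by a bug at the time of the post" ;;
        *) echo "  unsupported curve: '$curve'"; ok=1 ;;
    esac
    printf '%s\n' "$cert" | grep -q 'X509v3 Key Usage' \
        && printf '%s\n' "$cert" | grep -q 'Digital Signature' \
        || { echo "  Key Usage extension missing or lacks Digital Signature"; ok=1; }
    # openssl pkcs12 -export -keysig stores a key-usage attribute on the key bag,
    # which openssl prints as 'X509v3 Key Usage: 80' (the digitalSignature bit).
    printf '%s\n' "$key" | grep -q 'X509v3 Key Usage: 80' \
        || { echo "  key bag is not marked signature-only (re-export with -keysig)"; ok=1; }
    return $ok
}

make_pfx "$WORK/contoso.default.pfx"          # OpenSSL defaults: no -keysig
make_pfx "$WORK/contoso.keysig.pfx" -keysig   # what the FAQ recommends

for f in "$WORK/contoso.default.pfx" "$WORK/contoso.keysig.pfx"; do
    if lint_pfx "$f"; then echo "OK   ${f##*/}"; else echo "FAIL ${f##*/}"; fi
done
```

Run it as-is for prime256v1, or set CURVE=secp384r1 or secp521r1 in the environment. The default-export PFX fails only the last check, which is exactly the difference the FAQ describes: the certificate itself is fine once keyUsage is in the config, but without -keysig the key bag carries no signature-only attribute. Point the lint at a PFX you built some other way (with the matching PASS) before opening a ticket.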
I hope the above helps. Please reach out to @AzIdentity on Twitter for questions or comments.