mclark1129

Reputation: 7592

How do I define a certificate resource in my ARM template when it is hosted in the Key Vault?

I am trying to define an ARM template for my resource group. Ultimately I'm trying to replicate what I have to do manually by navigating to the SSL certificates tab for an App Service within the portal.

I've uploaded a PFX file to the Secrets tab of my KeyVault. I've granted Get access to the global RM service principal.

At the moment this is what my Microsoft.Web/certificates resource looks like in my template. It is just defined as a resource at the top level of the resource group, and not as a sub-resource of a website or anything like that:

    {
        "type":"Microsoft.Web/certificates",
        "name": "signingCredentials",
        "location": "[parameters('region')]",
        "apiVersion": "2015-08-01",
        "properties": {
            "keyVaultId": "<My KeyVault ID>",
            "keyVaultSecretName": "<My Secret Name>"
        }
    }

When I attempt to deploy this template I receive the message:

The parameter KeyVault Certificate has an invalid value

I haven't been able to find any documentation on this parameter and what value it would be expecting. I'm assuming it's missing from the properties section in the resource. So far anything I've found on the subject only references keyVaultId and keyVaultSecretName.

What am I doing wrong? Is what I'm trying to accomplish even possible?

Upvotes: 1

Views: 3488

Answers (2)

mclark1129

Reputation: 7592

The problem does not appear to be caused by my template, but something with how the certificate was uploaded to the KeyVault through the UI. This article provided me a script to upload the file directly to the KeyVault using powershell.

    # Path to the PFX and the password it was exported with
    $pfxFilePath = "F:\KeyVault\PrivateCertificate.pfx"
    $pfxPassword = "[2+)t^BgfYZ2C0WAu__gw["
    # Import the PFX with the private key marked exportable so it can be re-exported below
    $flag = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
    $collection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $collection.Import($pfxFilePath, $pfxPassword, $flag)
    # Re-export the whole collection as a password-less PKCS#12 blob and base64-encode it
    $pkcs12ContentType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12
    $clearBytes = $collection.Export($pkcs12ContentType)
    $fileContentEncoded = [System.Convert]::ToBase64String($clearBytes)
    # Store the base64 string as a Key Vault secret with the PKCS#12 content type
    $secret = ConvertTo-SecureString -String $fileContentEncoded -AsPlainText -Force
    $secretContentType = 'application/x-pkcs12'
    Set-AzureKeyVaultSecret -VaultName akurmitestvault -Name keyVaultCert -SecretValue $secret -ContentType $secretContentType # Change the Key Vault name and secret name

Using the Get-AzureKeyVault script from Jambor's answer, I am unable to see any difference between the certificate uploaded in the UI. I even changed the content type of my uploaded certificate from Certificate to application/x-pcks2 and it still did not work. Seems like it might possibly be a bug in the UI, or just a difference in how the PowerShell script handles it.

Upvotes: 1
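A check, added here and not part of the question or either answer, that reads the secret back out of Key Vault and confirms it is what the Microsoft.Web/certificates resource in the question expects (a base64 PKCS#12 blob with content type application/x-pkcs12 that contains a private key), then prints the keyVaultId and keyVaultSecretName values to put in the template. It assumes the AzureRM-era Get-AzureKeyVaultSecret and Get-AzureRmKeyVault cmdlets and the SecretValueText property of the returned secret; the vault and secret names are placeholders.

```powershell
# Added example, not code from the question or answers. Vault and secret names are placeholders.
param(
    [string]$VaultName  = '<your-vault-name>',
    [string]$SecretName = '<your-secret-name>'
)

# Assumes the AzureRM module: Get-AzureKeyVaultSecret returns ContentType and SecretValueText.
$secret = Get-AzureKeyVaultSecret -VaultName $VaultName -Name $SecretName
if (-not $secret) { throw "Secret '$SecretName' was not found in vault '$VaultName'." }

# 1. The content type must be exactly application/x-pkcs12; a mistyped value fails here.
if ($secret.ContentType -ne 'application/x-pkcs12') {
    Write-Warning "Content type is '$($secret.ContentType)', expected 'application/x-pkcs12'."
}

# 2. The secret value must be base64 of a PKCS#12 file, as the upload script produces.
try {
    $bytes = [System.Convert]::FromBase64String($secret.SecretValueText)
} catch {
    throw "Secret value is not valid base64, so it was not stored as a PKCS#12 blob."
}

# 3. Load the blob with no password (the upload script exports without one) and
#    make sure at least one certificate in it carries a private key.
$flag = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
$collection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$collection.Import($bytes, $null, $flag)
$leaf = $collection | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
if (-not $leaf) { throw "No certificate with a private key was found in the secret." }

# 4. Emit the two property values the ARM resource needs, plus identifying details.
$vault = Get-AzureRmKeyVault -VaultName $VaultName
[pscustomobject]@{
    keyVaultId         = $vault.ResourceId
    keyVaultSecretName = $secret.Name
    Thumbprint         = $leaf.Thumbprint
    Subject            = $leaf.Subject
    NotAfter           = $leaf.NotAfter
}
```

Run it after the upload script and before deploying the template; the printed keyVaultId and keyVaultSecretName are the values for the properties block of the Microsoft.Web/certificates resource.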

Jambor - MSFT

Reputation: 3293

The parameter KeyVault Certificate has an invalid value

It seems that this issue is not caused by your template. We can refer to this article to check it. From the error message, it shows me that the certification name is incorrect. We can use Get-AzureKeyVaultSecret to get its name. The following are the details:

[screenshot: Get-AzureKeyVaultSecret output showing the secret name]

As the screenshot above shows, the value "kvcertificate" is the value we expected.

Upvotes: 1
