Identity
Reputation: 1673
Azure certificate in Key Vault not valid for app service
The script below will generate a self-signed certificate, create a password secured pfx and add the certificate to the key vault. When I run the ARM template after the script, it fails with the error below. However, when I manually upload the pfx in the UI (Azure portal) and enter the correct password, the ARM template will get successfully deployed. Any ideas how to get this working?
PowerShell code (when uploading the generated pfx in the portal, no error is thrown):
# Generate the certificate in the local store
$cert = New-SelfSignedCertificate -CertStoreLocation "cert:\CurrentUser\My" -Subject "CN=$certificateName" -KeyExportPolicy Exportable
# Get the raw value of the certificate
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
Export-PfxCertificate -Cert $cert -Password $certPasswordSecure -FilePath "d:/temp/SelfSigned.pfx"
$secret = ConvertTo-SecureString -String $keyValue -AsPlainText –Force
$secretContentType = 'application/x-pkcs12'
Set-AzureKeyVaultSecret -VaultName $keyVaultName -Name $keyVaultSecretNameCertificate -SecretValue $keyValue -ContentType $secretContentType
The error:
New-AzureRmResourceGroupDeployment : 21:22:36 - Resource Microsoft.Web/certificates 'testCertificate' failed with message '{
"Code": "BadRequest",
"Message": "The parameter KeyVault Certificate has an invalid value.",
"Target": null,
"Details": [
{
"Message": "The parameter KeyVault Certificate has an invalid value."
},
{
"Code": "BadRequest"
},
{
"ErrorEntity": {
"Code": "BadRequest",
"Message": "The parameter KeyVault Certificate has an invalid value.",
"ExtendedCode": "51008",
"MessageTemplate": "The parameter {0} has an invalid value.",
"Parameters": [
"KeyVault Certificate"
],
"InnerErrors": null
}
}
],
"Innererror": null
}'
At line:3 char:1
+ New-AzureRmResourceGroupDeployment -Name TestKeyVaultDeploy -Resource ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-AzureRmResourceGroupDeployment], Exception
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceGroupDeploymentCmdlet
New-AzureRmResourceGroupDeployment : 21:23:11 - Template output evaluation skipped: at least one resource deployment operation failed. Please list deployment operations
for details. Please see https://aka.ms/arm-debug for usage details.
At line:3 char:1
+ New-AzureRmResourceGroupDeployment -Name TestKeyVaultDeploy -Resource ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-AzureRmResourceGroupDeployment], Exception
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceGroupDeploymentCmdlet
New-AzureRmResourceGroupDeployment : 21:23:11 - Template output evaluation skipped: at least one resource deployment operation failed. Please list deployment operations
for details. Please see https://aka.ms/arm-debug for usage details.
At line:3 char:1
+ New-AzureRmResourceGroupDeployment -Name TestKeyVaultDeploy -Resource ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-AzureRmResourceGroupDeployment], Exception
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceGroupDeploymentCmdlet
ARM Certificate Resource:
{
"type": "Microsoft.Web/certificates",
"name": "testCertificate",
"apiVersion": "2016-03-01",
"location": "[resourceGroup().location]",
"properties": {
"keyVaultId": "[parameters('masterKeyVaultId')]",
"keyVaultSecretName": "[parameters('servicePrincipalCertSecretName')]",
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms/', variables('appServicePlanName'))]"
}
},
Upvotes: 0
Views: 1659
Answers (1)
Dmitri M
Reputation: 1146
Maybe you're missing the certificate policy on upload? But really if you're generating new certs then why bother generating certificate locally, just generate it in the key vault itself.
$credential = Get-Credential
login-azurermaccount -Credential $credential
$vaultName = 'my-vault-full-of-keys'
$certificateName = 'my-new-cert'
$policy = New-AzureKeyVaultCertificatePolicy -SubjectName "CN=mememe.me" -IssuerName Self -ValidityInMonths 120
Add-AzureKeyVaultCertificate -VaultName $vaultName -Name $certificateName -CertificatePolicy $policy
Upvotes: 1
Related Questions
- Import Azure key vault certificate to app service using powershell?
- Unable to import key vault certificate to app service - Failed to get App Service Service principal details
- Issue with KeyVault reference in ARM template
- Upload Key Vault Certificate and access it in App Service through ARM Template
- Create Key Vault certificate using ARM template
- Azure Key Vault: Secret not found error
- Retrieving SSL certificate from Azure key vault to Azure app service
- Error when deploying ARM template that includes certificate stored in key vault
- Deploy azure key vault secret using arm template gives error
- ARM Template with Key Vault certificate