Chrismaf

Reputation: 83

SSL Certificates - Import Root and Chain in Azure KeyVault?

I have successfully imported a digital signature certificate (which comes with a root certificate and a chain certificate) into my Azure KeyVault using the command "Import-AzureKeyVaultCertificate -VaultName $vaultName -Name $certificateName -FilePath". The certificate has been issued to me by a public Certificate Authority.

I tried to run the exact same command to import the root certificate and the chain certificate, but I am unable to.

My question is: is there a way at all to import the root and the intermediate certificates into the KeyVault? Or do they need to be imported somewhere else?

Thanks

Upvotes: 8

Views: 10441

Answers (3)

David Goodwin

Reputation: 4318

az keyvault certificate import ... wouldn't allow me to upload a .pem file.

I needed to generate a .pem file from what certbot produced (in my case), convert that to a pfx file, and then upload that ...

Perhaps this may help someone:

cat certs/live/mydomain.co.uk/{fullchain.pem,privkey.pem} > certs/mydomain.pem

openssl pkcs12 -in certs/mydomain.pem -keypbe NONE -certpbe NONE -nomaciter -passout pass:Secretp4ss -out certs/mydomain.pfx -export

az keyvault certificate import --vault-name myvault -n my-vault-cert -f certs/mydomain.pfx --password Secretp4ss

Note: if using certbot, it needs to be told to use --rsa-key-size 2048 --key-type rsa

Upvotes: 0

Ivan Samygin

Reputation: 4571

There are two basic scenarios:

  1. Import an issued certificate (in PEM or PFX format) - see Tutorial: Import a certificate in Azure Key Vault
  2. Create a CSR (certificate request) using Azure KeyVault, send it to the issuer and merge the received certificate - see Create and merge a CSR in Key Vault

Both of them allow a certificate chain to be added to the keyvault (together with the certificate) and later downloaded and extracted. Please note that it's not possible to open/download chain certificates separately from the keyvault. Instead, the certificate should be downloaded and the certificates extracted from the file.

For the import operation it's quite straightforward: both the Azure Portal and the Az CLI support PFX and PEM files containing the private key, the new certificate created by the issuer and the CA certificates.

But there are small nuances about merging.
The certificate content type can be set to either PKCS12 or PEM upon creation in Azure KeyVault. As a result, the merged certificate is exported/downloaded

  • using PFX format for certificate created with PKCS12 content type
  • using PEM format for certificate created with PEM content type

The format of the chain container for the merge operation, however, does not depend on that content type. It only depends on the method that is used to perform the merge:

The following command can be used to create a P7B file containing the chain:

openssl crl2pkcs7 -nocrl -certfile test.crt -out test.p7b -certfile inter.crt -certfile ca.crt

Extracting the chain from an imported certificate:
When a certificate is imported into Azure keyvault, the same format is used to export/download that certificate.

Extracting the chain from a merged certificate:
The certificate should be downloaded from Azure keyvault (PFX or PEM depending on the certificate content type). When a certificate that was merged together with the chain is downloaded as PEM, it already contains the whole chain in a format that allows the individual certificates to be extracted easily.
When the certificate is downloaded as PFX, the following command can be used to convert it to PEM format containing only the certificates (omitting the private key), so that the individual certificates can be extracted:

openssl pkcs12 -in downloaded-cert.pfx -nokeys -nodes -out chain.pem

Then chain.pem can be opened with a text editor and the individual certificates extracted to separate .crt files.

Upvotes: 4
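The two answers above rely on the same openssl steps: concatenate certificate, chain and key and export a PFX (David Goodwin's answer), build a P7B chain container for the merge case, and pull the certificates back out of a downloaded PFX with pkcs12 -nokeys (Ivan Samygin's answer). The script below is an added example, not code from either answer or from Azure. It assumes only that openssl is on PATH; it generates its own throwaway root, intermediate and leaf (constructed names, the domain mydomain.example and the password Secretp4ss from the answer are test values), packs the leaf once with and once without the intermediate, and shows the check a practitioner should run before importing: count the certificates actually inside the PFX and confirm that what comes back out is enough to validate the leaf against the root.

```shell
#!/bin/sh
# Added example, not code from any of the answers above. It builds a constructed
# root -> intermediate -> leaf chain with openssl, packs leaf + chain + key into a
# PFX the way the certbot answer does, builds the P7B chain container from the
# merge answer, and extracts the chain from the PFX the way the same answer
# describes. All names, passwords and the CA hierarchy are constructed test values.
set -eu

# Build a throwaway CA hierarchy in $1 and lay the files out certbot-style
# (fullchain.pem = leaf certificate followed by the intermediate).
make_test_chain() {
    dir=$1
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mydomain.example\n' > "$dir/leaf.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj '/CN=Constructed Test Root' \
        -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj '/CN=Constructed Test Intermediate' \
        -keyout "$dir/inter.key" -out "$dir/inter.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$dir/inter.csr" \
        -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
        -extfile "$dir/ca.ext" -out "$dir/inter.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj '/CN=mydomain.example' \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$dir/leaf.csr" \
        -CA "$dir/inter.crt" -CAkey "$dir/inter.key" -CAcreateserial \
        -extfile "$dir/leaf.ext" -out "$dir/leaf.crt" 2>/dev/null
    cat "$dir/leaf.crt" "$dir/inter.crt" > "$dir/fullchain.pem"
}

# Concatenate certificate PEM ($1) and unencrypted key ($2) and export them as a
# password-protected PFX ($3, password $4), as the certbot answer does.
build_pfx() {
    cat "$1" "$2" > "$3.pem"
    openssl pkcs12 -export -in "$3.pem" -passout "pass:$4" -out "$3"
}

# Number of certificates inside a PFX ($1, password $2). If this is 1 the chain
# was never packed, so Key Vault cannot hand it back either.
count_certs_in_pfx() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true
}

# Pull the certificates (no private key) out of a PFX ($1, password $2) into
# $1.chain.pem, then check that what came out is enough to validate the leaf ($4)
# against the root we trust ($3). Returns non-zero when the intermediate is missing.
verify_leaf_with_pfx_chain() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" -out "$1.chain.pem" 2>/dev/null
    openssl verify -CAfile "$3" -untrusted "$1.chain.pem" "$4" >/dev/null 2>&1
}

# Chain-only P7B container for the merge scenario (openssl crl2pkcs7 -nocrl ...),
# holding the intermediate ($1) and the root ($2), written to $3.
build_p7b_chain() {
    openssl crl2pkcs7 -nocrl -certfile "$1" -certfile "$2" -out "$3"
}

# Number of certificates in a P7B ($1).
count_certs_in_p7b() {
    openssl pkcs7 -in "$1" -print_certs | grep -c 'BEGIN CERTIFICATE' || true
}

# Walk-through on the constructed chain.
tmp=$(mktemp -d)
make_test_chain "$tmp"
build_pfx "$tmp/fullchain.pem" "$tmp/leaf.key" "$tmp/with-chain.pfx" Secretp4ss
build_pfx "$tmp/leaf.crt" "$tmp/leaf.key" "$tmp/leaf-only.pfx" Secretp4ss
echo "certs in with-chain.pfx: $(count_certs_in_pfx "$tmp/with-chain.pfx" Secretp4ss)"   # 2
echo "certs in leaf-only.pfx:  $(count_certs_in_pfx "$tmp/leaf-only.pfx" Secretp4ss)"   # 1
for pfx in with-chain leaf-only; do
    if verify_leaf_with_pfx_chain "$tmp/$pfx.pfx" Secretp4ss "$tmp/root.crt" "$tmp/leaf.crt"; then
        echo "$pfx.pfx: chain extracted from the PFX validates the leaf"
    else
        echo "$pfx.pfx: leaf does NOT validate, the intermediate is missing"
    fi
done
build_p7b_chain "$tmp/inter.crt" "$tmp/root.crt" "$tmp/chain.p7b"
echo "certs in chain.p7b: $(count_certs_in_p7b "$tmp/chain.p7b")"   # 2
rm -rf "$tmp"
```

The leaf-only PFX is the situation the question describes: the import succeeds, but the vault only ever held the end-entity certificate, so nothing downloaded from it can carry the intermediate. Running the count and the verify step against the PFX you are about to upload (using your real certificate, fullchain file and key in place of the constructed ones) tells you before the import whether the chain will be there afterwards. The script uses openssl's default PFX encryption rather than the -keypbe NONE -certpbe NONE options from the answer, which only matter if the consumer cannot read the default algorithms.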

jlyonsmith

Reputation: 911

Concatenate your certificate, the CA bundle file and the private key file into a .pem file in this order:

cat <cert>.crt <bundle>.cabundle <private>.key > <full-cert>.pem

Use the Azure CLI 2.0 az tool to import it into the key vault using:

az keyvault certificate import --vault-name <your-vault> --name <cert-name> --file <cert-file>.pem

You should find that the az tool creates three entries in your vault, all with the name <cert-name>: (i) a certificate containing the <cert>.crt file, (ii) the private key and (iii) a secret containing the full root + chain + private key, which you can later download if needed.

Upvotes: 2
