Reputation: 35
I am trying to find some way of moving my certificates from a Key Vault in one Azure subscription to another Azure subscription. Is there any way of doing this?
Upvotes: 3
Views: 6277
Reputation: 110
You can use the PowerShell script below. The script first downloads the certificate from the source Key Vault to a folder on your local machine, then imports it from the local folder into the destination Key Vault.
Since you have different subscriptions, you can change the context between the two operations.
Connect-AzAccount
Set-AzContext -Subscription "SourceSubscriptionName"
# The certificate's backing secret is the base64-encoded PFX, private key included
$CertBase64 = Get-AzKeyVaultSecret -VaultName "SourceVaultName" -Name "CertName" -AsPlainText
$CertBytes = [Convert]::FromBase64String($CertBase64)
# WriteAllBytes works in both Windows PowerShell 5.1 and PowerShell 7
# (Set-Content -Encoding Byte is not available in PowerShell 7)
[System.IO.File]::WriteAllBytes("C:\somepath\CertName.pfx", $CertBytes)
Set-AzContext -Subscription "DestinationSubscriptionName"
$Base64String = [System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes("C:\somepath\CertName.pfx"))
# A PFX exported by Key Vault has no password, so -Password is not needed
Import-AzKeyVaultCertificate -VaultName "DestinationVaultName" -Name "CertName" -CertificateString $Base64String
# The PFX on disk holds the private key unprotected; remove it once imported
Remove-Item "C:\somepath\CertName.pfx"
Upvotes: 0
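The same download-then-import flow, written as an added example that is not part of the answer above: it walks every certificate in the source vault, keeps the PFX in memory instead of on disk, checks the backing secret's content type (only application/x-pkcs12 secrets carry the full PFX), skips certificates the destination already holds with the same thumbprint, and compares thumbprints after import. The subscription IDs and vault names are placeholders; it assumes the Az.Accounts and Az.KeyVault modules and a principal that can read certificates and secrets in the source vault and import certificates in the destination vault.

```powershell
# Added example, not from the original answer. Vault names and subscription
# IDs are placeholders to replace before running.
$SourceSubscriptionId = '00000000-0000-0000-0000-000000000001'   # placeholder
$SourceVault          = 'source-kv'                              # placeholder
$DestSubscriptionId   = '00000000-0000-0000-0000-000000000002'   # placeholder
$DestVault            = 'destination-kv'                         # placeholder

Connect-AzAccount | Out-Null

# Step 1: read each certificate and its backing secret from the source vault.
Set-AzContext -Subscription $SourceSubscriptionId | Out-Null
$bundles = foreach ($item in Get-AzKeyVaultCertificate -VaultName $SourceVault) {
    $cert   = Get-AzKeyVaultCertificate -VaultName $SourceVault -Name $item.Name
    $policy = Get-AzKeyVaultCertificatePolicy -VaultName $SourceVault -Name $item.Name
    if (-not $policy.Exportable) {
        Write-Warning "$($item.Name): private key is not exportable, skipping"
        continue
    }
    # The backing secret is a base64 PFX (private key included) only when the
    # certificate was created with content type application/x-pkcs12.
    $secret = Get-AzKeyVaultSecret -VaultName $SourceVault -Name $item.Name
    if ($secret.ContentType -ne 'application/x-pkcs12') {
        Write-Warning "$($item.Name): content type '$($secret.ContentType)' is not PKCS#12, skipping"
        continue
    }
    # Unwrap the SecureString in memory; this works on both Windows PowerShell 5.1
    # and PowerShell 7 (ConvertFrom-SecureString -AsPlainText is 7-only).
    $pfxBase64 = [System.Net.NetworkCredential]::new('', $secret.SecretValue).Password
    [pscustomobject]@{
        Name       = $item.Name
        Thumbprint = $cert.Thumbprint
        PfxBase64  = $pfxBase64
    }
}

# Step 2: switch subscription and import. Certificates already present with the
# same thumbprint are skipped so re-running does not create new versions.
Set-AzContext -Subscription $DestSubscriptionId | Out-Null
foreach ($b in $bundles) {
    $existing = Get-AzKeyVaultCertificate -VaultName $DestVault -Name $b.Name -ErrorAction SilentlyContinue
    if ($existing -and $existing.Thumbprint -eq $b.Thumbprint) {
        Write-Host "$($b.Name): already present with thumbprint $($b.Thumbprint), skipping"
        continue
    }
    # A PFX exported by Key Vault has no password, so -Password is not needed.
    $imported = Import-AzKeyVaultCertificate -VaultName $DestVault -Name $b.Name -CertificateString $b.PfxBase64
    # Verify the copy: the imported certificate's thumbprint must match the source.
    if ($imported.Thumbprint -ne $b.Thumbprint) {
        throw "$($b.Name): thumbprint mismatch after import ($($imported.Thumbprint) vs $($b.Thumbprint))"
    }
    Write-Host "$($b.Name): imported, thumbprint $($imported.Thumbprint)"
}
```

Note that this copies only the current version of each certificate; older versions stay in the source vault. The thumbprint comparison is the check that proves the destination holds the same certificate rather than a freshly generated one.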
Reputation: 45
I eventually used Terraform to achieve this. I referenced the certificates from the Azure Key Vault secret resource and created new certificates. The sample code is here.
terraform {
  required_version = ">= 0.13"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=3.17.0"
    }
  }
}

# Default provider: the subscription that holds the new vault
provider "azurerm" {
  features {}
}

# Aliased provider for the subscription that holds the old vault. The azurerm
# data sources resolve resource_group_name within their provider's subscription,
# so a second provider is needed when the vaults live in different subscriptions.
# The subscription ID below is a placeholder.
provider "azurerm" {
  alias           = "old"
  subscription_id = "00000000-0000-0000-0000-000000000000"
  features {}
}

locals {
  certificates = [
    "certificate_name_1",
    "certificate_name_2",
    "certificate_name_3",
    "certificate_name_4",
    "certificate_name_5",
    "certificate_name_6"
  ]
}

data "azurerm_key_vault" "old" {
  provider            = azurerm.old
  name                = "old_keyvault_name"
  resource_group_name = "old_keyvault_resource_group"
}

data "azurerm_key_vault" "new" {
  name                = "new_keyvault_name"
  resource_group_name = "new_keyvault_resource_group"
}

# A Key Vault certificate's backing secret holds the base64-encoded PFX
data "azurerm_key_vault_secret" "secrets" {
  provider     = azurerm.old
  for_each     = toset(local.certificates)
  name         = each.value
  key_vault_id = data.azurerm_key_vault.old.id
}

# Import each PFX into the new vault under the same name. The certificate
# contents (private key included) are written to the Terraform state, so the
# state backend must be protected accordingly.
resource "azurerm_key_vault_certificate" "secrets" {
  for_each     = data.azurerm_key_vault_secret.secrets
  name         = each.value.name
  key_vault_id = data.azurerm_key_vault.new.id

  certificate {
    contents = each.value.value
  }
}
Wrote a post here as well.
Upvotes: 3
Reputation: 2642
Find below an approach to move a self-signed certificate created in Azure Key Vault, assuming it is already created.
--- Download PFX ---
First, go to the Azure Portal and navigate to the Key Vault that holds the certificate that needs to be moved. Then, select the certificate, the desired version and click Download in PFX/PEM format.
--- Import PFX ---
Now, go to the Key Vault in the destination subscription, Certificates, click +Generate/Import and import the PFX file downloaded in the previous step.
If you need to automate this process, the following article provides good examples related to your question:
https://blogs.technet.microsoft.com/kv/2016/09/26/get-started-with-azure-key-vault-certificates/
Upvotes: 3