Sahngah Lee

Reputation: 133

Azure Key Vault: unable to get a cert from kv when deployed

I have a webjob getting a certificate from the Azure Key Vault service, and locally I have no problem accessing/retrieving this cert from kv. However, when this webjob gets deployed, I get this error:

System.Security.Cryptography.CryptographicException: The system cannot find the file specified.

   at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
   at System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromBlob(Byte[] rawData, IntPtr password, UInt32 dwFlags, Boolean persistKeySet, SafeCertContextHandle& pCertCtx)
   at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromBlob(Byte[] rawData, Object password, X509KeyStorageFlags keyStorageFlags)
   at Microsoft.Ambassadors.Infrastructure.KeyVaultService.<GetCertificateAsync>d__7.MoveNext() in C:\Source\Repos\Xbox.Ambassadors\Microsoft.Ambassadors.Azure\Microsoft.Ambassadors.Infrastructure\KeyVaultService.cs:line 0

I have registered the app (where this webjob is hosted) with AAD, and it has read only access to the kv space. I have found a couple of relevant (I think..?) posts regarding this:

"An internal error occurred." when loading pfx file with X509Certificate2

X509Certificate Constructor Exception

but I'm not really sure if this is something that I can do in my case...? If anyone can help, that would really be great! Thanks :D

Upvotes: 5

Views: 2856

Answers (2)

Brian Redd

Reputation: 434

I had this same problem, except I was deploying to an Azure web app. I fixed it by adding X509KeyStorageFlags.

// Read the certificate's private key from Key Vault as a secret (a base64-encoded, password-less PKCS#12 blob)
SecretBundle secretBundle = await keyVaultClient.GetSecretAsync(_keyVaultOptions.IdentitySigningCredentialUri);
// MachineKeySet: the web app sandbox has no loaded user profile, so the default per-user key container cannot be created
_signingCredential = new X509Certificate2(Convert.FromBase64String(secretBundle.Value), string.Empty, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable);

Upvotes: 12

Rohit Saigal

Reputation: 9664

A very common issue that I see people having is related to permissions. Make sure the application (service principal) that represents your web job has enough permissions in the key vault access policies, because I don't see you mentioning anything about access policy in your question.

Steps -

  1. Go to your key vault access policies
  2. Add a new policy
  3. Select your principal (app that represents web job). Give at least Get permissions for Keys, Secrets and Certificates
  4. Click OK
  5. Click "save" button on top once the policy blade is done. This is a common step that is missed and the policy never gets saved.

Look at this SO post for multiple ways to do it. Although that one only talks about secrets, so the permissions you select in checkboxes while adding policy will be different.

If the issue still isn't solved, please post more detailed code for accessing the certificate from the vault, and if your exception stack trace goes any further than what you've already shared, include that as well.

Upvotes: 1
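The two answers above point at two different failure modes: the private key cannot be imported because the App Service/WebJob sandbox has no user profile (first answer), and the service principal has no Get permission in the vault's access policy (second answer). The following loader is an added example that is not code from either answer or from the questioner's project; it combines both checks in one place. It assumes the same Microsoft.Azure.KeyVault SDK the first answer uses, an already authenticated KeyVaultClient injected by the caller, and hypothetical names (KeyVaultCertificateLoader, LoadSigningCertificateAsync, secretIdentifier, needExportable); the vault URL is a placeholder.

```csharp
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.KeyVault.Models;

// Hypothetical helper (not from the question or the answers): loads a Key Vault certificate's
// private key inside an Azure WebJob / App Service, where no user profile is loaded.
public static class KeyVaultCertificateLoader
{
    // Key Vault exposes a certificate's private key as a *secret* whose value is the
    // base64-encoded, password-less PKCS#12 blob with this content type.
    private const string Pkcs12ContentType = "application/x-pkcs12";

    public static async Task<X509Certificate2> LoadSigningCertificateAsync(
        KeyVaultClient keyVaultClient,  // assumed: injected, authenticated as the WebJob's service principal
        string secretIdentifier,        // placeholder form: https://<vault-name>.vault.azure.net/secrets/<cert-name>
        bool needExportable = false)
    {
        SecretBundle bundle;
        try
        {
            bundle = await keyVaultClient.GetSecretAsync(secretIdentifier);
        }
        catch (KeyVaultErrorException ex) when (ex.Response?.StatusCode == HttpStatusCode.Forbidden)
        {
            // 403 from Key Vault is the symptom described in the second answer: the app is registered
            // in AAD, but the vault's access policy grants it no "Get" on Secrets (or was never saved).
            throw new UnauthorizedAccessException(
                $"The WebJob's service principal is not allowed to read {secretIdentifier}. " +
                "Grant it at least Get on Secrets (and Certificates) in the Key Vault access policy and click Save.",
                ex);
        }

        if (!string.Equals(bundle.ContentType, Pkcs12ContentType, StringComparison.OrdinalIgnoreCase))
        {
            // A PEM-typed or plain-text secret would also fail inside the X509Certificate2 constructor
            // with an error that looks like a key-store problem, so check the content type first.
            throw new InvalidOperationException(
                $"{secretIdentifier} is not a PKCS#12 secret (content type: {bundle.ContentType ?? "<none>"}).");
        }

        byte[] pfx = Convert.FromBase64String(bundle.Value);
        try
        {
            // MachineKeySet is the fix from the first answer: the sandbox does not load a user profile,
            // so the default per-user key container cannot be created and the import fails with
            // "The system cannot find the file specified". PersistKeySet keeps the key in the machine
            // container after this X509Certificate2 instance is disposed.
            var flags = X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet;

            // Exportable lets any code in the process pull the private key bytes back out of the store.
            // Signing via certificate.GetRSAPrivateKey().SignData(...) does not need it, so add it only on request.
            if (needExportable)
            {
                flags |= X509KeyStorageFlags.Exportable;
            }

            var certificate = new X509Certificate2(pfx, string.Empty, flags);
            if (!certificate.HasPrivateKey)
            {
                certificate.Dispose();
                throw new InvalidOperationException(
                    $"{secretIdentifier} imported without a private key; it cannot be used for signing.");
            }
            return certificate;
        }
        finally
        {
            // The raw PKCS#12 bytes are the private key in another form; do not leave them in a
            // long-lived byte[] after the import.
            Array.Clear(pfx, 0, pfx.Length);
        }
    }
}
```

Leaving Exportable off by default is the least-privilege choice: the certificate can still sign, but nothing else in the process can extract the key. On .NET Framework 4.7.2+/.NET Core 2.0+ there is also X509KeyStorageFlags.EphemeralKeySet, which keeps the key in memory instead of the machine key store; it avoids the key-container problem entirely, but on Windows keys loaded that way are not usable by every API (SChannel/SslStream in particular), so test it with the code that consumes the certificate before relying on it.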
