Reputation: 145
Short Question: How to make an imported certificate (pfx) non-exportable?
We have a certificate (pfx) file that we would like to import into Azure KeyVault. However, we are unable to make this certificate non-exportable. There is an option, under Issuance Policy/Advanced Policy Configuration, in which you can set 'Exportable Private Key' to 'No', but it seems not to apply to imported certificates.
The code that we use is:
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Azure.KeyVault;

var keyVaultClient = CreateKeyVaultClient();
var name = "non-exportable-cert";
// The imported pfx is stored as a base64-encoded secret backing the certificate.
var secret = await keyVaultClient.GetSecretAsync("azure-key-vault-url", name);
var cert = new X509Certificate2(Convert.FromBase64String(secret.Value));
// cert.HasPrivateKey is always true here.
When using the Windows Certificate store we have to explicitly mark the certificate as exportable. We do not have this option at all in the Azure Key Vault.
When we generate a certificate in the Key Vault this option does work, which results in cert.HasPrivateKey being set to False.
Is this scenario not supported or are we missing something? Thanks in advance!
Upvotes: 1
Views: 1592
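An added audit helper (not code from the question or from the Azure SDK samples) that separates the three things the question conflates: the policy's exportable flag, the certificate object (public part only), and the backing secret that actually carries the private key. It assumes the same CreateKeyVaultClient() helper and vault URL placeholder as the question, the legacy Microsoft.Azure.KeyVault client, and a secret content type of application/x-pkcs12 as in the original pfx import.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.KeyVault.Models;

// Hypothetical helper for this page; CreateKeyVaultClient() is the question's own helper.
public static class CertExportAudit
{
    // Returns true when the caller's identity can pull a PFX containing the private key,
    // which is the property that matters for "exportable", whatever the policy says.
    public static async Task<bool> PrivateKeyIsRetrievableAsync(
        IKeyVaultClient client, string vaultUrl, string certName)
    {
        // 1. What the certificate policy claims (null when the flag was never set,
        //    which is the usual case for an imported pfx).
        CertificatePolicy policy = await client.GetCertificatePolicyAsync(vaultUrl, certName);
        bool? exportable = policy?.KeyProperties?.Exportable;
        Console.WriteLine($"policy exportable = {exportable?.ToString() ?? "(not set)"}");

        // 2. The certificate object only exposes the public certificate (.cer bytes),
        //    so HasPrivateKey is false here regardless of exportability.
        CertificateBundle bundle = await client.GetCertificateAsync(vaultUrl, certName);
        var publicOnly = new X509Certificate2(bundle.Cer);
        Console.WriteLine($"certificates/{certName}: HasPrivateKey = {publicOnly.HasPrivateKey}");

        // 3. The backing secret is where the key lives. Any principal granted
        //    'secrets/get' on the vault can rebuild the full PFX from it, so this
        //    permission, not the policy flag, is what to review for imported certs.
        try
        {
            SecretBundle secret = await client.GetSecretAsync(vaultUrl, certName);
            // Assumes application/x-pkcs12 content: the value is a base64-encoded PFX.
            var withKey = new X509Certificate2(Convert.FromBase64String(secret.Value));
            Console.WriteLine($"secrets/{certName}: HasPrivateKey = {withKey.HasPrivateKey}");
            return withKey.HasPrivateKey;
        }
        catch (KeyVaultErrorException ex)
        {
            // Typically 403: this identity lacks secrets/get, so the key is not
            // retrievable through it even though it is stored exportable.
            Console.WriteLine($"secrets/{certName}: not readable ({ex.Message})");
            return false;
        }
    }
}
```

Running it against the question's "non-exportable-cert" with an identity that has both certificates/get and secrets/get shows step 2 reporting false and step 3 reporting true, which is the behaviour the question describes.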