Reputation: 2523
I tried to store my private key to Azure Key Vault, but when I retrieve it out, my private key got changed.
If I put the private key into my web.config file, it works without any issue.
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAohoZ+TCXMn17BPFXFCuIHvh7oONSBNCjuixl2CbwrGO8tIAO
XIQP1sZa3lhXkUj0f4HewmYsx6JR+39Do21H+QtCZxR4qCvOJxrrFHqMrk76aQji
....
ZVmUljOatig+g+q+jMEf7IA5zcAgBdAAuausXrPoNcip89Yuqag1
-----END RSA PRIVATE KEY-----
Since my private key is just text, I stored it as a Secret. Am I doing the right thing?
I also tried to store the key as a Certificate, but the key is just text with hidden CRLF; it is not PEM or PKCS#12. And in my case, I don't need to store the public key.
Below is my code to retrieve the key:
using Microsoft.Azure.KeyVault;

// keyVaultClient (a KeyVaultClient) and vaultUrl (e.g. "https://<vault-name>.vault.azure.net/") are initialised elsewhere
public static string GetDocuSignPrivateKey()
{
    // Fetch one specific version of the secret; .Result blocks the calling thread until the request completes
    var key = keyVaultClient.GetSecretAsync($"{vaultUrl}secrets/DocuSignPrivateKey/88e15b41234bf89619ddc9a2exxxx").Result;
    return key.Value;
}
Sorry, I have just started using Azure Key Vault. Please help. Thank you.
Upvotes: 2
Views: 4587
Reputation: 2780
I had a similar problem where I was trying to add a private cert to the key vault by creating a secret. I used PowerShell and the following code snippet to make it work.
I navigated to the folder where the private cert is located and then ran:
az login
az keyvault secret set --name privateCert --vault-name mykeyvault-qa-kv --file .\private.key
Upvotes: 0
Reputation: 838
I added the private key to Azure using the method below in C# instead of adding it manually, then used the GetSecret method:
using System;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// kvUri is the vault URI, e.g. "https://<vault-name>.vault.azure.net/"
SecretClient client = new SecretClient(new Uri(kvUri), new DefaultAzureCredential());
// Store the PEM text as-is; the "\n" line breaks are kept in the secret value
string secretName = "pKey";
string secretValue = "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMII9w0BBQ\nzZ8=\n-----END ENCRYPTED PRIVATE KEY-----\n";
Task addKey = client.SetSecretAsync(secretName, secretValue);
addKey.Wait();
// Read the secret back with the same client
KeyVaultSecret pKey = client.GetSecret("pKey");
string privateKey = pKey.Value;
Upvotes: 0
Reputation: 61
This is how I deployed a private key from a .ppk file to the key vault using PowerShell. The first one is in non-production where I used AAD MFA, the second one is in production where I used a service principal.
AAD Multifactor Log In
Connect-AzAccount -DeviceCode
# Read the .ppk as raw bytes and base64-encode them, since a secret value must be a string
$fileContentInBytes = Get-Content C:\Users\filedirectory\file.ppk -Encoding Byte
$fileContentAsBase64 = [System.Convert]::ToBase64String($fileContentInBytes)
Set-AzKeyVaultSecret -VaultName 'CHANGEVALUETOKEYVAULTNAME' -SecretName 'CHANGEVALUETOSECRETNAME' -SecretValue (ConvertTo-SecureString -String $fileContentAsBase64 -Force -AsPlainText) -ErrorAction Stop
Service Principal
# Build a PSCredential from the service principal's application id and password
$secPassword = ConvertTo-SecureString -AsPlainText -Force -String 'CHANGEVALUETOSERVICEPRINCIPALPASSWORD'
$ApplicationId = 'CHANGEVALUETOSERVICEPRINCIPALID'
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $ApplicationId, $secPassword
Connect-AzAccount -ServicePrincipal -TenantId 'CHANGEVALUETOTENANTID' -Credential $Credential
# Read the .ppk as raw bytes and base64-encode them, since a secret value must be a string
$fileContentInBytes = Get-Content C:\Users\filedirectory\file.ppk -Encoding Byte
$fileContentAsBase64 = [System.Convert]::ToBase64String($fileContentInBytes)
Set-AzKeyVaultSecret -VaultName 'CHANGEVALUETOKEYVAULTNAME' -SecretName 'CHANGEVALUETOSECRETNAME' -SecretValue (ConvertTo-SecureString -String $fileContentAsBase64 -Force -AsPlainText) -ErrorAction Stop
Upvotes: 0
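The answers above take two routes: a PEM key is stored as text (with its newlines), while a binary key file such as a .ppk is base64-encoded first. What none of them shows is how to confirm afterwards that what comes back out of the vault is byte-for-byte what went in, which is the check the question is really asking for. The Python below is an added example, not code from the question or any answer; it assumes the azure-keyvault-secrets SecretClient interface (set_secret with a content_type keyword, get_secret returning .value and .properties.content_type), uses constructed sample inputs rather than real keys, the content-type labels "text/plain" and "application/base64" are my own convention, and InMemorySecretClient is a test double so the round trip runs offline.

```python
import base64
import hashlib
from types import SimpleNamespace

# Constructed sample inputs (not real keys): a PEM text with CRLF line endings,
# as Windows editors often save it, and an opaque binary blob standing in for file.ppk.
SAMPLE_PEM_CRLF = (
    "-----BEGIN RSA PRIVATE KEY-----\r\n"
    "MIIEowIBAAKCAQEAohoZ+TCXMn17BPFXFCuIHvh7oONSBNCjuixl2CbwrGO8tIAO\r\n"
    "-----END RSA PRIVATE KEY-----\r\n"
).encode("utf-8")
SAMPLE_BINARY = bytes(range(256))  # constructed placeholder for the bytes of a .ppk file


def encode_for_secret(data: bytes) -> tuple[str, str]:
    """Return (secret_value, content_type) for storing a key file as a Key Vault secret.

    A secret value must be a string. Text keys (PEM) are stored as text with line
    endings normalised to LF so the stored value does not depend on which OS wrote
    the file. Anything that is not valid UTF-8 (a binary .ppk, a PKCS#12 blob) is
    base64-encoded, which is what the PowerShell answer above does by hand.
    """
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return base64.b64encode(data).decode("ascii"), "application/base64"
    return text.replace("\r\n", "\n"), "text/plain"


def decode_from_secret(value: str, content_type: str) -> bytes:
    """Inverse of encode_for_secret, driven by the content type stored with the secret."""
    if content_type == "application/base64":
        return base64.b64decode(value, validate=True)
    return value.encode("utf-8")


def fingerprint(data: bytes) -> str:
    """SHA-256 hex digest of key material; compare digests instead of eyeballing PEM text."""
    return hashlib.sha256(data).hexdigest()


def store_and_verify(client, name: str, data: bytes) -> str:
    """Store key material under `name`, read it back and return its fingerprint.

    Raises ValueError if the bytes recovered from the vault differ from what was
    stored, which is the symptom the question describes ("my private key got changed").
    """
    value, content_type = encode_for_secret(data)
    expected = fingerprint(decode_from_secret(value, content_type))
    client.set_secret(name, value, content_type=content_type)
    got = client.get_secret(name)
    actual = fingerprint(decode_from_secret(got.value, got.properties.content_type))
    if actual != expected:
        raise ValueError(f"secret {name!r} changed in transit: {expected} != {actual}")
    return actual


class InMemorySecretClient:
    """Test double (assumption) with the two SecretClient methods used above."""

    def __init__(self):
        self._store = {}

    def set_secret(self, name, value, content_type=None):
        self._store[name] = (value, content_type)

    def get_secret(self, name):
        value, content_type = self._store[name]
        return SimpleNamespace(value=value, properties=SimpleNamespace(content_type=content_type))


def demo() -> dict:
    """Run both sample inputs through the in-memory client; returns fingerprints by secret name."""
    client = InMemorySecretClient()
    return {
        "DocuSignPrivateKey": store_and_verify(client, "DocuSignPrivateKey", SAMPLE_PEM_CRLF),
        "privateCert": store_and_verify(client, "privateCert", SAMPLE_BINARY),
    }


if __name__ == "__main__":
    # Against a real vault (assumed vault URL; needs azure-identity and azure-keyvault-secrets):
    # from azure.identity import DefaultAzureCredential
    # from azure.keyvault.secrets import SecretClient
    # client = SecretClient("https://<vault-name>.vault.azure.net/", DefaultAzureCredential())
    # store_and_verify(client, "DocuSignPrivateKey", open("private.key", "rb").read())
    for secret_name, digest in demo().items():
        print(secret_name, digest)
```

Storing the content type alongside the value means the consumer does not have to guess whether a secret holds PEM text or a base64 blob, and recording the fingerprint at store time gives a concrete comparison point the next time a key "looks different" after retrieval.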
Reputation: 2523
Thanks to @Matt Small's response. I used Azure Cloud Shell to enter the private key and it works.
$secretvalue = ConvertTo-SecureString 'priKey here' -AsPlainText -Force
$secret = Set-AzKeyVaultSecret -VaultName 'vaultName' -Name 'secretName' -SecretValue $secretvalue
Upvotes: 3