Mike26

Reputation: 119

How to get certificate from Azure KeyVault as .crt and .key files?

I need to export a certificate from Azure KeyVault to a VM as a .crt file, with its key as a .key file. I found the following article on MS Docs: link, and then convert it to the correct files with openssl.

Unfortunately, there's one restriction for me: I cannot use openssl. So my question is: is there any way to do it with PowerShell?

Upvotes: 1

Views: 5306

Answers (1)

krishg

Reputation: 6508

When a Key Vault certificate is created, an addressable key and secret are also created with the same name. The Key Vault key allows key operations and the Key Vault secret allows retrieval of the certificate value as a secret. A Key Vault certificate also contains public x509 certificate metadata. Source: Composition of a Certificate.

You can use the new az module (CLI based) in PowerShell to download the crt (public part), export the private key from the secret, or export the public key from the key (in case you need only the public key) separately, as below.

Note: The policy used to create the certificate must indicate that the key is exportable. If the policy indicates non-exportable, then the private key isn't a part of the value when retrieved as a secret. Source: Exportable or Non-exportable key.

# download as crt in DER format
# you can also download in PEM format by changing to -e PEM
az keyvault certificate download --vault-name <keyvault-name> -n <cert-name> -f cert.crt -e DER

# private key is stored in secret, exporting separately
az keyvault secret download --vault-name <keyvault-name> -n <cert-name> -f cert.key

# key is stored in key, exporting public part separately in PEM format
# you can also download in DER format by changing to -e DER
# you cannot retrieve private part from key
az keyvault key download --vault-name <keyvault-name> -n <cert-name> -f public-key.pem -e PEM

Note: If the format is PKCS#12 when you uploaded the certificate, then the second command (private key) would download in p12 format, which would require the passphrase.


Upvotes: 6
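A PowerShell-only way to split the certificate secret into .crt and .key files without openssl, as an added example that is not part of the original answer. It assumes PowerShell 7+, an RSA key, and a PKCS#12 secret value with an empty password; the function names `ConvertTo-Pem` and `Split-Pkcs12Secret` are hypothetical, and the self-signed certificate is a constructed stand-in for the secret value.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Wrap DER bytes as PEM: base64 in 64-character lines between BEGIN/END markers.
function ConvertTo-Pem([string]$Label, [byte[]]$Der) {
    $b64 = [Convert]::ToBase64String($Der) -replace '(.{64})(?=.)', "`$1`n"
    "-----BEGIN $Label-----`n$b64`n-----END $Label-----`n"
}

# Hypothetical helper: turns the base64 PKCS#12 value of a Key Vault certificate
# secret into PEM text for the certificate and its PKCS#8 private key.
function Split-Pkcs12Secret([string]$SecretValue) {
    $pfx = [Convert]::FromBase64String($SecretValue)
    # Assumption: the PFX held in the secret has an empty password.
    $cert = [X509Certificate2]::new($pfx, '', [X509KeyStorageFlags]::Exportable)
    try {
        if (-not $cert.HasPrivateKey) {
            throw 'No private key in the secret: the certificate policy is non-exportable.'
        }
        $rsa = [RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($null -eq $rsa) { throw 'Not an RSA key (this example handles RSA only).' }
        [pscustomobject]@{
            Crt = ConvertTo-Pem 'CERTIFICATE' ($cert.RawData)
            Key = ConvertTo-Pem 'PRIVATE KEY' ($rsa.ExportPkcs8PrivateKey())
        }
    } finally { $cert.Dispose() }
}

# Constructed sample input: a throwaway self-signed PFX, so the script runs offline.
# Real input would be the secret value, for example:
#   $sample = az keyvault secret show --vault-name <keyvault-name> -n <cert-name> --query value -o tsv
$key = [RSA]::Create(2048)
$req = [CertificateRequest]::new('CN=constructed-sample', $key,
    [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$now = [DateTimeOffset]::UtcNow
$sample = [Convert]::ToBase64String(
    $req.CreateSelfSigned($now, $now.AddDays(1)).Export([X509ContentType]::Pfx))

$pem = Split-Pkcs12Secret $sample
Set-Content -Path cert.crt -Value $pem.Crt -NoNewline
# cert.key holds the unencrypted private key: restrict its file permissions.
Set-Content -Path cert.key -Value $pem.Key -NoNewline
```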
