olivier

Reputation: 195

Error "The parameter KeyVault Certificate has an invalid value" with App Service Certificate

I have created in my Azure Key Vault a secret containing an SSL certificate converted from .pfx to a base64 string. Now I am trying to use it to create a certificate linked to an App Service using a Bicep file.

resource kv 'Microsoft.KeyVault/vaults@2021-06-01-preview' = {
  name: 'mykeyvault'
  location: resourceGroup().location
  properties: {
    tenantId: tenantId
    sku: {
      name: 'standard'
      family: 'A'
    }   
    enabledForTemplateDeployment: true
    accessPolicies: [...]
  }
}

resource sslCertificateSecret 'Microsoft.KeyVault/vaults/secrets@2021-06-01-preview' = {
  name: '${kv.name}/sslcert'
  properties: {
    attributes: {
      enabled: true
    }
    value: <base64_string_ssl>
    contentType: 'application/x-pkcs12'
  }
}

resource appServicePlan 'Microsoft.Web/serverfarms@2021-01-15' = {
  name: 'myServiceplan'
  location: resourceGroup().location
  kind: 'linux'
  properties: {
    reserved: true
  }
  sku: {  
    name: 'B1'
  }
}

resource sslCertificate 'Microsoft.Web/certificates@2021-01-15' = {
  name: 'myCertificate'
  location: resourceGroup().location
  properties: {
    keyVaultId: <my_keyvaultId>
    keyVaultSecretName: <my_keyvaultCertificateSecretName>
    serverFarmId: appServicePlan.id
    
  }
}

I also tried to import the certificate manually into the key vault and re-export it to ensure the base64 string was correct, and it seemed OK.

However, I am getting the error "The parameter KeyVault Certificate has an invalid value."

Do you have an idea of what I am missing?

Upvotes: 0

Views: 4638

Answers (1)

anon

Reputation:

Azure KeyVault is a solution for secure storage of confidential information. There are two ways to authenticate a web application to KeyVault. A better approach is to authenticate the web application using a certificate. This certificate is also deployed directly from KeyVault. This means neither the confidential information nor the keys to the vault are ever disclosed.

Please check the below steps:

Click on the link below for the steps to create a certificate linked with an App Service from KeyVault: Loading the access certificate for your application into KeyVault


Check the file formats of certificates, which are the major building block when importing certificates.

PEM and PFX are the supported certificate formats in the Azure Key Vault resource.

• The .pem file format consists of one or more X.509 certificate files.

• A server certificate (issued for your domain), a matching private key, and an optional intermediate CA can all be stored in a single file using the .pfx archive file format.

The first step is to convert any certificates used by the App Service to (and label them as) application/x-pkcs12. It might be possible to resolve the issue by re-importing the certificate from a .pfx file with the --password parameter (az keyvault certificate import), and then importing it from the key vault into the web app. You could use this blog as a resource.

Also, check whether the cert and the Key Vault are in their original resource group.

References:

  1. Azure Key Vault Import Certificates provided by Microsoft
  2. GitHub Source of Deploying Azure Web App Certificate using KV

If you missed the certificate policy on upload and are generating new certificates, then try generating them in the key vault itself.

# Interactive sign-in with the legacy AzureRM module
$credential = Get-Credential
Login-AzureRmAccount -Credential $credential

$vaultName = 'my-vault-full-of-keys'
$certificateName = 'my-new-cert'
# Self-signed policy valid for 120 months; Key Vault generates the key and the certificate itself
$policy = New-AzureKeyVaultCertificatePolicy -SubjectName "CN=mememe.me" -IssuerName Self -ValidityInMonths 120
Add-AzureKeyVaultCertificate -VaultName $vaultName -Name $certificateName -CertificatePolicy $policy

"The parameter KeyVault Certificate has an invalid value"

  1. Please check that you have given the Resource Provider permission to access the key vault.

Use PowerShell to allow the 'Microsoft.Web' Resource Provider to directly access the Azure Key Vault.

Login-AzureRmAccount
Set-AzureRmContext -SubscriptionId AZURE_SUBSCRIPTION_ID
# Grant the Microsoft.Web resource provider service principal 'get' on secrets only,
# which is all App Service needs to read the certificate from the vault
Set-AzureRmKeyVaultAccessPolicy -VaultName KEY_VAULT_NAME -ServicePrincipalName abfa0a7c-a6b6-4736-8310-5855508787cd -PermissionsToSecrets get

  2. Sometimes this problem exists in the step of how the certificate was uploaded to the Key Vault: if using PowerShell, give the full path instead of the relative path to the cert when uploading.

$pfxFilePath = "PFX_CERTIFICATE_FILE_PATH" # Change this path

Example:

$pfxFilePath = "F:\KeyVault\PrivateCertificate.pfx"   # Full path to the PFX, not a relative one
$pfxPassword = "[2+)t^BgfYZ2C0WAu__gw["                # Password protecting the PFX (renamed from $pwd, which collides with PowerShell's automatic $PWD)
# Import with the Exportable flag so the private key can be re-exported below
$flag = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
$collection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$collection.Import($pfxFilePath, $pfxPassword, $flag)
# Re-export the whole collection as a PKCS#12 blob and base64-encode it
$pkcs12ContentType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12
$clearBytes = $collection.Export($pkcs12ContentType)
$fileContentEncoded = [System.Convert]::ToBase64String($clearBytes)
$secret = ConvertTo-SecureString -String $fileContentEncoded -AsPlainText -Force
# The content type must be application/x-pkcs12 for App Service to accept the secret
$secretContentType = 'application/x-pkcs12'
Set-AzureKeyVaultSecret -VaultName akurmitestvault -Name keyVaultCert -SecretValue $secret -ContentType $secretContentType # Change the Key Vault name and secret name

Upvotes: 1
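The answer above points at the format of the uploaded value as a common cause of this error (PEM instead of PFX, wrong content type, a mangled base64 string). The following script is an added example, not code from the question, the answer or Microsoft: a stdlib-only Python check that validates the shape of a base64 value before it is written into a Key Vault secret as application/x-pkcs12. It decodes the base64, rejects PEM text and double-encoded values, and parses the outer DER structure of a PKCS#12 PFX (version 3, authSafe ContentInfo with the id-data or id-signedData OID, optional MacData) as defined in RFC 7292. The sample PFX bytes are a constructed DER skeleton with no real key or certificate, built only to exercise the parser; the function names are mine.

```python
"""Sanity-check a base64-encoded PKCS#12 (.pfx) value before storing it as a
Key Vault secret with contentType 'application/x-pkcs12'.  Stdlib only."""
import base64
import binascii

# DER content bytes of the OIDs allowed for the PFX authSafe ContentInfo (RFC 7292).
PKCS7_DATA_OID = bytes.fromhex("2a864886f70d010701")         # id-data: password integrity mode
PKCS7_SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")  # id-signedData: public-key integrity mode
_B64_ALPHABET = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")


def _der(tag, content):
    """Encode one DER TLV (used only to build the constructed sample below)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def _read_tlv(buf, pos):
    """Decode the DER TLV at buf[pos]; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, buf[pos:end], end


def inspect_pkcs12_secret(b64_value):
    """Parse the outer PFX structure; return details or raise ValueError saying why it is wrong."""
    compact = "".join(b64_value.split())  # tolerate line-wrapped base64 (e.g. from openssl)
    try:
        raw = base64.b64decode(compact, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"value is not valid base64 ({exc})")
    if raw.startswith(b"-----BEGIN"):
        raise ValueError("decoded value is PEM text, not a PKCS#12 archive")
    if raw and all(b in _B64_ALPHABET for b in raw):
        raise ValueError("decoded value is itself base64 text: the secret looks double-encoded")
    tag, pfx, end = _read_tlv(raw, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE (not DER PKCS#12)")
    if end != len(raw):
        raise ValueError("trailing bytes after the PFX structure")
    tag, version, pos = _read_tlv(pfx, 0)
    if tag != 0x02 or version != b"\x03":
        raise ValueError("PFX version is not 3")
    tag, auth_safe, pos = _read_tlv(pfx, pos)
    if tag != 0x30:
        raise ValueError("authSafe is not a ContentInfo SEQUENCE")
    tag, oid, _ = _read_tlv(auth_safe, 0)
    integrity = {PKCS7_DATA_OID: "password", PKCS7_SIGNED_DATA_OID: "public-key"}.get(oid)
    if tag != 0x06 or integrity is None:
        raise ValueError("authSafe contentType is not id-data or id-signedData")
    # MacData is the optional third field; anything left after authSafe is it.
    return {"bytes": len(raw), "version": 3, "integrity": integrity, "mac_present": pos < len(pfx)}


def check_pkcs12_secret(b64_value):
    """Non-raising wrapper: (True, details) if the value looks like a PFX, else (False, reason)."""
    try:
        return True, inspect_pkcs12_secret(b64_value)
    except ValueError as exc:
        return False, str(exc)


# Constructed sample, NOT a real certificate: a structurally valid PFX skeleton
# (version 3, id-data authSafe wrapping an empty AuthenticatedSafe, no MacData).
SAMPLE_PFX_DER = _der(0x30,
                      _der(0x02, b"\x03")
                      + _der(0x30, _der(0x06, PKCS7_DATA_OID)
                             + _der(0xA0, _der(0x04, _der(0x30, b"")))))
SAMPLE_PFX_B64 = base64.b64encode(SAMPLE_PFX_DER).decode("ascii")
# Constructed: what you get when a PEM file is base64-encoded by mistake.
SAMPLE_PEM_B64 = base64.b64encode(
    b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n").decode("ascii")
# Constructed: the PFX base64 string encoded a second time.
SAMPLE_DOUBLE_B64 = base64.b64encode(SAMPLE_PFX_B64.encode("ascii")).decode("ascii")

if __name__ == "__main__":
    for label, value in [("pfx", SAMPLE_PFX_B64), ("pem", SAMPLE_PEM_B64), ("double", SAMPLE_DOUBLE_B64)]:
        print(label, check_pkcs12_secret(value))
```

Run it against the string you are about to put in the Bicep `value:` field; a `(False, reason)` result tells you which of the three common mistakes you have hit before the deployment fails with the generic "invalid value" error. The check deliberately stops at the outer structure: it confirms the blob is a PKCS#12 archive without needing the password, so no private key material is ever decrypted by the script.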
