Similar to this question, I have a Python Azure Function where I want to load a certificate from a Key Vault Reference. Referencing the secret returns a string that looks like this: "MIIcGA...z62QICB9A=". I'm trying to load this into an azure.identity CertificateCredential object and can't figure out how to construct the correct certificate_data.
My actual call looks like this:
from azure.identity import CertificateCredential
cert_cred = CertificateCredential("72f...guid", "eff...guid", certificate_data = str.encode(cert64))
I've tried wrapping my cert64 string in -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, but whatever I do, I get the error: Failed to deserialize certificate in PEM or PKCS12 format
I tried reworking my certificate string to be split with newlines at 64 chars so it looks like this:
-----BEGIN CERTIFICATE-----
MIIcGAIBAzCCG9QGCSqGSIb3DQEHAaCCG8UEghvBMIIbvTCCBhYGCSqGSIb3DQEH
AaCCBgcEggYDMIIF/zCCBfsGCyqGSIb3DQEMCgECoIIE/jCCBPowHAYKKoZIhvcN
...
-----END CERTIFICATE-----
Using this code
import re

final_cert = "-----BEGIN CERTIFICATE-----"
for i in re.findall('.?'*64, cert64):
    final_cert += "\r\n" + i
final_cert += "-----END CERTIFICATE-----"
print(final_cert)
I get a slightly different error message:
Exception has occurred: ValueError Could not deserialize key data. The data may be in an incorrect format or it may be encrypted with an unsupported algorithm.
Upvotes: 0
Views: 1050
After fighting with this all day, I discovered the answer here.
Base64-decode the string that comes from Key Vault and set it as the certificate_data bytes.
import base64

# The Key Vault secret is base64 text; CertificateCredential wants the raw PKCS#12 bytes.
pkcs12_bytes = base64.b64decode(cert64)
cert_cred = CertificateCredential("72f...guid", "eff...guid", certificate_data=pkcs12_bytes)
Upvotes: 1
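Added example, not part of the original question or answer: a standard-library check showing why the PEM wrapping in the question fails. The string's first bytes decode to a PKCS#12 (PFX) header, not an X.509 certificate, so it needs base64-decoding rather than PEM armor. The function names are hypothetical, and the sketch assumes the secret is either PEM text or a base64 PKCS#12 blob.

```python
import base64
import binascii
from typing import Tuple

# First 64 characters of the secret as shown in the question (truncated, header only).
PAGE_PREFIX = "MIIcGAIBAzCCG9QGCSqGSIb3DQEHAaCCG8UEghvBMIIbvTCCBhYGCSqGSIb3DQEH"


def der_header_is_pfx(der: bytes) -> bool:
    """Heuristic: True if der starts with SEQUENCE { INTEGER 3, ... } (PFX version 3)."""
    if len(der) < 5 or der[0] != 0x30:          # outer tag must be SEQUENCE
        return False
    first_len = der[1]
    # Short form: one length byte. Long form: 0x80 | n, followed by n length bytes.
    body = 2 if first_len < 0x80 else 2 + (first_len & 0x7F)
    return der[body:body + 3] == b"\x02\x01\x03"  # INTEGER, length 1, value 3


def secret_to_certificate_data(secret: str) -> Tuple[str, bytes]:
    """Classify a Key Vault certificate secret; return (kind, bytes).

    The bytes are what would be passed as certificate_data to CertificateCredential.
    """
    text = secret.strip()
    if text.startswith("-----BEGIN "):
        # PEM is already text armor: pass it through unchanged.
        return "pem", text.encode("ascii")
    try:
        der = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("secret is neither PEM nor valid base64") from exc
    if not der_header_is_pfx(der):
        raise ValueError("base64 decodes, but not to a PKCS#12 (PFX) header")
    return "pkcs12", der


if __name__ == "__main__":
    kind, data = secret_to_certificate_data(PAGE_PREFIX)
    print(kind, data[:8].hex())  # header bytes of the truncated sample
```
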