Ryan

Reputation: 15

How to get original pfx file from Azure Key Vault

I am trying to get the original .pfx file of a certificate including its private key from Azure Key Vault via the portal UI.

I am using the UI to import the certificate as documented for the (Azure) Portal option here: https://learn.microsoft.com/en-us/azure/key-vault/certificates/tutorial-import-certificate?tabs=azure-portal

I am downloading the pfx file as documented for the (Azure) Portal option here: https://learn.microsoft.com/en-us/azure/key-vault/certificates/how-to-export-certificate?tabs=azure-portal

When I then try to get the ca-key and ca-crt from this pfx file, it fails due to a wrong password. I did it 5 times now to satisfy my paranoia - the password is correct. So I checked the original file and the one I downloaded:

(base) certs % shasum -a 256 ca-crt.pfx 
50739f7a73fb092ae6ef9bf3372a16c28a4587b41c0bf12262dbf15e74169d07  ca-crt.pfx
(base) certs % shasum -a 256 vault1-test1ca-20240212.pfx 
314e9b0d5681bfcc470490f1138e2ad09861ac7060fab6ca6e2a6edb28d19c6d  vault1-test1ca-20240212.pfx

Can someone explain why I cannot get the original file from the Azure Key Vault? And maybe also has a solution on how to get it?

EDIT:

I just downloaded it via the Azure CLI and when I try to decrypt it, it asks me for a decryption password which is not the one I set when creating the .pfx file:

(base) certs % openssl des3 -d -in vault1-test1ca-20240212.pfx -out ca.pfx
enter DES-EDE3-CBC decryption password:

Upvotes: 1

Views: 1950

Answers (1)

Heath

Reputation: 3321

az keyvault certificate download, as documented, will never get the private key. This is by design as the intention is to use key operations against the managed key to decrypt (RSA), sign (RSA or ECDsa), or unwrap (RSA) as the key algorithm allows.

Additionally, if you imported the certificate where the private key was protected with a password, you would've had to supply that password so that the private key could be decrypted and stored within Key Vault. The password is no more, but you can still re-encrypt the private key later once downloaded.

If you want to retrieve the original PFX (assuming that is what you originally imported or created, since Key Vault will not convert between PFX (PKCS12) or PEM (PKCS1 or PKCS8)), you need to download the managed secret, and the policy used when creating the key (or the default policy used when importing the key) has to allow the private key to be exported, which is the default policy, e.g.,

az keyvault certificate get-default-policy --query keyProperties.exportable

The managed secret, by convention, has the same name as the certificate; though, it's best to get the certificate information and then the sid (secret ID) for production use:

sid=$(az keyvault certificate show --vault-name heathskv --name test-cert -o tsv --query sid)
az keyvault secret show --id $sid -o tsv --query value | base64 -d > test-cert.pfx

test-cert.pfx will have the key pair with the private key unencrypted since it was decrypted when importing into Key Vault.

Upvotes: 1
