Azure Key Vault with Managed Identity

Phillip LEE 20 Reputation points
2024-11-29T05:58:19.2066667+00:00

Hello,

I have a question to ask.

I’m studying how to retrieve SSL certificates from Azure Key Vault using Managed Identity.

The scenario involves uploading a test.pfx certificate to the Key Vault and retrieving it from a Linux (Ubuntu 24.04 LTS) VM using the Azure CLI. When retrieving the certificate, it appears that the backend converts the certificate to a PEM format before downloading it.

From my tests, it seems that the certificate is always converted to PEM format by default.

I’ve been trying other methods as well, but they’re not working as expected.

Here’s my question: When I uploaded the PFX certificate, it included the private key along with the chain (CA1, CA2). When I applied the certificate directly to the server without using Key Vault, the HTTPS site worked fine. However, when retrieving the certificate from Key Vault using Azure CLI, the certificate is converted to PEM format, and the private key and chain seem to be missing.

It seems like this is happening because of the OpenSSL conversion process. Is this expected behavior? If anyone has experience with this issue, could you provide some insights?


Accepted answer
    Deepanshu katara 12,635 Reputation points
    2024-11-29T06:28:00.29+00:00

    Hello Phillip, welcome to MS Q&A.

    When retrieving a PFX certificate from Azure Key Vault using Azure CLI, you may encounter issues during conversion to PEM format. To successfully convert a PFX certificate to PEM, ensure that you are using the correct command to download the certificate and that the private key is included in the PFX file.

    If you are facing specific errors during the conversion process, it may be helpful to check the format of the certificate and ensure that it adheres to the required specifications. Additionally, verify that you are using the appropriate tools or commands for the conversion.

    1. To retrieve a PFX certificate from Azure Key Vault and convert it to PEM format using Azure CLI and OpenSSL, you can use the following commands:
       # the certificate's backing secret holds the PFX with the private key and chain;
       # "az keyvault certificate download" only exports the public certificate (DER or PEM)
       az keyvault secret download --vault-name <your-key-vault-name> --name <your-certificate-name> --encoding base64 --file <path-to-save-certificate.pfx>

    2. Convert the PFX certificate to PEM format using OpenSSL:
       # a PFX exported from Key Vault has an empty password; in that case use "-passin pass:"
       openssl pkcs12 -in <path-to-save-certificate.pfx> -out <path-to-save-certificate.pem> -nodes -passin pass:<pfx-password>

    Replace the placeholders <your-key-vault-name>, <your-certificate-name>, <path-to-save-certificate.pfx>, <path-to-save-certificate.pem>, and <pfx-password> with your actual values.

    These commands will ensure that the private key and chain are included in the PEM file.


    Please try it and let us know if you have any questions.

    Kindly accept the answer if it helps.

    Thanks

    Deepanshu

    1 person found this answer helpful.
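As an added example (not code from the question or the answer), here is a POSIX sh script for the Ubuntu VM that fetches the full PKCS#12 through the certificate's backing secret, converts it with OpenSSL, splits it into key, leaf and chain, and checks that the key actually pairs with the leaf. It assumes the Azure CLI is already logged in as the VM's managed identity and that openssl is installed; the vault name, certificate name and working directory are placeholders passed as arguments.

```shell
#!/usr/bin/env sh
# Added example, not code from the question or the answer. Assumes the Azure CLI is
# logged in as the VM's managed identity (az login --identity) and openssl is present.
set -eu

# The certificate's backing *secret* carries the PKCS#12 blob with private key and
# chain; "az keyvault certificate download" exports only the public certificate.
download_pfx() {             # download_pfx <vault> <cert-name> <out.pfx>
  az keyvault secret download --vault-name "$1" --name "$2" \
    --encoding base64 --file "$3"
}

# Key Vault exports the PFX with an empty password, hence the empty "pass:".
# -nodes writes the private key unencrypted, so create the output with mode 600.
pfx_to_pem() {               # pfx_to_pem <in.pfx> <out.pem>
  umask 077
  openssl pkcs12 -in "$1" -out "$2" -nodes -passin pass:
}

# Split the PEM bundle into private key, leaf (first certificate) and chain (the
# rest); "Bag Attributes"/subject lines between blocks are dropped. Pure awk.
split_pem_bundle() {         # split_pem_bundle <bundle.pem> <key.pem> <leaf.pem> <chain.pem>
  for f in "$2" "$3" "$4"; do : > "$f"; done   # always create all three outputs
  awk -v key="$2" -v leaf="$3" -v chain="$4" '
    /^-----BEGIN .*PRIVATE KEY-----$/ { out = key }
    /^-----BEGIN CERTIFICATE-----$/   { n++; out = (n == 1) ? leaf : chain }
    out != ""                         { print > out }
    /^-----END /                      { out = "" }
  ' "$1"
}
count_certs() {              # count_certs <file.pem> -> number of CERTIFICATE blocks
  grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Compare SHA-256 of the DER public key taken from the key file and from the leaf.
key_matches_leaf() {         # key_matches_leaf <key.pem> <leaf.pem>
  k=$(openssl pkey -in "$1" -pubout -outform DER | openssl sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha256)
  [ "$k" = "$c" ]
}

main() {                     # main <vault> <cert-name> <workdir>
  download_pfx "$1" "$2" "$3/cert.pfx"
  pfx_to_pem "$3/cert.pfx" "$3/bundle.pem"
  split_pem_bundle "$3/bundle.pem" "$3/key.pem" "$3/leaf.pem" "$3/chain.pem"
  key_matches_leaf "$3/key.pem" "$3/leaf.pem" || { echo "key/leaf mismatch" >&2; exit 1; }
  echo "leaf + key OK, $(count_certs "$3/chain.pem") chain certificate(s) in $3/chain.pem"
}
# Usage: sh kv-cert.sh <vault> <cert-name> <workdir>; with no arguments only the functions load.
if [ "$#" -eq 3 ]; then main "$@"; fi
```

With the three output files in hand, the web server gets key.pem and leaf.pem as its key and certificate and chain.pem as the intermediate bundle, which is what the PFX applied directly to the server already contained.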
