"The parameter KeyVault Certificate has an invalid value" when deploying Azure Web App Certificate through Key Vault

Wassberg Sebastian 11 Reputation points
2020-01-30T13:00:51.227+00:00

So I have been trying to upload a cert from keyvault to my azure web app. I followed this guide:
https://azure.github.io/AppService/2016/05/24/Deploying-Azure-Web-App-Certificate-through-Key-Vault.html

When trying to create the Microsoft.Web/certificates resource I get the error:

{  
  "Code": "BadRequest",  
  "Message": "The parameter KeyVault Certificate has an invalid value.",  
  "Target": null,  
  "Details": [  
    {  
      "Message": "The parameter KeyVault Certificate has an invalid value."  
    },  
    {  
      "Code": "BadRequest"  
    },  
    {  
      "ErrorEntity": {  
        "ExtendedCode": "51008",  
        "MessageTemplate": "The parameter {0} has an invalid value.",  
        "Parameters": [  
          "KeyVault Certificate"  
        ],  
        "Code": "BadRequest",  
        "Message": "The parameter KeyVault Certificate has an invalid value."  
      }  
    }  
  ],  
  "Innererror": null  
}  

I got the same error when trying to deploy when using this template as a reference: https://github.com/Azure/azure-quickstart-templates/tree/master/201-web-app-certificate-from-key-vault

I have tried with two different certs that are in use for us in production. When uploading the certs manually in the app service TLS/SSL settings -> Private Key Certificate the certs work as expected.

When downloading the secret uploaded with the PS script as a certificate it seems very small (1kb vs 5kb of the original cert) and I cannot open it with the cert password so my best guess is that there is something wrong with the upload.

I have no idea how to debug this further.


3 answers

  1. JoseMoreno-MSFT 16 Reputation points Microsoft Employee
    2020-02-16T22:25:45.68+00:00

    Hi Sebastian,

    I had just the same problem. In my case the reason was because the cert in AKV was imported as pem and not as pkcs12, and hence the content type was wrong (should be application/x-pkcs12). Re-importing the cert from a pfx file with the --password parameter (az keyvault certificate import) did the trick for me; after that I could import it from the key vault to the webapp.

    Hth

    3 people found this answer helpful.
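The answer above points at the content type of the Key Vault object, and the question itself reports a secret that is far smaller than the source PFX and cannot be opened with its password. The following script, added here as an example and not taken from the thread or the linked guide, pulls the secret with the Az PowerShell module (Az.Accounts and Az.KeyVault, after Connect-AzAccount, which is an assumption) and checks the three things Microsoft.Web/certificates depends on: the content type is application/x-pkcs12, the value is base64 that decodes to a DER PKCS#12 structure, and the blob opens with the export password and carries a private key. Vault name, secret name and password are placeholders supplied by the caller.

```powershell
# Added diagnostic; not part of the original thread or the linked blog post.
# Assumes the Az module (Az.Accounts, Az.KeyVault) and an existing Connect-AzAccount session.
# $VaultName, $SecretName and $PfxPassword are caller-supplied placeholders.
param(
    [Parameter(Mandatory)] [string] $VaultName,
    [Parameter(Mandatory)] [string] $SecretName,
    [securestring] $PfxPassword
)

$secret = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName
if (-not $secret) { throw "Secret '$SecretName' not found in vault '$VaultName'." }

# 1. The content type must be application/x-pkcs12; a PEM import or a plain
#    Set-AzKeyVaultSecret without -ContentType leaves it wrong or empty.
Write-Host "ContentType: '$($secret.ContentType)'"
if ($secret.ContentType -ne 'application/x-pkcs12') {
    Write-Warning "Expected 'application/x-pkcs12'; Microsoft.Web/certificates will reject this secret."
}

# 2. The value must be the base64 encoding of the PFX bytes.
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secret.SecretValue)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}
try {
    $bytes = [Convert]::FromBase64String($plain)
} catch {
    throw "Secret value is not valid base64, so it is not a PFX uploaded the way the guide expects."
}
Write-Host "Decoded size: $($bytes.Length) bytes"

# A PKCS#12 file is a DER SEQUENCE, so its first byte is 0x30.
if ($bytes.Length -eq 0 -or $bytes[0] -ne 0x30) {
    Write-Warning 'Decoded bytes do not start with a DER SEQUENCE tag (0x30); this is probably not a PKCS#12 blob.'
}

# 3. Open the blob with the password the PFX was exported with.
if ($PfxPassword) {
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
    try {
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes, $PfxPassword, $flags)
        Write-Host "Loaded: Subject=$($cert.Subject) Thumbprint=$($cert.Thumbprint) HasPrivateKey=$($cert.HasPrivateKey)"
        if (-not $cert.HasPrivateKey) {
            Write-Warning 'The blob contains no private key; App Service needs a PFX that includes the private key.'
        }
    } catch {
        Write-Warning "Could not open the blob as PKCS#12 with the given password: $($_.Exception.Message)"
    }
}
```

If the first check fails but the blob itself loads fine, re-importing the PFX with az keyvault certificate import (or Import-AzKeyVaultCertificate) sets the content type correctly; if the base64 or DER check fails, the upload step produced something other than the PFX bytes, which matches the undersized download described in the question.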

  2. Andy Hartmann 6 Reputation points
    2021-07-17T14:56:20.263+00:00

    so I conclude that if I generated a CSR in the key-vault with issuance policy - content type "PEM" (vs. PKCS #12) and obtained a certificate from an authority using that CSR, merged that CRT to have a valid certificate in my vault, that is essentially useless and cannot be imported / used for app services? If it can, how?
    Thank you

    1 person found this answer helpful.

  3. Mohamed Shehata Elbeltagy 11 Reputation points
    2021-10-28T21:42:37.35+00:00

    I had the same error, I found this answer on stackoverflow, it helped:

    There should be a service principal in the Azure AD, if not you can create it.

    Get-AzADServicePrincipal -DisplayName microsoft.azure.certificateregistration

    You need to assign that permission to keyvault via either access policies OR RBAC.

    I had this service principal already created. I'm not sure whether it is created when you start the app service certificate order or not.

    It is mentioned here:

    https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.web/app-service-certificate-standard

    By default, 'Microsoft.CertificateRegistration' and 'Microsoft.Web' RPs don't have access to the Key Vault specified in the template hence you need to authorize these RPs by executing the following PowerShell commands before deploying the template:

    Login-AzureRmAccount
    Set-AzureRmContext -SubscriptionId AZURE_SUBSCRIPTION_ID
    Set-AzureRmKeyVaultAccessPolicy -VaultName KEY_VAULT_NAME -ServicePrincipalName f3c21649-0979-4721-ac85-b0216b2cf413 -PermissionsToSecrets get,set,delete
    Set-AzureRmKeyVaultAccessPolicy -VaultName KEY_VAULT_NAME -ServicePrincipalName abfa0a7c-a6b6-4736-8310-5855508787cd -PermissionsToSecrets get

    The ServicePrincipalName parameter represents these RPs in the user tenant and will remain the same for all Azure subscriptions. This is a one-time operation. Once you have configured a Key Vault properly, you can use it to store as many App Service Certificates as you want without executing these PowerShell commands again.

    1 person found this answer helpful.
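The quickstart README quoted above grants the two resource provider service principals access with the older AzureRM cmdlets. The script below is an added example, not from the thread or the quickstart, that audits the same requirement with the current Az module (Az.Accounts, Az.Resources and Az.KeyVault after Connect-AzAccount, which is an assumption): it resolves each application ID quoted above to its service principal, reads the vault's access policies, and reports which secret permissions are missing, printing the Az-equivalent remediation command rather than changing anything. The vault name is a placeholder; the required permission sets are exactly the ones in the quoted commands.

```powershell
# Added read-only check; not part of the original thread or the linked quickstart.
# Assumes Az.Accounts, Az.Resources and Az.KeyVault and an existing Connect-AzAccount session.
# $VaultName is a caller-supplied placeholder. The application IDs and their
# permission sets are the ones quoted from the quickstart README above.
param([Parameter(Mandatory)] [string] $VaultName)

$required = @{
    'f3c21649-0979-4721-ac85-b0216b2cf413' = @('get', 'set', 'delete')
    'abfa0a7c-a6b6-4736-8310-5855508787cd' = @('get')
}

$vault = Get-AzKeyVault -VaultName $VaultName
if (-not $vault) { throw "Vault '$VaultName' not found in the current subscription." }

# Access policies are ignored on a vault that uses Azure RBAC; point at role assignments instead.
if ($vault.EnableRbacAuthorization) {
    Write-Host 'Vault uses Azure RBAC; access policies do not apply. Inspect role assignments with:'
    Write-Host "  Get-AzRoleAssignment -Scope $($vault.ResourceId)"
    return
}

foreach ($appId in $required.Keys) {
    # The RP's service principal must exist in this tenant before it can be granted anything.
    $sp = Get-AzADServicePrincipal -ApplicationId $appId
    if (-not $sp) {
        Write-Warning "No service principal for application $appId in this tenant. Create it with: New-AzADServicePrincipal -ApplicationId $appId"
        continue
    }

    $policy  = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $sp.Id }
    $granted = @()
    if ($policy) {
        $granted = @($policy.PermissionsToSecrets | ForEach-Object { $_.ToLowerInvariant() })
    }
    $missing = @($required[$appId] | Where-Object { $granted -notcontains $_ })

    if ($missing.Count -gt 0) {
        Write-Warning ("{0} ({1}) is missing secret permissions: {2}" -f $sp.DisplayName, $appId, ($missing -join ','))
        Write-Host "  Fix: Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $($sp.Id) -PermissionsToSecrets $($required[$appId] -join ',')"
    } else {
        Write-Host "$($sp.DisplayName) has the required secret permissions ($($granted -join ','))."
    }
}
```

Granting only the permissions listed (get for the Microsoft.Web principal, get/set/delete for the certificate registration principal) keeps the vault's policy at the minimum the deployment needs; the script deliberately reports rather than applies so the change is reviewed before it lands.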