How to decrypt venafi certificates uploaded to azure keyvault

Isaac Oluwade 20 Reputation points
2023-11-01T03:03:13.2+00:00

We have configured our Venafi certificate to sync with azure keyvault, with its key, chain and password. We need to download the certificate into VMs created in a VMSS using custom script extension, the only problem is the certificate is currently encrypted by keyvault. Does anyone know a simple way to decrypt the certificate using the script before copying into the virtual machines?


Accepted answer
  Akshay-MSFT 17,956 Reputation points Microsoft Employee Moderator
    2023-11-01T13:19:55.8133333+00:00

    @Isaac Oluwade

    Thanks for your time and patience. After digging through, I found that the certificates are imported and exported in different formats, as per the Importing Azure Key Vault certificates FAQ:

    • Certificates are always imported in PEM or PFX with a private key

    For a certificate import operation, Azure Key Vault accepts two certificate file formats: PEM and PFX. Although there are PEM files with only the public portion, Key Vault requires and accepts only a PEM or PFX file with a private key. For more information, see Import a certificate to Key Vault.

    • While exporting, you always get the certificate as a secret (base64), but it can be converted using Azure PowerShell.

    After a certificate is imported and protected in Key Vault, its associated password isn't saved. The password is required only once during the import operation. This is by design, but you can always get the certificate as a secret and convert it from Base64 to PFX by adding the password through Azure PowerShell.

    # Connect to Azure and select the subscription that contains the Key Vault
    # (legacy AzureRM cmdlets, as in the original answer)
    Login-AzureRmAccount
    Select-AzureRMSubscription -SubscriptionName "<name of subscription containing keyvault>"

    # Obtain the secret from Key Vault; its value is the certificate encoded as Base64
    $vaultName = '<name of Keyvault>'
    $secretName = '<name of secret containing certificate>'
    $certString = Get-AzureKeyVaultSecret -VaultName $vaultName -Name $secretName

    # Decode the Base64 secret into the raw (unprotected) PFX bytes and load it with an exportable private key
    $kvSecretBytes = [System.Convert]::FromBase64String($certString.SecretValueText)
    $certCollection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $certCollection.Import($kvSecretBytes,$null,[System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)

    # Re-export as PKCS#12 protected with the chosen password and write the PFX to disk
    $password = '<required password for PFX>'
    $protectedCertificateBytes = $certCollection.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $password)
    $pfxPath = "C:\temp\$secretName.pfx"
    [System.IO.File]::WriteAllBytes($pfxPath, $protectedCertificateBytes)


    Thanks,

    Akshay Kaushik

    Please "Accept the answer" (Yes), and share your feedback if the suggestion answers your query. This will help us and others in the community as well.

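The same secret-to-PFX conversion written against the current Az module, as an added example (not part of the accepted answer and not Microsoft's code). It assumes Az.KeyVault is installed, Connect-AzAccount has already been run, and PowerShell 7 for the PEM branch; it checks the secret's content type, since Key Vault hands the certificate back either as an unprotected Base64 PKCS#12 or as PEM text, and refuses to write a PFX with no private key. Vault name, secret name and output path are placeholders.

```powershell
# Added example: convert a Key Vault certificate secret into a password-protected PFX (Az module).
# Assumes Connect-AzAccount has run and, for the PEM branch, PowerShell 7 (.NET 5+ APIs).
$vaultName   = '<name of Keyvault>'                       # placeholder
$secretName  = '<name of secret containing certificate>'  # placeholder
$pfxPath     = "C:\temp\$secretName.pfx"                  # placeholder
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password for the exported PFX'

# The secret object carries the ContentType; -AsPlainText returns only the value string.
$secret = Get-AzKeyVaultSecret -VaultName $vaultName -Name $secretName
$value  = Get-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -AsPlainText

$x509  = 'System.Security.Cryptography.X509Certificates'
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
$certs = New-Object "$x509.X509Certificate2Collection"

switch ($secret.ContentType) {
    'application/x-pkcs12' {
        # Key Vault stores the PFX without a password, so the import password is $null.
        $certs.Import([Convert]::FromBase64String($value), $null, $flags)
    }
    'application/x-pem-file' {
        # PEM secrets hold the private key and the certificate chain as text:
        # pair the key with its certificate first, then append the rest of the chain.
        $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::CreateFromPem($value, $value)
        $null = $certs.Add($leaf)
        $chain = New-Object "$x509.X509Certificate2Collection"
        $chain.ImportFromPem($value)
        foreach ($c in $chain) {
            if ($c.Thumbprint -ne $leaf.Thumbprint) { $null = $certs.Add($c) }
        }
    }
    default { throw "Unexpected content type '$($secret.ContentType)' for secret $secretName" }
}

# A PFX without the private key is useless on the VM, so fail loudly instead of writing one.
if (-not ($certs | Where-Object HasPrivateKey)) {
    throw "Secret $secretName contains no private key"
}

# Re-export as PKCS#12 protected with the SecureString password and write it to disk.
$pkcs12 = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12
$bytes  = $certs.Export($pkcs12, $pfxPassword)
[System.IO.File]::WriteAllBytes($pfxPath, $bytes)
```

The resulting file is the password-protected PFX the custom script extension can copy to the VMSS instances; the password itself never appears in the script text.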
