Install certificate on remote server from Azure Key vault using PowerShell

Question

Install certificate on remote server from Azure Key vault using PowerShell

Narender Uppala 26

Hi there,

I have a certificate(.pfx) that has been stored in the Azure Key vault.

It would be great if anyone could help me to install a certificate using PowerShell from the Azure Key vault to a remote Windows server(2019).

1 answer

Your answer

Answer 1

JamesTran-MSFT 37,211 Microsoft Employee Moderator

@Narender Uppala
Thank you for your post!

When it comes to installing your certificate that's stored within the Azure Key Vault to a remote Windows Server outside of Azure, you should be able to do this by following this 3rd party doc - Installing a certificate from Azure KeyVault into a machine external to Azure.

The documentation goes over installing the certificate by creating an Azure AD App, granting that App's Service Principal Key Vault access, using Azure PowerShell commands to Get/List Secrets, deserializing the JSON payload and installing the PFX into the local machine.

I hope this helps!

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

Narender Uppala 26 Reputation points

2022-10-19T12:32:31.373+00:00

Hi @JamesTran-MSFT ,

Thank you for the quick response. I would like to install the cert on Azure windows servers and I have found that documentation based on your URL. Please find the URL below.

https://blog.baowebdev.com/2016/07/installing-a-certificate-from-azure-keyvault-into-an-azure-vm/

How can we fetch the Azure Key vault secret/certificate version in the ARM template dynamically?
JamesTran-MSFT 37,211 Reputation points Microsoft Employee Moderator

2022-10-21T16:50:29.017+00:00

@Narender Uppala
I'm glad that you were able to find the relevant doc from the article that I shared!

To retrieve the Vault Secrets/Certificates within an ARM template dynamically, this is currently only possible with Secrets. For more info - Reference secrets with dynamic ID. If you'd like this feature to be available for Vault Certificates, I'd recommend leveraging our User Voice forum and creating a feature request, so our engineering team can look into implementing this.

I've also created an internal feature request, so our engineering team is aware of this as well.

We also have a Key Vault virtual machine extension for Windows, which provides automatic refresh of certificates stored in an Azure key vault. Specifically, this extension monitors a list of certificates stored in key vaults, and, upon detecting a change, retrieves, and installs the corresponding certificates.

I hope this helps!

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
JamesTran-MSFT 37,211 Reputation points Microsoft Employee Moderator

2022-10-21T16:53:42.037+00:00

@Narender Uppala
I'll also share some additional links below.

Key Vault virtual machine extension for Windows - Template deployment
ARM Example - keyvaultexamples
Azure Key Vault REST API reference
Set and retrieve a secret from Azure Key Vault using PowerShell

If you have any other questions, please let me know.
Thank you!
Narender Uppala 26 Reputation points

2022-10-21T18:04:20.163+00:00

Hi @JamesTran-MSFT ,

Thanks again.

I have asked for fetching secret version dynamically using ARM templates. Not secrets.
JamesTran-MSFT 37,211 Reputation points Microsoft Employee Moderator

2022-10-24T17:27:52.3+00:00

@Narender Uppala
Thank you for following up on this and I apologize for missing that you wanted to get the Azure Key vault secret/certificate version dynamically via ARM Templates.

I've reached out to our KV engineering team to see if this is possible and will update as soon as I get a response from their end.

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

Narender Uppala 26

Hi @JamesTran-MSFT ,

I have fixed this issue by using the below code snippet in the ARM Template.

Variables:

----------

"keyVaultId": "[resourceId(concat('resourceGroupName'), 'Microsoft.KeyVault/vaults', 'keyVaultName'))]",  
"certId": "[concat( variables('keyVaultId'),'/secrets/certificateName')]",  //Note: Our certificate resides in the KeyVault Certificates section

Fetching the latest Certificate with version:

-------------------------------------------------

      "secrets": [{  
       "sourceVault": {  
        "id": "[variables('keyVaultId')]"  
      },  
      "vaultCertificates": [{  
        "certificateUrl": "[reference(variables('certId'), '2018-02-14').secretUriWithVersion]",  
        "certificateStore": "My"  
        }]  
      }]

Thank you for your help so far with this issue.

JamesTran-MSFT 37,211 Reputation points Microsoft Employee Moderator

2022-10-26T22:22:41.127+00:00

@Narender Uppala
Thank you for following up on this and I'm glad that you were able to resolve your issue!

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

----------

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
JamesTran-MSFT 37,211 Reputation points Microsoft Employee Moderator

2022-10-27T21:14:12.427+00:00

@Narender Uppala
I just wanted to check in and see if you had any other questions?

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

----------

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

Share via

Install certificate on remote server from Azure Key vault using PowerShell

1 answer

Your answer