Public exponent does not work when using Key Vault to create an RSA-HSM key

Wang Echo 21 Reputation points
2022-11-26T15:08:39.473+00:00

In the process of using the Key Vault REST API to create a key, I used the following request, but no matter how I modify the value of public_exponent, the returned E is not the result I set.
I use the REST API of the Key Vault service to create an RSA key and set the public_exponent to 3, but the E in the returned result is AQAB, which is 65537 instead of the 3 I set.
I have tried modifying the key_size to 2048, 3072 and 4096. I also tried modifying kty to RSA and RSA-HSM; the result is unchanged.

```http
#### Get token
POST https://login.microsoftonline.com/{tenantId}/oauth2/token
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&client_id={clientId}&client_secret={clientSecret}&resource=https://vault.azure.net


### Create RSA-HSM key
POST {vaultBaseUrl}/keys/{keyName}/create?api-version=7.3
Content-Type: application/json
Authorization: Bearer {token}

{
    "kty": "RSA",
    "key_size": 3072,
    "key_ops": [
        "encrypt",
        "decrypt",
        "sign",
        "verify",
        "wrapKey",
        "unwrapKey"
    ],
    "public_exponent": 3
}
```

Accepted answer
  1. JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator
    2022-11-30T23:13:15.337+00:00

    @Wang Echo
    Thank you for your time and patience throughout this issue!

    I received a response from our Key Vault engineering team and when it comes to the public_exponent property, this is only applicable when using the Azure Key Vault Managed HSM and not the Azure Key Vault. The public_exponent property doesn't exist in Key Vault's implementation of the Create Key REST API; we only use the key_size and crv (ECC keys).

    I've submitted feedback on the doc and created an internal doc-enhancement request to get this updated.

    Additional Links:
    Add public_exponent option to create_key #18016 - This is a related issue.
    Azure SDK for Python/Keys/_client.py - The Azure SDK for Python Key Vault repo also mentions this.
    Azure key management services - For more info on the different key management services.

    I hope this helps!

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

    1 person found this answer helpful.
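
Because the service accepts the request and silently ignores `public_exponent`, the only way to notice is to compare the returned key with what was asked for. The following is an added example, not code from the thread or from Microsoft: it decodes the base64url `e` and `n` fields and reports any mismatch. It assumes the response carries the JWK under a `key` field; the sample response, its modulus and its `kid` are constructed placeholders.

```python
import base64


def b64url_to_int(value: str) -> int:
    """Decode an unpadded base64url JWK field (big-endian bytes) to an int."""
    padded = value + "=" * (-len(value) % 4)
    return int.from_bytes(base64.urlsafe_b64decode(padded), "big")


def int_to_b64url(number: int) -> str:
    """Encode an int the way JWK fields such as n and e are encoded."""
    raw = number.to_bytes(max(1, (number.bit_length() + 7) // 8), "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def check_created_key(request_body: dict, response_body: dict) -> list:
    """Return mismatches between the create request and the returned key."""
    jwk = response_body["key"]
    problems = []
    got_e = b64url_to_int(jwk["e"])
    want_e = request_body.get("public_exponent")
    if want_e is not None and want_e != got_e:
        problems.append(f"public_exponent: requested {want_e}, returned {got_e}")
    got_bits = b64url_to_int(jwk["n"]).bit_length()
    want_bits = request_body.get("key_size")
    if want_bits is not None and want_bits != got_bits:
        problems.append(f"key_size: requested {want_bits}, returned {got_bits}")
    if request_body.get("kty") != jwk.get("kty"):
        problems.append(f"kty: requested {request_body.get('kty')}, returned {jwk.get('kty')}")
    return problems


# Request body from the question above.
SAMPLE_REQUEST = {"kty": "RSA", "key_size": 3072, "public_exponent": 3}

# Constructed response: n is a placeholder 3072-bit integer, not a real modulus;
# e is the "AQAB" value the question reports.
SAMPLE_RESPONSE = {
    "key": {
        "kid": "https://example.vault.azure.net/keys/example-key/0000",  # placeholder
        "kty": "RSA",
        "n": int_to_b64url((1 << 3071) | 1),
        "e": "AQAB",
    }
}

if __name__ == "__main__":
    for problem in check_created_key(SAMPLE_REQUEST, SAMPLE_RESPONSE):
        print("MISMATCH", problem)
```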
