Azure Key Vault PFX import not showing correct certificate details

Neven Cvetkovic 25 Reputation points
2023-02-12T21:05:06.12+00:00

I have problems with importing certificates into Azure Key Vault.

I have created a cert/fullchain/privatekey using Letsencrypt certbot.

The private key is a standard RSA 4096 key.

I have tried importing both fullchain+privatekey and certonly+privatekey, with the same results.

Subject, Issuer, Serial Number and SAN are all empty.


Activation date, Expiration date, X509 SHA-1 Thumbprint, Key Identifier and Secret Identifier are all populated as expected.

If I try to use this in the custom domain in Azure Spring Apps, the domain does not serve a certificate, and I get an SSL handshake error (I used openssl s_client to validate the certificate).


Can someone help me troubleshoot?

Why are certificates not properly populated when imported into Azure Key Vault?

Thanks!


Accepted answer
  1. Marilee Turscak-MSFT 36,841 Reputation points Microsoft Employee
    2023-02-14T00:39:42.59+00:00

    Hi Neven Cvetkovic,

    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    Issue:

    You imported a PFX certificate into Azure Key Vault but several of the certificate details were missing. The Subject, Issuer, Serial Number and SAN fields were all empty. However, the Activation date, Expiration date, X509 SHA-1 Thumbprint, Key Identifier and Secret Identifier all populated as expected.

    When you tried to use this in the custom domain in Azure Spring Apps, the domain would not serve a certificate, and you received an SSL handshake error.

    Solution:

    Using an RSA key instead of an ECDSA key resolved the issue.

    See related GitHub issue.

    If you have any other questions or are running into more Key Vault issues, please let me know.

    Thank you again for your time and patience throughout this issue.

    -

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.


1 additional answer

  1. Neven Cvetkovic 25 Reputation points
    2023-02-12T21:12:43.84+00:00

    My bad.

    It seems it was an ECDSA type key (default for Letsencrypt certbot), not an RSA key as I originally stated in the question.

    The import requires you to use an RSA key instead of an ECDSA key.
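A pre-import check that would have surfaced the key-type mismatch discussed in this thread, added here as an example (it is not code from the thread, from Azure or from certbot): it reads the algorithm OID out of the PKCS#8 AlgorithmIdentifier of a PEM private key using only the Python standard library. The SAMPLE_* fixtures are constructed PKCS#8 shells for offline testing, not real keys.

```python
import base64
import re

# DER contents of the PKCS#8 AlgorithmIdentifier OIDs, mapped to the key family.
KEY_ALGORITHM_OIDS = {
    bytes.fromhex("2a864886f70d010101"): "RSA",  # 1.2.840.113549.1.1.1 rsaEncryption
    bytes.fromhex("2a8648ce3d0201"): "EC",       # 1.2.840.10045.2.1 id-ecPublicKey (certbot default)
}

def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def key_algorithm(pem):
    """Return 'RSA', 'EC' or 'unknown' for a PEM-encoded private key."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END", pem, re.S)
    if not m:
        return "unknown"
    label, body = m.group(1), m.group(2)
    if label in ("RSA PRIVATE KEY", "EC PRIVATE KEY"):  # legacy (PKCS#1 / SEC1) labels
        return label.split()[0]
    if label != "PRIVATE KEY":                           # anything else is not PKCS#8
        return "unknown"
    der = base64.b64decode("".join(body.split()))
    tag, info, _ = _read_tlv(der, 0)      # PrivateKeyInfo SEQUENCE
    _, _, pos = _read_tlv(info, 0)         # version INTEGER
    _, alg, _ = _read_tlv(info, pos)       # AlgorithmIdentifier SEQUENCE
    oid_tag, oid, _ = _read_tlv(alg, 0)    # algorithm OID
    if tag != 0x30 or oid_tag != 0x06:
        return "unknown"
    return KEY_ALGORITHM_OIDS.get(oid, "unknown")

# Constructed fixtures (NOT real keys): minimal PKCS#8 shells that carry only the
# AlgorithmIdentifier, so the check can be exercised offline.
def _fake_pkcs8(alg_oid, params):
    tlv = lambda tag, c: bytes([tag, len(c)]) + c
    body = tlv(0x02, b"\x00") + tlv(0x30, tlv(0x06, alg_oid) + params) + tlv(0x04, b"\x00")
    b64 = base64.b64encode(tlv(0x30, body)).decode()
    return f"-----BEGIN PRIVATE KEY-----\n{b64}\n-----END PRIVATE KEY-----\n"

SAMPLE_RSA_PEM = _fake_pkcs8(bytes.fromhex("2a864886f70d010101"), bytes.fromhex("0500"))
SAMPLE_EC_PEM = _fake_pkcs8(bytes.fromhex("2a8648ce3d0201"), bytes.fromhex("06082a8648ce3d030107"))  # P-256 params

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, key_algorithm(open(path).read()))
```

Run it against certbot's privkey.pem to see whether it reports EC (certbot's default) or RSA before uploading the PFX; certbot's `--key-type rsa` option requests an RSA key at issuance.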

