unable to download azure keyvault certificate using powershell with AZ module

nedukull 1 Reputation point
2023-07-02T18:21:34.29+00:00

I am trying to download the certificate secret from Azure Key Vault using the Az module but it's giving an error.

$pfxSecret = Get-AzKeyVaultSecret -VaultName "xxxx" -Name "xxxxxxx" -AsPlainText
$secretByte = [Convert]::FromBase64String($pfxSecret)
$x509Cert = New-Object Security.Cryptography.X509Certificates.X509Certificate2
$x509Cert.Import($secretByte, $null, [Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
$pfxFileByte = $x509Cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $password)
# Write to a file
[IO.File]::WriteAllBytes("KeyVaultcertificate.pfx", $pfxFileByte)

Below is the error:

Exception calling "Import" with "3" argument(s): "Cannot find the requested object.
"
At line:6 char:1
+ $x509Cert.Import($secretByte, $null, [Security.Cryptography.X509Certi ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : CryptographicException
 
Exception calling "Export" with "2" argument(s): "Invalid pointer
"
At line:7 char:1
+ $pfxFileByte = $x509Cert.Export([Security.Cryptography.X509Certificat ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : CryptographicException
 
Exception calling "WriteAllBytes" with "2" argument(s): "Value cannot be null.
Parameter name: bytes"
At line:10 char:1
+ [IO.File]::WriteAllBytes("KeyVaultcertificate.pfx", $pfxFileByte)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : ArgumentNullException

The one below is giving a different error:

$kvSecret = Get-AzKeyVaultSecret -VaultName "xxxxxx" -Name "xxxxxx" -AsPlainText
$kvSecretBytes = [System.Convert]::FromBase64String($kvSecret.SecretValueText)
$jsonObject = [System.Text.Encoding]::UTF8.GetString($kvSecretBytes)
$customObject = ConvertFrom-Json $jsonObject
$pfxBytes = [System.Convert]::FromBase64String($customObject.data)
$certCollection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$certCollection.Import($pfxBytes,$customObject.password,[System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)

Error:

Exception calling "Import" with "3" argument(s): "The parameter is incorrect.
"
At line:14 char:1
+ $certCollection.Import($pfxBytes,$customObject.password,[System.Secur ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : CryptographicException
 

The same logic is working fine with the AzureRM module.

$kvSecret = Get-AzureKeyVaultSecret -VaultName $keyVault -Name $keyVaultSecret
$kvSecretBytes = [System.Convert]::FromBase64String($kvSecret.SecretValueText)
$jsonObject = [System.Text.Encoding]::UTF8.GetString($kvSecretBytes)
$customObject = ConvertFrom-Json $jsonObject
$pfxBytes = [System.Convert]::FromBase64String($customObject.data)
$certCollection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$certCollection.Import($pfxBytes,$customObject.password,[System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)


2 answers

  1. Murat-4795 475 Reputation points
    2023-07-03T08:54:55.2966667+00:00

    Hi Nedukull,

    You can use the following script for exporting a certificate using powershell:

    $vaultName = '<YourVault>'
    $certificateName = '<YourCert>'
    $password = '<YourPwd>'
    $pfxSecret = Get-AzKeyVaultSecret -VaultName $vaultName -Name $certificateName -AsPlainText
    $secretByte = [Convert]::FromBase64String($pfxSecret)
    $x509Cert = New-Object Security.Cryptography.X509Certificates.X509Certificate2
    $x509Cert.Import($secretByte, $null, [Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
    $pfxFileByte = $x509Cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $password)
    # Write to a file
    [IO.File]::WriteAllBytes("KeyVaultcertificate.pfx", $pfxFileByte)

    For more information on how the script works, please refer to the documentation below:
    https://learn.microsoft.com/en-us/azure/key-vault/certificates/how-to-export-certificate?tabs=azure-powershell

    Regards,

    Murat


    If the response helped, do "Accept Answer" and up-vote it

    1 person found this answer helpful.

  2. JamesTran-MSFT 36,776 Reputation points Microsoft Employee
    2023-07-06T19:38:08.83+00:00

    @nedukull

    Thank you for your post and I apologize for the delayed response!

    I understand that you're trying to download a Key Vault Certificate using PowerShell but are having issues when using the Az module. To hopefully help point you in the right direction or resolve your issue, I'll share my findings along with some troubleshooting steps below.

    Error Messages

    Script 1:

    • Exception calling "Import" with "3" argument(s): "Cannot find the requested object.
    • Exception calling "Export" with "2" argument(s): "Invalid pointer
    • Exception calling "WriteAllBytes" with "2" argument(s): "Value cannot be null.

    Script 2:

    • Exception calling "Import" with "3" argument(s): "The parameter is incorrect.

    Findings:
    Based on Script 1's error messages, it looks like it's indicating that the certificate object isn't found. However, within your second script, it's receiving an incorrect parameter within the $certCollection.Import method.

    When it comes to troubleshooting your scripts:

    • Script 1 - Make sure your referenced certificate exists and that it's exportable. For more info.
    • Script 2 - Can you see if the $customObject.password parameter has the correct password and that it matches the password used to protect the PFX file? You can also check if the $pfxBytes variable contains the correct data by ensuring the $pfxBytes.Length is greater than 0.

    I also noticed that you mentioned if the secret is a PFX certificate it's working as expected, but if it's just a Secret with encoded format you're running into issues.

    • Since you're having issues downloading the Secret, can you see if the script below helps? The script will return a KeyVaultSecret object that contains the secret value in Base64-encoded format. You can then convert the Base64-encoded string to a byte array and save it to a file.
    $secret = Get-AzKeyVaultSecret -VaultName "xxxx" -Name "xxxxxxx"
    # Az.KeyVault exposes the value only as a SecureString in .SecretValue; the AzureRM-era .SecretValueText property does not exist
    $secretText = [System.Net.NetworkCredential]::new('', $secret.SecretValue).Password
    $secretValue = [System.Convert]::FromBase64String($secretText)
    [IO.File]::WriteAllBytes("secret.txt", $secretValue)
    

    I hope this helps!

    If you're still having issues and would like to work with our Key Vault team, please let me know. I'd be happy to enable your Azure Subscription for a one-time free technical support request so you can get this issue resolved.

    Thank you for your time and patience throughout this issue.


    If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
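
A consolidated version of the export, added here as an example and not taken from the question or either answer. It assumes Az.KeyVault 2.x or later (where Get-AzKeyVaultSecret returns the value as a SecureString in .SecretValue and the AzureRM-era .SecretValueText property that the second and third scripts rely on no longer exists, so those scripts end up base64-decoding $null) and a signed-in Az context with Get permission on secrets; it handles both storage formats seen in the thread, the raw base64 PKCS#12 that Key Vault stores for its own certificates (script 1) and the base64 JSON wrapper with data/password fields (scripts 2 and 3). Vault, certificate and output names are placeholders.

```powershell
# Added example (not from the question or the answers): export a Key Vault certificate
# with the Az module, handling both storage formats seen in the thread.
# Assumptions: Az.KeyVault 2.x+ (Get-AzKeyVaultSecret returns the value as a SecureString in
# .SecretValue and has no .SecretValueText); the caller already has a signed-in Az context
# with "Get" permission on secrets. Vault/secret names and the output path are placeholders.
param(
    [Parameter(Mandatory)][string] $VaultName,
    [Parameter(Mandatory)][string] $CertificateName,
    [Parameter(Mandatory)][securestring] $PfxPassword,   # protects the private key on disk
    [string] $OutFile = "$CertificateName.pfx"
)

$ErrorActionPreference = 'Stop'

# 1. Fetch the secret that backs the certificate. In Az the value is a SecureString;
#    AzureRM's .SecretValueText no longer exists, which is why the question's scripts
#    ended up passing $null (and later an empty byte array) into Import().
$secret = Get-AzKeyVaultSecret -VaultName $VaultName -Name $CertificateName
$plain  = [System.Net.NetworkCredential]::new('', $secret.SecretValue).Password
if ([string]::IsNullOrEmpty($plain)) { throw "Secret '$CertificateName' has no value (check the Get permission)." }
if ($secret.ContentType -eq 'application/x-pem-file') { throw "PEM-formatted certificates are not handled here." }

# 2. Detect the storage format. Certificates created by Key Vault are base64 PKCS#12
#    (content type application/x-pkcs12). Secrets uploaded the legacy way are a base64
#    JSON wrapper {"data": "<base64 pfx>", "password": "..."} as in scripts 2 and 3.
$raw = [Convert]::FromBase64String($plain)
$importPassword = $null
if ($raw.Length -gt 0 -and $raw[0] -eq [byte][char]'{') {
    $wrapper        = [Text.Encoding]::UTF8.GetString($raw) | ConvertFrom-Json
    $raw            = [Convert]::FromBase64String($wrapper.data)
    $importPassword = $wrapper.password
}
if ($raw.Length -eq 0) { throw "Decoded certificate is empty." }

# 3. Import with the exportable flag, verify the private key is present, then re-export
#    as a password-protected PFX so the key never sits unencrypted on disk.
$flags = [Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
$cert  = [Security.Cryptography.X509Certificates.X509Certificate2]::new($raw, $importPassword, $flags)
if (-not $cert.HasPrivateKey) { throw "Certificate '$($cert.Subject)' has no private key; nothing to export." }

$pfxBytes = $cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $PfxPassword)
[IO.File]::WriteAllBytes($OutFile, $pfxBytes)
Write-Host "Exported $($cert.Subject) (thumbprint $($cert.Thumbprint)) to $OutFile"
```

Supply -PfxPassword from Read-Host -AsSecureString rather than a literal so the export password does not end up in shell history.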

