Azure API Management cannot import PEM certificate generated in Key Vault

IlicMarko 25 Reputation points

When I try to add a certificate in API Management that was generated in Key Vault (as a PEM certificate), I get the following error: Secret data fetched from SecretIdentifier is invalid. Certificate data should contain a valid Base64Encoded string.

How can I resolve this issue? I want to add the certificate from Key Vault, not do a Custom import in API Management.

Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.

1 answer

  1. Konstantinos Passadis 11,471 Reputation points

    Hello @IlicMarko!

    I see that API Management is trying to retrieve the certificate from Key Vault, and it's not getting the data in the expected format. Here are some steps to help you troubleshoot and resolve the issue:

    1. Secret Format in Key Vault:
      • The certificate stored in Key Vault should be a Base64-encoded string representation of the certificate.
        • Certificates in Azure Key Vault can be stored in two primary ways: As secrets or as actual certificates. If you are storing it as a secret, ensure it's properly Base64-encoded.
    2. Certificate Format:
      • Ensure the certificate is in the correct format (typically PEM or PFX).
        • For PEM, it should look something like:

    -----BEGIN CERTIFICATE-----
    (Base64-encoded cert data)
    -----END CERTIFICATE-----

    3. Access Permissions:
      • Make sure API Management has the correct permissions to retrieve secrets from the Key Vault.
        • You can set this in Key Vault under "Access policies".
    4. Certificate Extraction:
      • If the certificate is stored as an actual certificate in Key Vault, there's a unique identifier (versioned or latest) that points to the current version of the certificate. Make sure you're using the correct identifier.
    5. Using Azure CLI:
      • You can use the Azure CLI to fetch the secret from Key Vault and ensure it's in the correct format.

    az keyvault secret show --name your-secret-name --vault-name your-keyvault-name

    Check the returned value for the proper Base64-encoded certificate string.

    6. Azure Key Vault to API Management:
      • When setting up the integration between Azure Key Vault and API Management, ensure that you're using the appropriate reference to the Key Vault secret/certificate.
        • There's a known pattern for referencing Key Vault secrets in many Azure services, which looks something like this:


    Ensure you're using a similar reference, and the SecretUri is correct.

    7. Log & Monitoring:
      • Check Azure Monitor and API Management's logs to gather more information about the error. It may offer more specifics on why the fetch operation is failing.
    8. ARM Template Deployment (if applicable):
      • If you're deploying using ARM templates or any other infrastructure as code solution, ensure the references and parameters are correctly set.

    Please try the above and get back to us!

    I hope this helps!

    Kindly mark the answer as Accepted and Upvote in case it helped!
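
The check from the "Using Azure CLI" step, as an added example that is not part of the original answer: it takes the JSON printed by `az keyvault secret show` and reports whether the secret value is one Base64 string (what the error message asks for) or armored PEM text. The sample documents are constructed, and the content types `application/x-pem-file` and `application/x-pkcs12` plus the layout of each secret value are assumptions about how Key Vault stores the secret behind a generated certificate.

```python
import base64
import binascii
import json
import re

# PEM armor lines such as "-----BEGIN CERTIFICATE-----"
PEM_ARMOR = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")


def classify_secret(az_json: str) -> dict:
    """Classify the JSON printed by `az keyvault secret show`."""
    secret = json.loads(az_json)
    value = secret.get("value") or ""
    labels = PEM_ARMOR.findall(value)
    try:
        # validate=True rejects armor dashes and newlines instead of skipping them
        raw = base64.b64decode(value.strip(), validate=True)
        single_base64 = len(raw) > 0
    except (binascii.Error, ValueError):
        raw, single_base64 = b"", False
    return {
        "content_type": secret.get("contentType"),
        "pem_blocks": labels,
        "single_base64": single_base64,
        # DER structures (PKCS#12 included) start with the SEQUENCE tag 0x30
        "der_sequence": raw[:1] == b"\x30",
    }


def _sample(content_type: str, value: str) -> str:
    # Constructed stand-in for the CLI output; only the two fields used here
    return json.dumps({"contentType": content_type, "value": value})


# Constructed sample data, not real key material
_FAKE_DER = b"\x30\x82\x01\x00" + bytes(range(60))
_B64 = base64.b64encode(_FAKE_DER).decode()
PEM_SECRET = _sample(
    "application/x-pem-file",
    "-----BEGIN PRIVATE KEY-----\n" + _B64 + "\n-----END PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\n" + _B64 + "\n-----END CERTIFICATE-----\n",
)
PFX_SECRET = _sample("application/x-pkcs12", _B64)

if __name__ == "__main__":
    for name, doc in (("PEM", PEM_SECRET), ("PFX", PFX_SECRET)):
        print(name, classify_secret(doc))
```

When piping real CLI output into `classify_secret`, keep it out of logs and shell history: the secret value behind a certificate contains the private key.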