Import Cert into Key vault using REST API/cURL

Digit Labs 1 Reputation point
2020-11-12T03:56:27.397+00:00

I am trying to import a Let's Encrypt Base64-encoded cert and private key using the REST API below, but it's failing:

https://learn.microsoft.com/en-us/rest/api/keyvault/importcertificate/importcertificate?source=docs#jsonwebkeytype

The command I am using to import the cert is:

curl -s -H "Authorization: Bearer ${TOKEN}" -d @datafile -H "Content-Type: application/json" https://named-keyvault.vault.azure.net/certificates/httpd/import?api-version=7.1

{"error":{"code":"BadParameter","message":"The specified Base64-encoded PKCS#12 X.509 certificate content can not be read. Please check if certificate is valid, and is correctly Base64 encoded."}}

I even converted the private key to:

$ openssl pkcs8 -topk8 -v2 aes256 -in cleartext.key -out encrypted.key

But I am still getting the same error as above. Any help would be really helpful.

The contents of the json datafile are as follows:

cat > datafile <<EOF
{"value": "-----BEGIN CERTIFICATE-----
MIIFijCCBHKgAwIBAgISBOOd0e3A6nPIdgyXeFlFTzh
-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHzBJBgkqhkiG9w0BBQ0wPDAb
-----END ENCRYPTED PRIVATE KEY-----",
"pwd": "123",
"policy": {
"key_props": {
"exportable": true,
"kty": "RSA",
"key_size": 2048,
"reuse_key": false
},
"secret_props": {
"contentType": "application/x-pkcs12"
}
}
}
EOF


Answer

    JamesTran-MSFT 36,626 Reputation points Microsoft Employee
    2020-11-13T18:56:15.667+00:00

    @Digit Labs
    Thank you for the quick response!

    A common reason for the import to fail is that openssl may add certain commentary text in the .pem file. For example, if you convert a PFX to a PEM using the below command:

    openssl pkcs12 -in cert.pfx -out cert.pem

    Then using "cat cert.pem", you might see something like:

    Bag Attributes
        localKeyID: D4 2F E7 46 EA BC 7F 00 35 1F 1A 2F 33 07 81 5F 31 7F 90 E7
    subject=/CN=example.com
    issuer=/CN=example.com
    -----BEGIN CERTIFICATE-----
    (etc)

    Azure Key Vault does not understand any text in the .pem file that is not between -----BEGIN etc----- and -----END etc----- marks.

    You can try to avoid these comments by concatenating the certificate (i.e. public key) and the private key together in a cat command:

    openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
    cat cert.pem key.pem > tobeimported.pem

    The above command will produce a tobeimported.pem file that Key Vault understands.

    Reference: https://github.com/MicrosoftDocs/azure-docs/issues/23558

    If you're still running into issues, can you please email me with the info below? This way I can enable a free one-time technical support request for you so our support engineers can take a closer look into your issue.

    Email: AzCommunity@microsoft.com
    Subject: ATTN - James Tran
    Body:
    Azure Subscription ID
    Link to this issue

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

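The answer's point is that only the text between the BEGIN/END markers is accepted, and the question shows the PEM being pasted straight into a JSON body. The following is an added example (not from the question, the answer, or Azure's own tooling) that strips openssl commentary such as Bag Attributes, checks that the bundle holds one certificate chain and one private key, and builds the import request body with json.dumps so the newlines are escaped. It assumes an RSA key, as in the question; the sample PEM is constructed with placeholder base64 and is not a real certificate or key.

```python
import json
import re

# Matches one "-----BEGIN X-----" ... "-----END X-----" block; anything outside
# such blocks (Bag Attributes, subject=/issuer= lines) is dropped.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)

# Constructed sample: openssl-style commentary plus placeholder base64 bodies.
SAMPLE_PEM = """Bag Attributes
    localKeyID: D4 2F E7 46
subject=/CN=example.com
issuer=/CN=example.com
-----BEGIN CERTIFICATE-----
MIIFijCCBHKgAwIBAgIS
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG
-----END PRIVATE KEY-----
"""


def extract_pem_blocks(text):
    """Return (label, block) pairs for every PEM block found in text."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def build_import_body(pem_text, password=None, exportable=True):
    """Build the JSON body for POST .../certificates/{name}/import?api-version=7.1."""
    blocks = extract_pem_blocks(pem_text)
    certs = [b for label, b in blocks if label == "CERTIFICATE"]
    keys = [b for label, b in blocks if label.endswith("PRIVATE KEY")]
    if not certs:
        raise ValueError("no CERTIFICATE block found")
    if len(keys) != 1:
        raise ValueError("expected exactly one private key block, found %d" % len(keys))
    if keys[0].startswith("-----BEGIN ENCRYPTED") and not password:
        raise ValueError("encrypted private key requires a password")
    body = {
        # json.dumps turns the embedded newlines into \n escapes, so the whole
        # bundle becomes a single valid JSON string.
        "value": "\n".join(certs + keys) + "\n",
        "policy": {
            "key_props": {"exportable": exportable, "kty": "RSA",
                          "key_size": 2048, "reuse_key": False},
            # PEM bundles are declared as application/x-pem-file; x-pkcs12 is for PFX.
            "secret_props": {"contentType": "application/x-pem-file"},
        },
    }
    if password:
        body["pwd"] = password
    return body


if __name__ == "__main__":
    print(json.dumps(build_import_body(SAMPLE_PEM), indent=2))
```

Write the printed JSON to the datafile and send it with the curl command from the question.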
