Certificate "Data encipherment" key usage flag removed by CA but Key Vault decryption still works?

Sandner Emanuel 0 Reputation points
2024-03-06T10:20:58.7433333+00:00

Hello,

I have a question about the expected behaviour of the Azure Key Vault when a Certificate is finalized by merging the Key Vault Certificate with a signed request.

When a Certificate is created in Azure Key Vault with the "Data encipherment" key usage flag (so that the associated private key in the Key Vault can be used for data decryption) and the CSR is signed by a CA, the resulting signed Certificate may not include the "Data encipherment" flag anymore (depending on the used CA I guess).

Nevertheless, uploading the signed Certificate via "Merge Signed Request" to finalize the Certificate creation process in Azure Key Vault works fine. The merged and finalized Certificate in Azure Key Vault also does not include the "Data encipherment" key usage flag anymore but only the ones from the signed Certificate.

Interestingly, decryption via the Azure Key Vault REST API using the private key associated with the Certificate still works as it should because of the initially set "Data encipherment" key usage flag (even though it's missing in the final Certificate). Doing the same Certificate creation and signing process but omitting the "Data encipherment" flag in the beginning (i.e., also not present in the CSR) does not allow decrypting ciphertext through the Key Vault.

Is this the expected behaviour of the Key Vault?

I.e., the X.509 key usage flags given in the signed Certificate seem to override the initially selected flags from the Key Vault when merging the signed request, but that does not override the permission to decrypt ciphertext through the Key Vault API.

Doesn't this result in an inconsistency between the key usage description from the Certificate and what the Key Vault permits (e.g. data decryption, even though a Client may not know that data encryption is "allowed", because the "Data encipherment" flag is missing in the Certificate)?

To be clear, I want and need to set the "Data encipherment" flag for (asymmetric) data encryption and decryption (albeit I understand this is seldom used) and I want to use a Certificate so that the key-pair is bound to a specific 3rd party, but I was wondering if the resulting Key Vault behaviour is correct.


1 answer

  1. Akshay-MSFT 16,026 Reputation points Microsoft Employee
    2024-03-11T17:11:04.3066667+00:00

    @Sandner Emanuel

    Thank you for posting your query on Microsoft Q&A. From the above description, I could understand that you have generated a certificate using Azure KeyVault with the "Data Encipherment" flag, but when you merge the signed CSR with the KeyVault request, the signed certificate is missing the flag.

    Please do correct me if this is not the case by responding in the comments section.

    I tested this in my lab with request as follows:


    Post merging the signed request, the resulting certificate is missing the other key usage flag.

    Answer to your first question would be yes, the resulting signed Certificate may not include the "Data encipherment" flag anymore.

    Despite the presence or absence of the "Data encipherment" flag in the signed certificate, decryption via the Azure Key Vault REST API using the private key associated with the certificate still works as it should because of the initially set "Data encipherment" key usage flag. This is because the "Data encipherment" flag is set on the private key in the Key Vault, not on the certificate itself.

    Please "Accept the answer (Yes)" and "share your feedback". This will help us and others in the community as well.

    Thanks,

    Akshay Kaushik

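The mismatch discussed in the question and confirmed in the answer (Key Vault still permits `decrypt` although the merged certificate no longer advertises dataEncipherment) can be audited mechanically. The following is an added example, not code from the Q&A or from Microsoft: it decodes the DER value of an X.509 KeyUsage extension (RFC 5280 4.2.1.3) and reports which Key Vault key operations the certificate does not advertise. The `KEY_OPS` list and the operation-to-flag mapping are assumptions about what the Key Vault key's `key_ops` contains, and the DER bytes are constructed samples.

```python
# Added example (not from the original Q&A): audit an X.509 KeyUsage extension
# against the key operations a Key Vault key reports.
KEY_USAGE_BITS = [  # bit positions as defined in RFC 5280 section 4.2.1.3
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]

# Assumed mapping: which X.509 flag advertises each Key Vault key operation.
OP_TO_FLAG = {
    "encrypt": "dataEncipherment", "decrypt": "dataEncipherment",
    "wrapKey": "keyEncipherment", "unwrapKey": "keyEncipherment",
    "sign": "digitalSignature", "verify": "digitalSignature",
}

def decode_key_usage(der: bytes) -> set:
    """Decode the DER BIT STRING that is the value of a KeyUsage extension."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("unexpected BIT STRING length encoding")
    unused_bits = der[2]          # number of padding bits in the last byte
    payload = der[3:]
    total_bits = len(payload) * 8 - unused_bits
    flags = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        if payload[i // 8] & (0x80 >> (i % 8)):   # bit 0 is the MSB of byte 0
            flags.add(KEY_USAGE_BITS[i])
    return flags

def unadvertised_ops(key_usage_der: bytes, key_ops) -> set:
    """Key Vault operations that the certificate's KeyUsage does not advertise."""
    flags = decode_key_usage(key_usage_der)
    return {op for op in key_ops if OP_TO_FLAG.get(op) not in flags}

# Constructed sample: digitalSignature + keyEncipherment only, i.e. the
# CA-issued certificate after the merge dropped dataEncipherment.
CA_ISSUED_KEY_USAGE = bytes.fromhex("030205a0")
# Constructed sample: same flags plus dataEncipherment, as in the original CSR.
CSR_KEY_USAGE = bytes.fromhex("030204b0")
# Assumed key_ops of the Key Vault key backing the certificate.
KEY_OPS = ["sign", "verify", "wrapKey", "unwrapKey", "encrypt", "decrypt"]

if __name__ == "__main__":
    print("cert advertises:", sorted(decode_key_usage(CA_ISSUED_KEY_USAGE)))
    print("permitted but unadvertised:", sorted(unadvertised_ops(CA_ISSUED_KEY_USAGE, KEY_OPS)))
```

Run against a real deployment, the DER value comes from the merged certificate's KeyUsage extension and `KEY_OPS` from the key's `key_ops` property; any non-empty result is the inconsistency the question describes.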