Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,175 questions
"Authority Key Identifier Extension is malformed" when importing CA-signed certificate to Azure Key Vault
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 57.00000000000001%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
Malhar
0
Reputation points
When I try to import a CA-signed certificate to Azure Key Vault in both .pfx or .pem format, I'm getting the following error:
CODE BadParameter
MESSAGE The specified X.509 certificate content is invalid. Error: x.509 authority key identifier extension is malformed..
I have checked the certificate using openssl x509 -in certificate.pfx -text -noout and the authority key identifier extension values are different from each other.
So I would like to understand, is it necessary that both Subject Key Identifier & Authority Key Identifier values should be same?
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 26%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EN%3C/text%3E%3C/svg%3E)
Navya 6,115 Reputation points Microsoft Vendor2024-07-04T07:03:35.2866667+00:00 Hi @Malhar
Thank you for posting this in Microsoft Q&A.
I understand that you are trying import CA-signed certificate to Azure Key Vault, but you get an error "The specified X.509 certificate content is invalid. Error: x.509 authority key identifier extension is malformed".
Can you confirm which tool you have used to generate self-signed CA?
If you used OpenSSL or another tool to generate self-signed CA, you need to add the public certificate for that CA to the X509Store.
I would like to understand, is it necessary that both Subject Key Identifier & Authority Key Identifier values should be same?
In conforming CA certificates, the value of the subject key identifier MUST be the value placed in the key identifier field of the authority key identifier extension of certificates issued by the subject of this certificate.
For more information about Subject Key Identifier & Authority Key Identifier
Authority Key Identifier Subject Key Identifier
Hopes this helps. Do let us know if you any further queries.
Thanks,
Navya.
-
Malhar 0 Reputation points
2024-07-04T11:19:05.38+00:00 Hi Navya,
Referring to your first question, I have used openssl to generate a .csr(certificate signing request) file request in which first I generated a private key & based on that key I have generated a .csr file.
Afterwards, I provided that .csr file to the third party to sign & send us the new certificate.
So, as per my understanding, this process is not 'Self Signed' but its a 'Certificate issued by a non-integrated CA', am I correct on this?Can you please let me know did I follow right process to generate the .csr, certificate from third party CA?
Sign in to comment