When you create a Certificate Signing Request (CSR) from Azure Key Vault, the private key is generated and stored securely within Azure Key Vault, but it is not exportable unless you explicitly configure the key as exportable when you create the CSR.
More specifically, when you create a CSR in Azure Key Vault using the BeginCreateCertificate method with a CertificatePolicy, Azure Key Vault generates a key pair (private and public keys). The private key is stored securely in the Key Vault's HSM-backed or software-protected storage. Only the public part of the key is used to generate the CSR.
Effectively, you can't download the private key by default from Azure Key Vault. This is by design to keep the private key secure. The CSR can be exported, submitted to your CA, and when the CA returns the signed certificate, you merge it back into Key Vault, but the private key never leaves the vault.
To create a .pfx (which includes both the certificate and the private key), you need to make the key exportable and use Azure to export the PFX:
- When creating the certificate (or CSR), set exportable: true in the certificate policy (field names as accepted by the az CLI policy file):
  "keyProperties": { "exportable": true, "keyType": "RSA", "keySize": 2048, "reuseKey": false }
- After the CA returns the signed certificate and you merge it into Azure Key Vault, use the Azure CLI or PowerShell to download the full certificate including the private key:
  # "az keyvault certificate download" only returns the public certificate (PEM/DER);
  # the private key bundle is exposed through the secret of the same name.
  az keyvault secret download \
    --vault-name <vault-name> \
    --name <cert-name> \
    --file cert.pfx \
    --encoding base64
- You now have a .pfx file with the private key.
If the certificate was not created as exportable, then unfortunately the private key is locked inside the Key Vault: you cannot extract it, and you cannot create a .pfx using openssl. So your only option is to recreate the certificate, this time ensuring it is marked as exportable.
If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
hth
Marcin
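The procedure in the answer above, scripted end to end as an added example (this is not code from the original answer or from Azure's own samples). It drives the az CLI from Python: build an exportable policy, create the certificate so Key Vault emits a CSR, and after the CA-signed certificate is merged, check the policy's exportable flag before fetching the private-key bundle through the secret endpoint. The vault and certificate names are placeholders, az is assumed to be installed and logged in, and the JSON shapes of the `az keyvault certificate show`, `pending show` and `secret show` outputs are modeled as I understand them (assumptions, noted in the comments); the sample documents in the comments are constructed.

```python
"""Added example: CSR -> merge -> PFX with Azure Key Vault via the az CLI.
Placeholders and assumptions are marked inline; nothing here is the original
answer's code."""
import base64
import json
import subprocess
import sys
import tempfile
from pathlib import Path

VAULT = "example-vault"  # assumption: replace with your vault name
CERT = "example-cert"    # assumption: replace with your certificate name


def exportable_policy(subject, dns_names, key_size=2048):
    """Policy in the shape `az keyvault certificate create --policy @file`
    accepts (same field names as `az keyvault certificate get-default-policy`).
    Issuer 'Unknown' makes Key Vault produce a CSR instead of self-signing."""
    return {
        "issuerParameters": {"name": "Unknown"},
        "keyProperties": {
            "exportable": True,  # the setting the answer turns on
            "keyType": "RSA",
            "keySize": key_size,
            "reuseKey": False,
        },
        "secretProperties": {"contentType": "application/x-pkcs12"},
        "x509CertificateProperties": {
            "subject": subject,
            "subjectAlternativeNames": {"dnsNames": list(dns_names)},
            "validityInMonths": 12,
        },
    }


def key_is_exportable(cert_show_json):
    """Read `az keyvault certificate show` output (assumed shape:
    {"policy": {"keyProperties": {"exportable": bool, ...}}}) and say whether
    the private key can ever leave the vault. False means: recreate the
    certificate; no CLI or openssl trick will recover the key."""
    props = cert_show_json.get("policy", {}).get("keyProperties", {})
    return bool(props.get("exportable"))


def pfx_from_secret(secret_show_json):
    """`az keyvault secret show` on a certificate name returns the private-key
    bundle in `value`; `contentType` says whether it is base64 PKCS#12 or PEM
    (assumed shape: {"contentType": str, "value": str})."""
    ctype = secret_show_json.get("contentType", "")
    value = secret_show_json["value"]
    if ctype == "application/x-pkcs12":
        return base64.b64decode(value)  # raw .pfx bytes, empty password
    if ctype == "application/x-pem-file":
        return value.encode()  # PEM text containing key and certificate
    raise ValueError(f"unexpected contentType {ctype!r}")


def csr_pem_from_pending(pending_show_json):
    """`az keyvault certificate pending show` returns the CSR as base64 DER
    (assumption: standard base64 in a `csr` field); wrap it in PEM so a CA
    portal or openssl will accept it."""
    b64 = pending_show_json["csr"]
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return ("-----BEGIN CERTIFICATE REQUEST-----\n" + body +
            "\n-----END CERTIFICATE REQUEST-----\n")


def az(*args):
    """Run one az command and parse its JSON output (requires a logged-in az)."""
    out = subprocess.run(["az", *args, "-o", "json"], check=True,
                         capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else None


def main(step):
    if step == "create":
        with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as f:
            json.dump(exportable_policy("CN=www.example.com", ["www.example.com"]), f)
        az("keyvault", "certificate", "create", "--vault-name", VAULT,
           "--name", CERT, "--policy", f"@{f.name}")
        pending = az("keyvault", "certificate", "pending", "show",
                     "--vault-name", VAULT, "--name", CERT)
        Path("request.csr").write_text(csr_pem_from_pending(pending))
        print("CSR written to request.csr; have your CA sign it, then run: merge")
    elif step == "merge":
        # signed.cer: the CA-issued certificate (ideally the full chain, PEM)
        az("keyvault", "certificate", "pending", "merge", "--vault-name", VAULT,
           "--name", CERT, "--file", "signed.cer")
        cert = az("keyvault", "certificate", "show", "--vault-name", VAULT, "--name", CERT)
        if not key_is_exportable(cert):
            sys.exit("private key is not exportable: recreate the certificate with exportable=true")
        secret = az("keyvault", "secret", "show", "--vault-name", VAULT, "--name", CERT)
        Path("cert.pfx").write_bytes(pfx_from_secret(secret))
        print("cert.pfx written (contains the private key)")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "create")
```

Run it once with `create`, submit request.csr to the CA, save the issued certificate as signed.cer, then run it with `merge`. The exportable check happens before any secret fetch, so a certificate created without exportable: true fails fast with the only remedy the answer gives: recreate it.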