Import certificate API for azure key vault

Rakesh S 151 Reputation points
2021-02-04T08:06:50.687+00:00

i am trying to import a certificate through REST API to azure key vault, via Postman. For that purpose, i have generated the bearer token via, "https://login.microsoftonline.com/tenant_ID/oauth2/token." I am having two headers, The authorization and the content-type. My request body would look something like
{
"value": "",
"policy": {
"key_props": {
"exportable": true,
"kty": "RSA",
"key_size": 2048,
"reuse_key": false
},
"secret_props": {
"contentType": "application/x-pkcs12"
}
}
}

I am not understanding what i need to pass inside the "value" parameter. When i am passing the base64 encoded data of certificate, it is throwing an error saying,"No certificate with private key found in the specified X.509 certificate content. Please specify X.509 certificate content with only one certificate containing private key."
And when i am passing the whole contents of my cert as such, I am getting the error,"The specified PKCS#12 X.509 certificate content can not be read. Please check if certificate is in valid PKCS#12 format."
So can you see this whether I am doing something wrong from my side. Please do address this with priority since our security is being compromised due to this blockage. Thanks in advance!

Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,143 questions
0 comments No comments
{count} votes

Accepted answer
  1. Siva-kumar-selvaraj 15,561 Reputation points
    2021-02-06T01:24:10.083+00:00

    Hello @Rakesh S , Thanks for reaching out.

    Could you confirm type of certificate trying to import? Azure Key Vault supports .pem and .pfx certificate files for importing Certificates into Key vault. We support the following type of Import for PEM file format. A single PEM encoded certificate along with a PKCS#8 encoded, unencrypted key which has the following

    -----BEGIN CERTIFICATE----- -----END CERTIFICATE-----
    -----BEGIN PRIVATE KEY----- -----END PRIVATE KEY-----

    When you are importing the certificate, you need to ensure that the key is included in the file itself. If you have the private key separately in a different format, you would need to combine the key with the certificate. Some certificate authorities provide certificates in different formats, therefore before importing the certificate, make sure that they are either in .pem or .pfx format. To learn more refer this article.


    **Sample REST API call for importing .PFX certificate format: **


    You must pass .pfx certificate in base64-encoded-byte format inside the “value:” parameter of POST request in the body section, use following PowerShell cmdlet for converting pfx file into base64-encoded-byte format.

    • $fileContentBytes = get-content "C:\newfolder\cert.pfx" -Encoding Byte
    • [System.Convert]::ToBase64String($fileContentBytes) | Out-File "c:\newfolder\pfx-base64-encoded-bytes.txt"

    Once converted, just copy base64-encoded value and add them in the “value:” parameter. The "contentType" must be "application/x-pkcs12" and If the private key in base64EncodedCertificate is encrypted then mentioned in request body as shown below..

    Sample Request
    POST https://myvault.vault.azure.net/certificates/importCert01/import?api-version=7.1

    Request Body
    {
    "value": "MIIKFgIBAzCCCdIGC----------------------SqGSIb3DQEHAaCCCcMEggm",
    "pwd": "12345",
    "policy": {
    "secret_props": {
    "contentType": "application/x-pkcs12"
    }
    }
    }

    Screenshot:
    64801-pfx-import-cert-request.png

    Note: "key_props parameters ("exportable": true , "kty": "RSA", "key_size": 2048 and "reuse_key": false) are optional one, if require then you can add them in the request body


    **Sample REST API call for importing .PEM certificate format: **


    If you’re importing a certificate in PEM format, then "contentType" should be "application/x-pem-file" type. The value parameter will just be the raw text contents of your PEM file and need not to be in base64-encoded-byte, because PEM cert is already a text format, so base64-encoding doesn’t require.


    Sample Request
    POST https://myvault.vault.azure.net/certificates/importCert01/import?api-version=7.1

    Request Body

    {
    "value": "-----BEGIN CERTIFICATE-----
    MIID2TCCAsGgA3Ng7KtR5GoKfSBD72KfqEmQmkbfw1N3KG5M0VC
    S30l5Nc1//soJqR4Lnb/TjnMpitYBNwEpiSs6qpjJe/jYnJxBL+U4IvToNTvoNJF
    5FDNQ2bR9rNFIcl9wV+zYgGJJT7UdVLiegXNoYArNecJXFuJwxio8MxDzwPtQ50C
    AwEAAaNTMFEwHQYDVMCsdgL7Wp4S0VcpffptYsZHbh4sW0E
    Gnh7f5U1diT84Vvl0Y1u7ITJeklkKKERSi5+ETfxYRZHD5YziLJ4qKSg5c/OP1Z4
    ZM3RLdMMHPg2jmVOZbsTSz2eNjS9Nk+39CF92/E=
    -----END CERTIFICATE-----
    -----BEGIN PRIVATE KEY-----
    MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC49k8WeabJ86hY
    KjShAqUJBWSq8CJM5WV/QkvIeUykzvyjAev4WVEmWb0hwFnsmIxS6aXk55xhRmqm
    TbPCKet8Wqejmeg/HvPDfCDFh9d+2/Fei0izqQcLnWm+FqlwP2Ksum4WPxY9rl8a
    oy3uC0kJEf2yGfxSp22/+tmk2hF+2uYewL/ndyo/JNUoUyKfZYz2T3e2IvOtB3A3pkd
    5JSPgamXDfhS4ZW4oAyW9e2sOfmrak1/DygMbqGE6Hd3Yl3LqT5S/ruOjImbIxhZ
    WT/MBEcA24FbTQ3YawU3HKBL
    -----END PRIVATE KEY-----",

    "policy": {
    "secret_props": {
    "contentType": "application/x-pem-file"
    }
    }
    }

    Screenshot:

    64775-pem-import-cert-request.png

    **There are a few separate issues here you need to be very careful about: **

    Private Key Format A certificate with a private key in a PEM file could have the key stored in various format. One very common one is PKCS#1, which is identified by the key being wrapped in -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----.

    If you try to import such a certificate to Key Vault, however, you will get an error. This is because Key Vault will only accept a key in PKCS#8 format, which you will recognize because it’s wrapped in -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----.
    You can easily use the openssl pkcs8 -topk8 command to convert the private key once you know to do this.

    Value Format The result is that the value parameter will just be the raw text contents of your PEM file. The content must use UNIX-style line separators (\n). Attempting to send the content using Windows-style line endings (\r\n) will just result in a confusing error such as The specified PEM X.509 certificate content is in an unexpected format. Please check if certificate is in valid PEM format.

    Another common reason for the import to fail is that when you openssl to create/convert to PEM format cert, which add certain commentary text in the .pem file. For example, if you convert a PFX to a PEM using the below command:

    openssl pkcs12 -in cert.pfx -out cert.pem  
    

    Then using "cat cert.pem", you might see something like:

    Bag Attributes  
        localKeyID: D4 2F E7 46 EA BC 7F 00 35 1F 1A 2F 33 07 81 5F 31 7F 90 E7   
    subject=/CN=example.com  
    issuer=/CN=example.com  
    -----BEGIN CERTIFICATE-----  
    (etc)  
    

    Azure Key Vault does not understand any text in the .pem file that is not between -----BEGIN etc----- and -----END etc----- marks.

    You can try to avoid these comments by concatenating the certificate (i.e. public key) and the private key together in a cat command:

    openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem  
    cat cert.pem key.pem > tobeimported.pem  
    

    The above command will produce a tobeimported.pem file that Key Vault understands.

    Reference: https://github.com/MicrosoftDocs/azure-docs/issues/23558

    --------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    2 people found this answer helpful.
    0 comments No comments

0 additional answers

Sort by: Most helpful