Cannot set up Azure Key Vault extension on Ubuntu VM

Question

I am attempting to set up the Azure Key Vault extension on an Azure VM running Ubuntu, so that nginx on that VM can access an SSL certificate with HSM-secured key to secure a website hosted on the VM. However, when running the command below, I get an error message that the secret is not properly Base64 encoded. What am I doing wrong?

az vm extension set -n "KeyVaultForLinux" --publisher Microsoft.Azure.KeyVault -g "{resource-group}" --vm-name "{vm-name}" --version 3.0 --enable-auto-upgrade true --settings "akvm.json"

The error message is:

(CertificateImproperlyFormatted) The secret retrieved from {URL} is not a properly encoded Base64 string.

Answer 1

The KeyVaultForLinux extension expects a Base64‑encoded PFX certificate stored as a Key Vault Certificate. The error occurs because the referenced secret contains a PEM or non‑Base64 value; importing the certificate as a PFX into Key Vault resolves the issue. Here you are pointing the extension to a secret that is not a PFX-backed Key Vault certificate (for example, a PEM certificate or raw text secret). The extension does not support PEM-only or manually stored secrets for certificate installation - https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/key-vault-linux

Correct approach

• Convert the certificate (and private key) into a PFX file
• Import it into Azure Key Vault as a Certificate (not just a secret)
• Then reference that certificate in the KeyVaultForLinux extension settings

Microsoft documentation

• Key Vault VM Extension for Linux (supported certificate formats: PKCS#12 / PFX) Azure Key Vault VM extension for Linux
• Importing certificates into Azure Key Vault Import a certificate into Azure Key Vault