KeyVault returned full chain PFX cert file isn't verifiable

PorscheMe-6235 asked:

  • Make a full-chain, password-protected PFX cert file using the steps below:

        cat issuingCA.cert.pem rootCa.cert.pem > chain-mycert.cert.pem
        openssl pkcs12 -export -out full-chain-mycert.pfx -inkey mycert.key.pem -in mycert.cert.pem -name mycert-ca -CAfile chain-mycert.cert.pem -chain -passout pass:REDACTED

  • Verify the above PFX cert file with the command below, entering the password when prompted:

        keytool -list -keystore full-chain-mycert.pfx -storetype pkcs12 -v

  • Upload the PFX cert file to KeyVault using the Azure Portal.

  • Download the uploaded PFX cert file from KeyVault using the Azure Portal.

  • Verify the downloaded cert chain with the command below; there is no need to enter a password:

        keytool -list -keystore <downloaded-cert.pfx file> -storetype pkcs12 -v

  • Verify that the PFX doesn't have chain information by running the command below:

        keytool -list -keystore chain-test-rp-search.pfx -storetype pkcs12 -v






azure-key-vault

1 Answer

sikumars answered:

Hello @PorscheMe-6235,

Thanks for reaching out.

Azure Key Vault does include the certificate chain when you download the certificate along with its private key (for example in .PFX format), provided the certificate was uploaded together with its certificate chain, so make sure the cert you uploaded contains the certificate chain.

I would recommend that you refer to the steps mentioned here to "Merge all intermediate certificates" and "Export certificate to PFX" format, then try uploading into Azure Key Vault.

Hope this helps.



Please "Accept the answer" if the information helped you. This will help us and others in the community as well.



PorscheMe-6235 commented:

@sikumars-msft thanks for the reply.

  • I'm not using App Service, FYI.

  • I created my full-chain PFX cert file exactly as in the App Service link you shared.

  • Uploaded it to KeyVault using the Azure Portal and provided the PFX password.

  • Downloaded the same cert and tried to verify the chain by running the command below; not all of the certs in the chain were there.

        keytool -list -keystore <downloaded pfx file> -storetype pkcs12 -v
        [when keytool prompts for a password, just press Enter (since KeyVault removes the password protection)]
    

[Screenshot attached: encryptionkey.png]
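Added example, not code from the original question, answer or comment: a POSIX shell script that builds a throwaway root -> issuing -> leaf hierarchy, exports the leaf as a full-chain PFX with the same openssl command the question uses, and then inspects any PFX for a complete chain using openssl alone, so the check the thread does with keytool can be run on both the uploaded file and the password-less download (pass "" as the password, which becomes `-passin pass:`). It assumes OpenSSL 1.1.1 or 3.x is installed. The file names and the alias mycert-ca are taken from the question; the CN values, the REDACTED password and the leaf-only PFX used to reproduce the "no chain" symptom are constructed for the example and are not real credentials.

```shell
#!/bin/sh
# Added example, not from the original post: build a constructed CA hierarchy,
# export the leaf as a full-chain PFX as the question does, and check a PFX for
# a complete chain with openssl alone (no keytool needed). File names and the
# alias mycert-ca follow the question; CN values and REDACTED are placeholders.
set -eu

# Constructed root -> issuing -> leaf hierarchy in directory $1 (EC keys for speed).
make_test_chain() {
    d=$1
    mkdir -p "$d"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth\n' > "$d/leaf.ext"
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days 30 \
        -subj '/CN=Test Root CA' -keyout "$d/root.key.pem" -out "$d/rootCa.cert.pem" 2>/dev/null
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj '/CN=Test Issuing CA' -keyout "$d/issuing.key.pem" -out "$d/issuing.csr" 2>/dev/null
    openssl x509 -req -in "$d/issuing.csr" -CA "$d/rootCa.cert.pem" -CAkey "$d/root.key.pem" \
        -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/issuingCA.cert.pem" 2>/dev/null
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj '/CN=mycert.example.test' -keyout "$d/mycert.key.pem" -out "$d/mycert.csr" 2>/dev/null
    openssl x509 -req -in "$d/mycert.csr" -CA "$d/issuingCA.cert.pem" -CAkey "$d/issuing.key.pem" \
        -CAcreateserial -days 30 -extfile "$d/leaf.ext" -out "$d/mycert.cert.pem" 2>/dev/null
}

# Export leaf key+cert from $1 to PFX $2 with password $3. With $4 = chain this is
# the question's command (-chain -CAfile issuing+root); otherwise the leaf alone.
build_pfx() {
    d=$1
    cat "$d/issuingCA.cert.pem" "$d/rootCa.cert.pem" > "$d/chain-mycert.cert.pem"
    if [ "${4:-}" = chain ]; then
        openssl pkcs12 -export -out "$2" -inkey "$d/mycert.key.pem" -in "$d/mycert.cert.pem" \
            -name mycert-ca -CAfile "$d/chain-mycert.cert.pem" -chain -passout "pass:$3"
    else
        openssl pkcs12 -export -out "$2" -inkey "$d/mycert.key.pem" -in "$d/mycert.cert.pem" \
            -name mycert-ca -passout "pass:$3"
    fi
}

# Dump PFX $1 as PEM; $2 is the import password ("" for a password-less PFX such as
# the Key Vault download). Retries with -legacy for RC2/3DES files on OpenSSL 3.
pfx_dump() {
    pd_file=$1 pd_pass=$2
    shift 2
    openssl pkcs12 -in "$pd_file" -passin "pass:$pd_pass" "$@" 2>/dev/null \
        || openssl pkcs12 -legacy -in "$pd_file" -passin "pass:$pd_pass" "$@" 2>/dev/null
}

# Number of certificates stored in the PFX; 1 means no chain was kept.
count_pfx_certs() {
    pfx_dump "$1" "$2" -nokeys | grep -c 'BEGIN CERTIFICATE' || true
}

# Succeed only if the PFX contains the leaf plus every CA cert needed to verify it
# up to a self-signed root, using the PFX contents alone (system trust store off).
pfx_has_full_chain() {
    w=$(mktemp -d)
    pfx_dump "$1" "$2" -nokeys | awk -v dir="$w" \
        '/BEGIN CERTIFICATE/ { n++; out = sprintf("%s/cert%02d.pem", dir, n) }
         /BEGIN CERTIFICATE/,/END CERTIFICATE/ { print > out }'
    # The leaf is the certificate whose public key matches the PFX private key.
    keypub=$(pfx_dump "$1" "$2" -nocerts -nodes | sed -n '/-----BEGIN/,/-----END/p' \
        | openssl pkey -pubout 2>/dev/null || true)
    : > "$w/trusted.pem"; : > "$w/untrusted.pem"
    for c in "$w"/cert*.pem; do
        [ -e "$c" ] || break
        subj=$(openssl x509 -in "$c" -noout -subject | sed 's/^subject=//')
        iss=$(openssl x509 -in "$c" -noout -issuer | sed 's/^issuer=//')
        if [ "$(openssl x509 -in "$c" -noout -pubkey)" = "$keypub" ]; then
            cp "$c" "$w/leaf.pem"
        elif [ "$subj" = "$iss" ]; then
            cat "$c" >> "$w/trusted.pem"     # self-signed: trust anchor candidate
        else
            cat "$c" >> "$w/untrusted.pem"   # intermediate
        fi
    done
    untrusted=""; nostore=""
    [ -s "$w/untrusted.pem" ] && untrusted="-untrusted $w/untrusted.pem"
    openssl verify -help 2>&1 | grep -q -- '-no-CAstore' && nostore="-no-CAstore"
    rc=1
    if [ -s "$w/leaf.pem" ] && [ -s "$w/trusted.pem" ] && openssl verify -no-CAfile -no-CApath \
        $nostore -CAfile "$w/trusted.pem" $untrusted "$w/leaf.pem" >/dev/null 2>&1; then
        rc=0
    fi
    rm -rf "$w"
    return $rc
}

# Demo on the constructed hierarchy: the full-chain PFX mirrors the upload; the
# leaf-only PFX reproduces a download with no chain information, as the OP reports.
workdir=$(mktemp -d)
make_test_chain "$workdir"
build_pfx "$workdir" "$workdir/full-chain-mycert.pfx" REDACTED chain
build_pfx "$workdir" "$workdir/leaf-only-mycert.pfx" REDACTED
for pfx in full-chain-mycert.pfx leaf-only-mycert.pfx; do
    n=$(count_pfx_certs "$workdir/$pfx" REDACTED)
    if pfx_has_full_chain "$workdir/$pfx" REDACTED; then v=complete; else v=INCOMPLETE; fi
    printf '%s: %s certificate(s), chain %s\n' "$pfx" "$n" "$v"
done
```

Run it against a real download with `count_pfx_certs downloaded.pfx ""` and `pfx_has_full_chain downloaded.pfx ""`; a count of 1, or a chain that only verifies once the system trust store is allowed back in, is the symptom described in the thread. The chain check deliberately passes `-no-CAfile -no-CApath` (and `-no-CAstore` where supported) so that only certificates actually stored in the PFX can satisfy verification.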