Upload Key Vault Certificate and access it in App Service through ARM Template

Question

Upload Key Vault Certificate and access it in App Service through ARM Template

lolek john 21

We need to have a Function App created for accessing Office 365 instance. The access is using Certificate authentication. Hence we are uploading the certificate into Azure Key Vault and need to import the Certificate from Key Vault.

We are using ARM Templates for the Azure Resource Deployment. We are trying to create Azure Key Vault Certificate as mentioned in the link

https://erwinstaal.nl/posts/using-an-arm-template-to-deploy-your-ssl-certificate-stored-in-keyvault-on-an-web-app/

https://stackoverflow.com/questions/59085396/upload-pfx-certificate-through-azure-devops-pipeline

As mentioned in the above pages, we are able to create new secrets in Key Vault. But, we do not see the imported certificate in the list of Certificates (when checked in the Azure Portal UI) and also, we are not able to Import the Certificates in the Function App. Is this not supported in the current ARM Template Key Vault commandlet? How can this be fixed?

Answer 1

@lolek john
Thank you for following up on this!

Based off the tutorial you're following, the certificate already being in type pkcs12, and the error message that you received, I found some related threads which I'll share below. Some of the potential solutions to your issue could be related to the file format of your certificate, how it was converted to base64, or if you're using Azure Key Vault's RBAC access model rather than Access Policies.

**Check the File Formats of Certificates which is the major building block when importing certificates: ** For more info.

In Azure Key Vault, supported certificate formats are PFX and PEM.

• .pem file format contains one or more X509 certificate files.

• .pfx file format is an archive file format for storing several cryptographic objects in a single file i.e. server certificate (issued for your domain), a matching private key, and may optionally include an intermediate CA.

Certificates used by App Service first needs to be converted to (and marked as) application/x-pkcs12. Re-importing the cert from a pfx file with the --password parameter (az keyvault certificate import), and after that import it from the key vault to the webapp might help.

Additional links:
Deploying Azure Web App Certificate through Key Vault
"The parameter KeyVault Certificate has an invalid value" when deploying Azure Web App Certificate through Key Vault
Error "The parameter keyVaultCsmId has an invalid value" while adding App Service Certificates to KeyVault

If you're still having issues with this, please let me know.
Thank you for your time and patience throughout this issue.

lolek john 21 Reputation points

2022-01-26T07:32:06.46+00:00

@JamesTran-MSFT - Indeed one of the above links helped. The way to generate the Base64 encoded string for the pfx file is as below:

$pfxFilePath = "F:\KeyVault\PrivateCertificate.pfx" $pwd = "[2+)t^BgfYZ2C0WAu__gw[" $flag = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable $collection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection $collection.Import($pfxFilePath, $pwd, $flag) $pkcs12ContentType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12 $clearBytes = $collection.Export($pkcs12ContentType) $fileContentEncoded = [System.Convert]::ToBase64String($clearBytes) $secret = ConvertTo-SecureString -String $fileContentEncoded -AsPlainText –Force $secretContentType = 'application/x-pkcs12' Set-AzureKeyVaultSecret -VaultName akurmitestvault -Name keyVaultCert -SecretValue $Secret -ContentType $secretContentType # Change the Key Vault name and secret name

This is as mentioned in the blog - https://azure.github.io/AppService/2016/05/24/Deploying-Azure-Web-App-Certificate-through-Key-Vault.html

Thanks for your help
JamesTran-MSFT 27,501 Reputation points Microsoft Employee

2022-01-26T19:35:39.763+00:00

@lolek john
Thank you for following up with this and I'm glad that I was able to help resolve your issue!

Answer 2

@lolek john
Thank you for your post, and for providing the documentation that you're following!

From the Key Vault side of things, the documentation - Using an ARM template to deploy your SSL certificate, is extracting a base64 string from the file (Azure DevOps certificate) and uploading that to Key Vault as a secret, which explains why you aren't seeing any Certificates when checking within the Portal.

You can see this within the ARM template used:

Deploying the certificate to your Web App, the ARM template is referencing the Secret you uploaded earlier within the Key Vault.

If you'd like to import a Certificate to be used with your App, you can definitely use Azure Key Vault to manage your certificates. For more info. If you don't want to import your Certificate directly into the App, you can Import a certificate to Key Vault.

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

----------

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

lolek john 21 Reputation points

2022-01-25T05:47:40.72+00:00

@JamesTran-MSFT As you mentioned, the certificate is created as a secret in the Key Vault and I can see the Certificate name and type in the list of Secrets

But, when trying to refer that in the Website Certificate, I am getting the below error:

{ "Code": "BadRequest", "Message": "The parameter KeyVault Certificate has an invalid value.", "Target": null, "Details": [{ "Message": "The parameter KeyVault Certificate has an invalid value." }, { "Code": "BadRequest" }, { "ErrorEntity": { "ExtendedCode": "51008", "MessageTemplate": "The parameter {0} has an invalid value.", "Parameters": ["KeyVault Certificate"], "Code": "BadRequest", "Message": "The parameter KeyVault Certificate has an invalid value." } } ], "Innererror": null }

This works fine, if I manually upload the certificate in the Certificates list in Azure Key Vault. When referencing that certificate (which was manually uploaded), the website certificate gets created without any issues. Any thoughts?

Answer 3

Jerome Rougnon-Glasson 1

Please I need to get a clear answer: Does ARM support the upload of certificate into a keyvault as a "certificate" and not as a secret? I don't find any documentation about that. Thank you in advance!

Upload Key Vault Certificate and access it in App Service through ARM Template

2 additional answers

Activity