how to get the pfx certificate password

Question

Hi,
I have generated the certificate in azure key vault.

While Importing Key Vault Certificate on azure app service getting error "Failed to get App Service Principal"

Also downloaded the same .pfx certificate and while uploading it is asking for the password.

Please let me know from where I can get the password for the certificate

Answer 1

Certificate .pfx file downloaded from KeyVault doesn't have password protection. Steps to generate a password protected .pfx file:

Import PFX

If we want to have this pfx with a password, the easiest way is to just import it on a Windows machine and export it again but this time with a password. Here is how to do this:

1. Right-click on the pfx file and choose Install PFX
2. Choose Local Machine and click Next
3. File name doesn't need to change, so proceed with Next
4. On the Private key protection wizard leave the password empty and check the "Mark this key as exportable". Click Next.
5. On the Certificate Store wizard just leave it as Automatically select the certificate store and click Next.
6. Finish on the last one. You should get "Import Successful".

Export PFX with password

Now we need to export the certificate but this time with a password. We need to browse the machine's certificate store to initialize this.

Open Certificate Manager

1. Open Run (Windows + R) and type mmc
2. On the MMC console, go to File -> Add/Remove Snap-in or Ctrl + M. Select Certificates and click Add in the middle.
3. You will be asked My User/Service or Computer account. Choose Computer and click Next.
4. Leave everything default on the next one (Local computer: (the computer this console is running on)) and click Finish.
5. Click OK on the Console Snap-in

Export certificate

1. Now expand the Certificates (Local Computer) then expand Personal and choose Certificates
2. Find the certificate you just imported and right-click it -> All Tasks -> Export...
3. The Export wizard starts. Click Next on the first window.
4. Then choose Yes, export the private key and click Next
5. On the Export File Format make sure that everything except "Delete the private key if the export is successful" is checked and that this isn't. Click Next.
6. Here you can choose a password for the pfx file. Make sure to check the Password checkbox and type your desired password. Leave the Encryption as TripleDES-SHA1. Click Next
7. Choose where to save the new .pfx file by clicking Browse
8. Click Finish and you should get "The export was successful" message.

That's it. You now have an exported copy of the App Service Certificate in a .pfx format and with a password ready to be used anywhere you want.

@Michael Gaddis FYI

Answer 2

Why doesn't certreq -config give an option to set a PFX password?

seems extremely ridiculous we have to get a pfx from an internal CA, THEN import it into local cert store JUST to export it again to set a password

Microsoft - if you're reading this - you need to put some new work into certreq and internal CA if you're going to keep supporting it as a product

Answer 3

Well guys, that's great, glad it worked for you but the link no longer works, how about posting the answer here.

Answer 4

Thanks for reply! Once you created the certificate in Azure Key vault and downloaded same as in pfx format you need to configure password for .pfx this is required while uploading a pfx, you always need to provide a password.

Answer 5

Thanks for asking question! If I have understood right you are trying to Import a certificate from Key vault, If so then you may want to know that you can import a PKCS12 certificate from Key Vault into App Service as long as it satisfies the below requirements.

Also, By default, the App Service resource provider doesn’t have access to the Key Vault.

In order to use a Key Vault for a certificate deployment, you need to authorize the resource provider read access to the KeyVault.

Also, check if you are owner of the subscription and not contributor might helps.

Let us know if issue remains.