how to get the pfx certificate password

Deshmukh, Vijit 516 Reputation points
2022-02-15T19:20:33.99+00:00

Hi,
I have generated the certificate in Azure Key Vault.

While importing the Key Vault certificate into Azure App Service, I am getting the error "Failed to get App Service Principal".

I also downloaded the same .pfx certificate, and while uploading it, it asks for the password.

Please let me know where I can get the password for the certificate.

[Image: 174651-import-keycert.png]

Azure App Service

5 answers

  1. Nayan Shah 31 Reputation points Microsoft Employee
    2022-11-24T21:33:23.307+00:00

    Certificate .pfx file downloaded from KeyVault doesn't have password protection. Steps to generate a password protected .pfx file:

    Import PFX

    If we want to have this pfx with a password, the easiest way is to just import it on a Windows machine and export it again but this time with a password. Here is how to do this:

    1. Right-click on the pfx file and choose Install PFX
    2. Choose Local Machine and click Next
    3. File name doesn't need to change, so proceed with Next
    4. On the Private key protection wizard leave the password empty and check the "Mark this key as exportable". Click Next.
    5. On the Certificate Store wizard just leave it as Automatically select the certificate store and click Next.
    6. Finish on the last one. You should get "Import Successful".

    Export PFX with password

    Now we need to export the certificate but this time with a password. We need to browse the machine's certificate store to initialize this.

    Open Certificate Manager

    1. Open Run (Windows + R) and type mmc
    2. On the MMC console, go to File -> Add/Remove Snap-in or Ctrl + M. Select Certificates and click Add in the middle.
    3. You will be asked My User/Service or Computer account. Choose Computer and click Next.
    4. Leave everything default on the next one (Local computer: (the computer this console is running on)) and click Finish.
    5. Click OK on the Console Snap-in

    Export certificate

    1. Now expand the Certificates (Local Computer) then expand Personal and choose Certificates
    2. Find the certificate you just imported and right-click it -> All Tasks -> Export...
    3. The Export wizard starts. Click Next on the first window.
    4. Then choose Yes, export the private key and click Next
    5. On the Export File Format make sure that everything except "Delete the private key if the export is successful" is checked and that this isn't. Click Next.
    6. Here you can choose a password for the pfx file. Make sure to check the Password checkbox and type your desired password. Leave the Encryption as TripleDES-SHA1. Click Next.
    7. Choose where to save the new .pfx file by clicking Browse
    8. Click Finish and you should get "The export was successful" message.

    That's it. You now have an exported copy of the App Service Certificate in a .pfx format and with a password ready to be used anywhere you want.

    @Michael Gaddis FYI

    7 people found this answer helpful.
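
Added example (not part of the answer above and not Microsoft's code): the same import and re-export steps scripted with the built-in `Import-PfxCertificate` and `Export-PfxCertificate` cmdlets, plus removal of the temporary store copy afterwards. It assumes the CurrentUser store rather than Local Machine so that no elevation is needed; the parameter names `InPfx` and `OutPfx` are made up for this example.

```powershell
# Added example: re-protect a passwordless PFX (as downloaded from Key Vault)
# with a password. InPfx / OutPfx are hypothetical parameter names.
param(
    [Parameter(Mandatory)] [string] $InPfx,   # PFX without password protection
    [Parameter(Mandatory)] [string] $OutPfx   # password-protected PFX to create
)
$ErrorActionPreference = 'Stop'
$store = 'Cert:\CurrentUser\My'               # assumption: per-user store

# Prompt for the password so it never lands in the script or command history.
$password = Read-Host -Prompt 'New PFX password' -AsSecureString
if ($password.Length -eq 0) { throw 'Refusing to export with an empty password.' }

# Import with an exportable key (wizard: "Mark this key as exportable").
# No -Password argument: the Key Vault download has no password.
$imported = @(Import-PfxCertificate -FilePath $InPfx -CertStoreLocation $store -Exportable)

try {
    $cert = $imported | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
    if (-not $cert) { throw "No certificate with a private key found in $InPfx" }

    # With no -CryptoAlgorithmOption the cmdlet uses TripleDES_SHA1, the same
    # setting the answer keeps in step 6. BuildChain includes the
    # certification path where it can be built.
    Export-PfxCertificate -Cert $cert -FilePath $OutPfx -Password $password `
        -ChainOption BuildChain | Out-Null
    Write-Host "Wrote $OutPfx for certificate $($cert.Thumbprint)"
}
finally {
    # Remove what this script imported so an exportable private key is not
    # left behind in the store. Note: this also removes the entry if the
    # same certificate was already in the store before the script ran.
    foreach ($c in $imported) {
        $path = Join-Path $store $c.Thumbprint
        if (Test-Path $path) {
            if ($c.HasPrivateKey) { Remove-Item -Path $path -DeleteKey }
            else                  { Remove-Item -Path $path }
        }
    }
}
```

The passwordless input file still holds the private key in the clear, so delete it once the protected copy has been verified.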

  2. Dave York 15 Reputation points
    2023-01-25T22:42:59.7533333+00:00

    Why doesn't certreq -config give an option to set a PFX password?

    Seems extremely ridiculous we have to get a pfx from an internal CA, THEN import it into local cert store JUST to export it again to set a password.

    Microsoft - if you're reading this - you need to put some new work into certreq and internal CA if you're going to keep supporting it as a product

    3 people found this answer helpful.

  3. Michael Gaddis 11 Reputation points
    2022-11-17T20:42:01.323+00:00

    Well guys, that's great, glad it worked for you but the link no longer works, how about posting the answer here.

    2 people found this answer helpful.

  4. SnehaAgrawal-MSFT 22,706 Reputation points Moderator
    2022-02-17T17:40:43.477+00:00

    Thanks for the reply! Once you have created the certificate in Azure Key Vault and downloaded it in pfx format, you need to configure a password for the .pfx. This is required: while uploading a pfx, you always need to provide a password.

    1 person found this answer helpful.

  5. SnehaAgrawal-MSFT 22,706 Reputation points Moderator
    2022-02-17T08:50:25.16+00:00

    Thanks for asking the question! If I have understood correctly, you are trying to import a certificate from Key Vault. If so, you may want to know that you can import a PKCS12 certificate from Key Vault into App Service as long as it satisfies the below requirements.

    [Image: 175295-add-and-manage-tls-ssl-certificates-azure-app-serv.png]

    Also, by default, the App Service resource provider doesn't have access to the Key Vault.

    In order to use a Key Vault for a certificate deployment, you need to authorize the resource provider read access to the Key Vault.

    Also, checking that you are an owner of the subscription and not a contributor might help.

    Let us know if the issue remains.

