Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
661 questions
"Authority Key Identifier Extension is malformed" when importing self-signed certificate to Azure Key Vault
Feng Huang
1
Reputation point
When I try to import a self-signed certificate to Azure Key Vault, I get the following error:
CODE
BadParameter
MESSAGE
The specified X.509 certificate content is invalid. Error: x.509 authority key identifier extension is malformed..
I have checked the certificate using openssl x509 -in test.pfx -text -noout and the authority key identifier extension looks like:
X509v3 extensions:
X509v3 Subject Key Identifier:
30:EB:F8:DD:7A:14:20:2E:52:C8:FF:0D:61:01:2C:18:7F:9A:4F:8E
X509v3 Authority Key Identifier:
DirName:/C=US/ST=California/L=Example/O=Example Ltd/CN=example.com
serial:5A:D2:2A:5C:09:73:01:89:3B:2F:11:E8:FA:36:B3:F2:67:DC:AF:C8
(Note: I have anonymized the data in DirName)
Any help on why this is malformed? How can I generate a good certificate to be imported to the the key vault?
BTW, the certificate works fine for Application Gateway when I upload it manually.
Regards,
Feng
{count} votes
-
ShashiShailaj-MSFT 7,411 Reputation points Microsoft Employee
2022-02-22T14:47:57.957+00:00 @Feng Huang The AKI value should be same as the SKI value for a self signed certificate . In your case, it does not seem to be the same due to which I believe you are getting the error and Key vault is not accepting that . I am not sure about the application gateway and why it is allowing that certificate but I have never seen a self-signed certificate with different values of AKI and SKI but I may be missing something . Can you share as to how you generated this self signed certificate?
Sign in to comment