"The parameter KeyVault Certificate has an invalid value" when deploying Azure Web App Certificate through Key Vault

Wassberg Sebastian 11 Reputation points
2020-01-30T13:00:51.227+00:00

So I have been trying to upload a cert from keyvault to my azure we app. I followed this guide:
https://azure.github.io/AppService/2016/05/24/Deploying-Azure-Web-App-Certificate-through-Key-Vault.html

When trying to create the Microsoft.Web/certificates resource I get the error:

{  
  "Code": "BadRequest",  
  "Message": "The parameter KeyVault Certificate has an invalid value.",  
  "Target": null,  
  "Details": [  
    {  
      "Message": "The parameter KeyVault Certificate has an invalid value."  
    },  
    {  
      "Code": "BadRequest"  
    },  
    {  
      "ErrorEntity": {  
        "ExtendedCode": "51008",  
        "MessageTemplate": "The parameter {0} has an invalid value.",  
        "Parameters": [  
          "KeyVault Certificate"  
        ],  
        "Code": "BadRequest",  
        "Message": "The parameter KeyVault Certificate has an invalid value."  
      }  
    }  
  ],  
  "Innererror": null  
}  

I got the same error when trying to deploy when using this template as a reference: https://github.com/Azure/azure-quickstart-templates/tree/master/201-web-app-certificate-from-key-vault

I have tried with two different certs that are in use for us in production. When uploading the certs manually in the app service TLS/SSL settings -> Private Key Certificate the certs work as expected.

When downloading the secret uploaded with the PS script as a certificate it seams very small (1kb vs 5kb of the original cert) and I cannot open it with the cert password so my best guess is that there is something wrong with the upload.

I have no idea how to debug this futher.

Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
7,170 questions
0 comments No comments
{count} votes

3 answers

Sort by: Most helpful
  1. JoseMoreno-MSFT 16 Reputation points Microsoft Employee
    2020-02-16T22:25:45.68+00:00

    Hi Sebastian,

    I had just the same problem. In my case the reason was because the cert in AKV was imported as pem and not as pcks12, and hence the content type was wrong (should be application/x-pkcs12). Re-importing the cert from a pfx file with the --password parameter (az keyvault certificate import) made the trick for me, after that I could import it from the key vault to the webapp.

    Hth

    3 people found this answer helpful.
    0 comments No comments

  2. Andy Hartmann 6 Reputation points
    2021-07-17T14:56:20.263+00:00

    so I conclude that if I generated a CSR in the key-vault with issuance policy - content type "PEM" (vs. PKCS #12) and obtained a certificate from an authority using that CSR, merged that CRT to have a valid certificate in my vault, that is essentially useless and cannot be imported / used for app services? If it can, how?
    Thank you

    1 person found this answer helpful.

  3. Mohamed Shehata Elbeltagy 11 Reputation points
    2021-10-28T21:42:37.35+00:00

    I had the same error , I found this answer on stackoverflow, it helped:

    There should be a service principal in the Azure AD, if not you can create it.

    Get-AzADServicePrincipal -DisplayName microsoft.azure.certificateregistration

    You need to assign that permission to keyvault via either access policies OR RBAC.

    I had this service principal already created. I'm not sure whether it is created when you start the app service certificate order or not.

    It is mentioned here:

    https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.web/app-service-certificate-standard

    By default, 'Microsoft.CertificateRegistration' and 'Microsoft.Web' RPs don't have access to the Key Vault specified in the template hence you need to authorize these RPs by executing the following PowerShell commands before deploying the template:

    Login-AzureRmAccount
    Set-AzureRmContext -SubscriptionId AZURE_SUBSCRIPTION_ID
    Set-AzureRmKeyVaultAccessPolicy -VaultName KEY_VAULT_NAME -ServicePrincipalName f3c21649-0979-4721-ac85-b0216b2cf413 -PermissionsToSecrets get,set,delete
    Set-AzureRmKeyVaultAccessPolicy -VaultName KEY_VAULT_NAME -ServicePrincipalName abfa0a7c-a6b6-4736-8310-5855508787cd -PermissionsToSecrets get
    ServicePrincipalName parameter represents these RPs in user tenant and will remain same for all Azure subscriptions. This is a onetime operation. Once you have a configured a Key Vault properly, you can use it to store as many App Service Certificates as you want without executing these PowerShell commands again.

    1 person found this answer helpful.
    0 comments No comments