2 Votes
WassbergSebastian-7033 asked

"The parameter KeyVault Certificate has an invalid value" when deploying Azure Web App Certificate through Key Vault

So I have been trying to upload a cert from Key Vault to my Azure web app. I followed this guide:
https://azure.github.io/AppService/2016/05/24/Deploying-Azure-Web-App-Certificate-through-Key-Vault.html

When trying to create the Microsoft.Web/certificates resource I get the error:

 {
   "Code": "BadRequest",
   "Message": "The parameter KeyVault Certificate has an invalid value.",
   "Target": null,
   "Details": [
     {
       "Message": "The parameter KeyVault Certificate has an invalid value."
     },
     {
       "Code": "BadRequest"
     },
     {
       "ErrorEntity": {
         "ExtendedCode": "51008",
         "MessageTemplate": "The parameter {0} has an invalid value.",
         "Parameters": [
           "KeyVault Certificate"
         ],
         "Code": "BadRequest",
         "Message": "The parameter KeyVault Certificate has an invalid value."
       }
     }
   ],
   "Innererror": null
 }

I got the same error when trying to deploy when using this template as a reference: https://github.com/Azure/azure-quickstart-templates/tree/master/201-web-app-certificate-from-key-vault

I have tried with two different certs that are in use for us in production. When uploading the certs manually in the app service TLS/SSL settings -> Private Key Certificate the certs work as expected.

When downloading the secret uploaded with the PS script as a certificate it seems very small (1 KB vs 5 KB for the original cert) and I cannot open it with the cert password, so my best guess is that there is something wrong with the upload.

I have no idea how to debug this further.

azure-webapps-ssl-certificates

3 Votes
erjosito answered

Hi Sebastian,

I had just the same problem. In my case the reason was that the cert in AKV was imported as PEM and not as PKCS12, and hence the content type was wrong (should be application/x-pkcs12). Re-importing the cert from a pfx file with the --password parameter (az keyvault certificate import) did the trick for me; after that I could import it from the key vault to the webapp.

Hth

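The symptom in the question (a downloaded secret that is far smaller than the original cert and will not open with its password) and the cause erjosito describes (the Key Vault secret holding PEM instead of PKCS#12, with the wrong contentType) can both be checked before the ARM deployment is attempted. The script below is an added example, not code from the thread, the linked blog post or Azure: it classifies a secret value as PEM or PKCS#12 from its first bytes, checks for a private key block, and (when the Azure CLI is logged in) compares that with the stored contentType. The vault and secret names, the input file and the file names in the suggested re-import command are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread, the linked blog post or Azure.
# Tells whether a Key Vault certificate secret holds PKCS#12 bytes (what
# Microsoft.Web/certificates expects, with contentType application/x-pkcs12)
# or PEM text, before an ARM deployment fails with "invalid value".
#
# Assumed input file: the secret *value* exactly as the CLI prints it with
#   az keyvault secret show --vault-name "$VAULT" --name "$NAME" --query value -o tsv
# For a PKCS#12 certificate that value is the base64 text of the PFX; for a
# PEM certificate it is the PEM text itself.

# classify_secret_value FILE -> prints "pem", "pkcs12" or "unknown"
classify_secret_value() {
    f="$1"
    # PEM text begins with an armor header such as "-----BEGIN CERTIFICATE-----".
    if head -c 11 "$f" | grep -q -- '-----BEGIN '; then
        printf 'pem\n'
        return 0
    fi
    # Otherwise try to base64-decode it (GNU and BSD base64 accept -d) and look
    # for the DER SEQUENCE tag 0x30 followed by a long-form length byte
    # (0x82 or 0x83): every real PFX file starts that way.
    tmp=$(mktemp) || return 1
    hdr=""
    if base64 -d "$f" > "$tmp" 2>/dev/null; then
        hdr=$(od -An -tx1 -N2 "$tmp" | tr -d ' \n')
    fi
    rm -f "$tmp"
    case "$hdr" in
        3082|3083) printf 'pkcs12\n' ;;
        *)         printf 'unknown\n' ;;
    esac
    return 0
}

# pem_has_private_key FILE -> exit 0 when the PEM carries a private key block.
# App Service needs the private key to create a TLS/SSL binding; a PEM holding
# only the certificate chain cannot be used for that even if it imports.
pem_has_private_key() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# check_kv_secret VAULT NAME: needs a logged-in Azure CLI, so the test does not
# call it. Prints the stored contentType next to what the payload really is and
# suggests the re-import from the answer above when either is not PKCS#12.
check_kv_secret() {
    vault="$1"; name="$2"
    ctype=$(az keyvault secret show --vault-name "$vault" --name "$name" \
        --query contentType -o tsv)
    val=$(mktemp) || return 1
    az keyvault secret show --vault-name "$vault" --name "$name" --query value -o tsv > "$val"
    kind=$(classify_secret_value "$val")
    rm -f "$val"
    printf 'contentType=%s payload=%s\n' "$ctype" "$kind"
    if [ "$ctype" != "application/x-pkcs12" ] || [ "$kind" != "pkcs12" ]; then
        printf 'Not a PKCS#12 secret. Re-import from a PFX, e.g.:\n'
        printf '  az keyvault certificate import --vault-name %s --name %s --file cert.pfx --password ...\n' \
            "$vault" "$name"
        return 1
    fi
}
```

Run `check_kv_secret my-vault my-cert` after `az login`; a result of `contentType=application/x-pem-file payload=pem` (or any payload other than `pkcs12`) is the state the answer above fixes by re-importing from a PFX. The classifier only inspects the first bytes, so it tells you the container format, not whether the PFX password is right.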

1 Vote
AndyHartmann-5013 answered

So I conclude that if I generated a CSR in the key-vault with issuance policy - content type "PEM" (vs. PKCS #12) and obtained a certificate from an authority using that CSR, merged that CRT to have a valid certificate in my vault, that is essentially useless and cannot be imported / used for app services? If it can, how?
Thank you


Did you find a way to reuse the certificate or did you have to redo CSR with content type PKCS#12?

0 Votes

No, I did not; but luckily I had a copy of the original CSR... With the CSR I got (from the certificate issuing authority) a CRT, a CSR (again, but not the same - careful!), a DER, a P7B and CERT-CA.CRT (vs. the CERT.CRT above).

With that, back in Azure, select the pending certificate, and select “Certificate Operation” → “Merge Signed Request”, then select the CRT that will combine the CSR (that contains the “private key”) into a valid certificate. You can then download it using “Download in PFX/PEM format”; having selected PEM while generating the CSR will yield a PEM file.

Get the OpenSSL tool, then get the PEM from Azure: select the certificate in the vault, select the current version, then “Download in CER format” and next to it “Download in PFX/PEM format”, which will download in the format set in the CSR (in my case: PEM).

Using the OpenSSL tool, create the PFX from the PEM:

1. Generate KEY from PEM: openssl pkey -in cert.pem -out cert.key

2. Create a password [the password]; the PFX contains both the public and private keys, so openssl does not create the PFX unless a password is provided

3. openssl pkcs12 -export -in cert.cer -inkey cert.key -out cert.pfx -certfile cert-ca.crt -password pass:[the password]

Lastly, use the certificate (in my case I needed it in the App Service):
1. Go to App Service (or wherever the certificate is to be bound to)
2. On the left side, under Settings, select TLS/SSL settings
3. Select “Add TLS/SSL Binding”; in the pop-up window select the domain name the certificate is used for, and in TLS/SSL type select “S ... [sorry - out of space!!!!]

0 Votes
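The three openssl steps in the comment above, wrapped in one function with the checks that would have saved the original poster's guessing: an added example that is not code from the thread. It refuses to run without a password (the reason openssl gives in step 2), refuses a PEM that carries no private key, passes the password through the environment rather than on the command line, and then proves the resulting PFX opens with that password. File names, the `PFX_PASS` variable and the optional chain argument are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: the three openssl steps from the
# comment above wrapped in one function with the checks I would want before
# importing the result (az keyvault certificate import ... --password, or the
# App Service "Private Key Certificate" upload). File names are assumptions.
#
# pem_to_pfx IN.pem OUT.pfx PASSWORD [CHAIN.crt]
#   IN.pem is the "Download in PFX/PEM format" output of a PEM-type
#   certificate: the private key plus the leaf certificate in one file.
#   CHAIN.crt is the optional issuer bundle (CERT-CA.CRT in the comment).
pem_to_pfx() {
    in="$1"; out="$2"; pass="$3"; chain="$4"
    # openssl refuses to write a PFX without a password; insist on one up front.
    [ -n "$pass" ] || { echo "pem_to_pfx: a non-empty PFX password is required" >&2; return 2; }
    # Without the private key the PFX could never serve TLS, so stop early.
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$in" \
        || { echo "pem_to_pfx: $in contains no private key" >&2; return 3; }
    work=$(mktemp -d) || return 1
    # 1. extract the private key (step 1 of the comment)
    openssl pkey -in "$in" -out "$work/key.pem" || { rm -rf "$work"; return 4; }
    # 2. extract the leaf certificate; openssl x509 skips the key block
    openssl x509 -in "$in" -out "$work/leaf.pem" || { rm -rf "$work"; return 5; }
    # 3. bundle key, leaf and (optionally) chain. The password is passed through
    #    the environment (env:) instead of pass:... so it never shows up in the
    #    process list.
    rc=0
    if [ -n "$chain" ]; then
        PFX_PASS="$pass" openssl pkcs12 -export -in "$work/leaf.pem" -inkey "$work/key.pem" \
            -certfile "$chain" -out "$out" -passout env:PFX_PASS || rc=$?
    else
        PFX_PASS="$pass" openssl pkcs12 -export -in "$work/leaf.pem" -inkey "$work/key.pem" \
            -out "$out" -passout env:PFX_PASS || rc=$?
    fi
    rm -rf "$work"
    return $rc
}

# pfx_subject OUT.pfx PASSWORD -> prints the leaf subject. Succeeding here is
# the check the question lacked: the PFX opens with the password you set.
pfx_subject() {
    PFX_PASS="$2" openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject
}
```

Usage: `pem_to_pfx cert.pem cert.pfx 'the password' cert-ca.crt && pfx_subject cert.pfx 'the password'`. If the subject prints, the file is what Key Vault and App Service expect from a PFX upload; if the function returns 3, the PEM you downloaded holds only the certificate and no conversion will produce a usable private key certificate.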
1 Vote
mohamedshehata answered (edited)

I had the same error; I found this answer on Stack Overflow, and it helped:

There should be a service principal in the Azure AD, if not you can create it.

Get-AzADServicePrincipal -DisplayName microsoft.azure.certificateregistration

You need to assign that permission to keyvault via either access policies OR RBAC.

I had this service principal already created. I'm not sure whether it is created when you start the app service certificate order or not.

It is mentioned here:

https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.web/app-service-certificate-standard

By default, 'Microsoft.CertificateRegistration' and 'Microsoft.Web' RPs don't have access to the Key Vault specified in the template hence you need to authorize these RPs by executing the following PowerShell commands before deploying the template:

Login-AzureRmAccount
Set-AzureRmContext -SubscriptionId AZURE_SUBSCRIPTION_ID
Set-AzureRmKeyVaultAccessPolicy -VaultName KEY_VAULT_NAME -ServicePrincipalName f3c21649-0979-4721-ac85-b0216b2cf413 -PermissionsToSecrets get,set,delete
Set-AzureRmKeyVaultAccessPolicy -VaultName KEY_VAULT_NAME -ServicePrincipalName abfa0a7c-a6b6-4736-8310-5855508787cd -PermissionsToSecrets get

The ServicePrincipalName parameter represents these RPs in the user tenant and will remain the same for all Azure subscriptions. This is a one-time operation. Once you have configured a Key Vault properly, you can use it to store as many App Service Certificates as you want without executing these PowerShell commands again.

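The two access-policy commands quoted above grant the resource providers different permission sets (get, set and delete for Microsoft.CertificateRegistration, only get for Microsoft.Web). The script below is an added example, not from the thread or the quickstart README, that audits an existing vault against exactly that: each RP is reported as OK, ABSENT, MISSING the permissions the README needs (the deployment will fail) or holding EXCESS permissions beyond least privilege. Its input format, the variable names and the helper names are assumptions; the two application IDs are the ones quoted above.

```shell
#!/bin/sh
# Added example, not from the thread or the quickstart README: check that the two
# resource-provider service principals named above hold exactly the Key Vault
# secret permissions the README asks for, flagging anything missing (deployment
# will fail) or extra (more than least privilege).
#
# Assumed input: a file with one line per access policy, "<applicationId> <perms>",
# where <perms> is comma-separated, e.g. "f3c2...413 get,set,delete". Building
# those lines from `az keyvault show --name "$VAULT"` (accessPolicies[] holds
# objectId and permissions.secrets; mapping object IDs back to these
# application IDs is outside this example) is left to the caller.

CERTREG_SPN=f3c21649-0979-4721-ac85-b0216b2cf413   # Microsoft.CertificateRegistration
WEB_SPN=abfa0a7c-a6b6-4736-8310-5855508787cd       # Microsoft.Web

# required_secret_perms APPID -> the permissions the README grants to that RP
required_secret_perms() {
    case "$1" in
        "$CERTREG_SPN") printf 'get,set,delete\n' ;;
        "$WEB_SPN")     printf 'get\n' ;;
        *) return 1 ;;
    esac
}

# perms_diff A B -> comma-separated entries of list A that are not in list B
# (case-insensitive, since the CLI and the portal differ in capitalisation)
perms_diff() {
    a=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr ',' ' ')
    b=",$(printf '%s' "$2" | tr 'A-Z' 'a-z'),"
    out=""
    for p in $a; do
        case "$b" in
            *",$p,"*) ;;
            *) out="${out:+$out,}$p" ;;
        esac
    done
    printf '%s\n' "$out"
}

# audit_policy_file FILE -> one line per RP: OK, ABSENT, MISSING <perms> and/or
# EXCESS <perms>; exit 1 when the deployment would be blocked (ABSENT/MISSING)
audit_policy_file() {
    file="$1"; status=0
    for rp in "$CERTREG_SPN" "$WEB_SPN"; do
        need=$(required_secret_perms "$rp")
        have=$(awk -v id="$rp" '$1 == id { print $2; exit }' "$file")
        if [ -z "$have" ]; then
            printf 'ABSENT %s needs %s\n' "$rp" "$need"
            status=1
            continue
        fi
        missing=$(perms_diff "$need" "$have")
        excess=$(perms_diff "$have" "$need")
        if [ -n "$missing" ]; then
            printf 'MISSING %s %s\n' "$rp" "$missing"
            status=1
        fi
        if [ -n "$excess" ]; then
            printf 'EXCESS %s %s\n' "$rp" "$excess"
        fi
        if [ -z "$missing" ] && [ -z "$excess" ]; then
            printf 'OK %s\n' "$rp"
        fi
    done
    return $status
}
```

A MISSING or ABSENT line is fixed with the Azure CLI equivalent of the PowerShell above, e.g. `az keyvault set-policy --name "$VAULT" --spn "$CERTREG_SPN" --secret-permissions get set delete` and `az keyvault set-policy --name "$VAULT" --spn "$WEB_SPN" --secret-permissions get`; an EXCESS line means the RP has been given more than the README requires and the policy is worth tightening to those sets.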