Azure Key Vault "Unsupported key size" when importing an RSA certificate if root and intermediate are elliptic curve (EC)

Martin Himken 106 Reputation points MVP
2020-09-18T08:14:26.453+00:00

I receive an error when importing a certificate to an Azure Key Vault and I'm not sure why. It's probably related to https://github.com/Azure/azure-powershell/issues/9241 somehow. Here's the scenario:

  • The root is EC all around: [image 25659-image.png]
  • The intermediate is EC all around: [image 25660-image.png]

The following certificate can be imported, but is unfavorable as long as many old applications don't understand v3 certificates (elliptic curves):
[image 25775-image.png]

The goal, however, is to import the following certificate, which uses v2 and an RSA2048 private key:
[image 25726-image.png]

This apparently results in the following error, regardless of whether it is tried through PowerShell or the GUI (read: website):
[image 25764-image.png]

Is this just not a scenario that has been considered? Is this a bug? It looks a lot like it expects an EC key (hence "Supported sizes are [256, 384, 521]") even though it's an RSA private key.

Further information:
I stumbled upon this when trying to create a VMMS for Cloud Management Gateway through the ConfigMgr Technical Preview 2009. However, since this seems to be a general issue regarding Azure Key Vault (as the "bad request" shows up in the CloudMgr.log as a response from Azure) I opened this question here. The issue has also been reported to software engineers from ME-CM. There's an additional but non-related issue that the MECM Console crashes right now if the certificate is v3.

Azure Key Vault

Accepted answer
    Martin Himken 106 Reputation points MVP
    2020-09-24T14:24:25.777+00:00

    Ok, I was able to do it today. The following certificate can be uploaded successfully. Redoing the CA, retracing my steps and recreating all certificates was a pain, but apparently worth it. Apparently I selected the wrong algo somewhere down the setup. These are the exact same certificate templates; these were not touched. Seems I somewhere configured ECDSA to be the default instead of ECDH.

    [image 28124-image.png]

    Root now looks like this:
    [image 28074-image.png]

    And SubCA like this:
    [image 28030-image.png]

    So as long as the customers didn't make the same mistakes I did (wherever these were made), this works.

    Additional Info:

    • Root CA and Sub CA Registry Info 1+2 (EncryptionCSP and CSP) - however, according to the registry backup these are the same as before
      [image 28055-image.png]
      [image 28018-image.png]
    • The template now has the following settings available (where it only had ECDSA before)
      [image 28075-image.png]

    The only issue that still remains, but is unrelated to Key Vault, is the MEMCM Console crashing when using an ECDH_P384 key.

    This topic should be answered with this. Thanks for your support.

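A pre-import check that would have surfaced the problem in this thread before Key Vault did, added here as an example and not code from the thread or from any Microsoft tooling: it lists the public-key algorithm and size of every certificate in a PEM bundle and flags anything outside the RSA and EC sizes Key Vault accepts, so an RSA leaf behind EC issuers, or a wrong-sized key, is visible up front. It assumes openssl on PATH and PEM input; all file names are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Azure: summarise the public-key
# algorithm and size of every certificate in a PEM bundle before importing it into
# Key Vault. Assumes openssl on PATH and a PEM input (convert a PFX first with
# "openssl pkcs12 -in cert.pfx -nodes -out chain.pem"); file names are constructed.

# Print "<algorithm> <bits>" for one PEM certificate, e.g. "rsaEncryption 2048"
# or "id-ecPublicKey 384". Matches the -text output of OpenSSL 1.1.1 and 3.x.
cert_key_info() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | awk '
    /Public Key Algorithm:/ { alg = $NF }
    /Public-Key: \([0-9]+ bit\)/ {
      match($0, /\([0-9]+ bit\)/)
      bits = substr($0, RSTART + 1, RLENGTH - 6)
    }
    END { print alg, bits }'
}

# Key Vault accepts RSA 2048/3072/4096 and EC P-256/P-384/P-521; the
# "[256, 384, 521]" list in the error above is the EC list, applied to an RSA key.
key_vault_accepts() {
  case "$1 $2" in
    "rsaEncryption 2048"|"rsaEncryption 3072"|"rsaEncryption 4096") return 0 ;;
    "id-ecPublicKey 256"|"id-ecPublicKey 384"|"id-ecPublicKey 521") return 0 ;;
    *) return 1 ;;
  esac
}

# Report every certificate in a bundle (leaf first, then issuers); return 1 if any
# certificate has a key type/size Key Vault would not accept.
check_chain() {
  bundle="$1"; rc=0
  tmpdir=$(mktemp -d)
  # split the bundle into one file per certificate, dropping text before the first cert
  awk -v d="$tmpdir" '/-----BEGIN CERTIFICATE-----/ { n++ }
                      n > 0 { print > (d "/cert" n ".pem") }' "$bundle"
  for f in "$tmpdir"/cert*.pem; do
    set -- $(cert_key_info "$f")
    subj=$(openssl x509 -in "$f" -noout -subject 2>/dev/null)
    if key_vault_accepts "$1" "$2"; then status=ok; else status=REJECT; rc=1; fi
    printf '%s: %s %s bit [%s]\n' "$status" "$1" "$2" "$subj"
  done
  rm -rf "$tmpdir"
  return $rc
}
```

Run it as `check_chain chain.pem`; a non-zero exit means at least one certificate in the bundle would be refused, and the REJECT lines name which.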

0 additional answers
