Learn how to export certificates from Azure Key Vault. You can export certificates by using the Azure CLI, Azure PowerShell, or the Azure portal.
About Azure Key Vault certificates
Azure Key Vault allows you to easily provision, manage, and deploy digital certificates for your network. It also enables secure communications for applications. See Azure Key Vault certificates for more information.
Composition of a certificate
When a Key Vault certificate is created, an addressable key and secret are created that have the same name. The Key Vault key allows key operations. The Key Vault secret allows retrieval of the certificate value as a secret. A Key Vault certificate also contains public x509 certificate metadata. Go to Composition of a certificate for more information.
Exportable and non-exportable keys
After a Key Vault certificate is created, you can retrieve it, together with its private key, from the addressable secret. The certificate can be retrieved in PFX or PEM format.
Exportable: The policy used to create the certificate indicates the key is exportable.
Non-exportable: The policy used to create the certificate indicates the key is non-exportable. In this case, the private key isn't part of the value when it's retrieved as a secret.
Supported key types: RSA, RSA-HSM, EC, EC-HSM, oct.
Exportable is allowed only with the RSA and EC key types. HSM keys are non-exportable.
You can export stored certificates in Azure Key Vault by using the Azure CLI, Azure PowerShell, or the Azure portal.
Note
A certificate password is required only when you import the certificate into the key vault. Key Vault doesn't save the associated password. When you export the certificate, the password is blank.
Use this command in Azure PowerShell to get the certificate named TestCert01 from the key vault named ContosoKV01. To download the certificate as a PFX file, run the following command. These commands access SecretId, and then save the content as a PFX file.
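The following is an added example, not code from the original page. It shows one way to perform the export with the Az.KeyVault module while handling the cases described above: a non-exportable policy, a PEM-backed secret, and the blank password on the exported PFX. The output file names and the password prompt are assumptions.

```powershell
# Added example: output paths and the password prompt are assumptions.
# Requires the Az.KeyVault module and an authenticated session (Connect-AzAccount).
$vaultName = 'ContosoKV01'
$certName  = 'TestCert01'

# 1. Check the policy first: with a non-exportable key, the private key
#    is not part of the value returned by the secret.
$policy = Get-AzKeyVaultCertificatePolicy -VaultName $vaultName -Name $certName
if ($policy.Exportable -eq $false) {
    throw "Policy for '$certName' marks the key as non-exportable; the private key cannot be retrieved."
}

# 2. The certificate value is held in the secret that has the same name as the certificate.
$secretText = Get-AzKeyVaultSecret -VaultName $vaultName -Name $certName -AsPlainText

if ($policy.SecretContentType -eq 'application/x-pem-file') {
    # PEM-backed certificate: the secret value is already PEM text,
    # including the unencrypted private key. Restrict access to this file.
    Set-Content -Path (Join-Path $PWD "$certName.pem") -Value $secretText -NoNewline
}
else {
    # PKCS#12-backed certificate: the secret value is a base64-encoded PFX
    # whose password is blank.
    $pfxBytes = [Convert]::FromBase64String($secretText)
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
    $x509  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxBytes, '', $flags)

    # 3. Re-export under a password so the private key is not written to disk unprotected.
    $password = Read-Host -Prompt 'Password for exported PFX' -AsSecureString
    $type = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx
    $outPath = Join-Path $PWD "$certName.pfx"
    [System.IO.File]::WriteAllBytes($outPath, $x509.Export($type, $password))
    $x509.Dispose()
}

# Drop the plaintext secret from the session once the file is written.
Remove-Variable -Name secretText
```

Loading the PFX into a single X509Certificate2 object keeps only one certificate and its key; if intermediate certificates must be preserved, import into an X509Certificate2Collection instead.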
On the Azure portal, after you create/import a certificate on the Certificate blade, you get a notification that the certificate is successfully created. Select the certificate and the current version to see the option to download.
To download the certificate, select Download in CER format or Download in PFX/PEM format.
Export Azure App Service certificates
Azure App Service certificates are a convenient way to purchase SSL certificates. You can assign them to Azure Apps from within the portal. After you import them, the App Service certificates are located under secrets.