Backup-AzKeyVaultCertificate

Backs up a certificate in a key vault.

Syntax

Backup-AzKeyVaultCertificate
      [-VaultName] <String>
      [-Name] <String>
      [[-OutputFile] <String>]
      [-Force]
      [-DefaultProfile <IAzureContextContainer>]
      [-WhatIf]
      [-Confirm]
      [<CommonParameters>]
Backup-AzKeyVaultCertificate
      [-InputObject] <PSKeyVaultCertificateIdentityItem>
      [[-OutputFile] <String>]
      [-Force]
      [-DefaultProfile <IAzureContextContainer>]
      [-WhatIf]
      [-Confirm]
      [<CommonParameters>]

Description

The Backup-AzKeyVaultCertificate cmdlet backs up a specified certificate in a key vault by downloading it and storing it in a file. If the certificate has multiple versions, all its versions will be included in the backup. Because the downloaded content is encrypted, it cannot be used outside of Azure Key Vault. You can restore a backed-up certificate to any key vault in the subscription that it was backed up from, as long as the vault is in the same Azure geography. Typical reasons to use this cmdlet are:

  • You want to retain an offline copy of the certificate in case you accidentally delete the original from the vault.

  • You created a certificate using Key Vault and now want to clone the object into a different Azure region, so that you can use it from all instances of your distributed application. Use the Backup-AzKeyVaultCertificate cmdlet to retrieve the certificate in encrypted format and then use the Restore-AzKeyVaultCertificate cmdlet and specify a key vault in the second region.

Examples

Example 1: Back up a certificate with an automatically generated file name

Backup-AzKeyVaultCertificate -VaultName 'mykeyvault' -Name 'mycert'

C:\Users\username\mykeyvault-mycert-1527029447.01191

This command retrieves the certificate named MyCert from the key vault named MyKeyVault and saves a backup of that certificate to a file that is automatically named for you, and displays the file name.

Example 2: Back up a certificate to a specified file name

Backup-AzKeyVaultCertificate -VaultName 'MyKeyVault' -Name 'MyCert' -OutputFile 'C:\Backup.blob'

C:\Backup.blob

This command retrieves the certificate named MyCert from the key vault named MyKeyVault and saves a backup of that certificate to a file named Backup.blob.

Example 3: Back up a previously retrieved certificate to a specified file name, overwriting the destination file without prompting.

$cert = Get-AzKeyVaultCertificate -VaultName 'MyKeyVault' -Name 'MyCert'
Backup-AzKeyVaultCertificate -Certificate $cert -OutputFile 'C:\Backup.blob' -Force

C:\Backup.blob

This command creates a backup of the certificate named $cert.Name in the vault named $cert.VaultName to a file named Backup.blob, silently overwriting the file if it exists already.

Parameters

-Confirm

Prompts you for confirmation before running the cmdlet.

Type:SwitchParameter
Aliases:cf
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-DefaultProfile

The credentials, account, tenant, and subscription used for communication with Azure.

Type:IAzureContextContainer
Aliases:AzContext, AzureRmContext, AzureCredential
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Force

Overwrite the given file if it exists

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-InputObject

Secret to be backed up, pipelined in from the output of a retrieval call.

Type:PSKeyVaultCertificateIdentityItem
Aliases:Certificate
Position:0
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-Name

Secret name. Cmdlet constructs the FQDN of a secret from vault name, currently selected environment and secret name.

Type:String
Aliases:SecretName
Position:1
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-OutputFile

Output file. The output file to store the backup of the certificate. If not specified, a default filename will be generated.

Type:String
Position:2
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-VaultName

Vault name. Cmdlet constructs the FQDN of a vault based on the name and currently selected environment.

Type:String
Position:0
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type:SwitchParameter
Aliases:wi
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

Inputs

PSKeyVaultCertificateIdentityItem

Outputs

String