Import-AzKeyVaultCertificate

Module:

Az.KeyVault Module

Imports a certificate to a key vault.

Syntax

ImportCertificateFromFile (Default)

Import-AzKeyVaultCertificate
    [-VaultName] <String>
    [-Name] <String>
    -FilePath <String>
    [-Password <SecureString>]
    [-PolicyPath <String>]
    [-PolicyObject <PSKeyVaultCertificatePolicy>]
    [-Tag <Hashtable>]
    [-DefaultProfile <IAzureContextContainer>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

ImportWithPrivateKeyFromString

Import-AzKeyVaultCertificate
    [-VaultName] <String>
    [-Name] <String>
    -CertificateString <String>
    [-ContentType <String>]
    [-Password <SecureString>]
    [-PolicyPath <String>]
    [-PolicyObject <PSKeyVaultCertificatePolicy>]
    [-Tag <Hashtable>]
    [-DefaultProfile <IAzureContextContainer>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

ImportWithPrivateKeyFromCollection

Import-AzKeyVaultCertificate
    [-VaultName] <String>
    [-Name] <String>
    [-CertificateCollection] <X509Certificate2Collection>
    [-PolicyPath <String>]
    [-PolicyObject <PSKeyVaultCertificatePolicy>]
    [-Tag <Hashtable>]
    [-DefaultProfile <IAzureContextContainer>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

Description

The Import-AzKeyVaultCertificate cmdlet imports a certificate into a key vault. You can create the certificate to import by using one of the following methods:

• Use Add-AzKeyVaultCertificate to create a certificate signing request and submit it to a certificate authority. See https://learn.microsoft.com/azure/key-vault/certificates/create-certificate-signing-request
• Use an existing certificate package file, such as a .pfx or .p12 file, which contains both the certificate and private key.

Examples

Example 1: Import a key vault certificate

$Password = ConvertTo-SecureString -String "****" -AsPlainText -Force
Import-AzKeyVaultCertificate -VaultName "ContosoKV01" -Name "ImportCert01" -FilePath "C:\Users\contosoUser\Desktop\import.pfx" -Password $Password

Name        : importCert01
Certificate : [Subject]
                CN=contoso.com

              [Issuer]
                CN=contoso.com

              [Serial Number]
                XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

              [Not Before]
                2/8/2016 3:11:45 PM

              [Not After]
                8/8/2016 4:21:45 PM

              [Thumbprint]
                XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Thumbprint  : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Tags        :
Enabled     : True
Created     : 2/8/2016 11:50:43 PM
Updated     : 2/8/2016 11:50:43 PM

The first command uses the ConvertTo-SecureString cmdlet to create a secure password, and then stores it in the $Password variable. The second command imports the certificate named ImportCert01 into the CosotosoKV01 key vault.

Example 2: Import a key vault certificate by CertificateString

$Password = ConvertTo-SecureString -String "****" -AsPlainText -Force
$Base64String = [System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes("import.pfx"))
Import-AzKeyVaultCertificate -VaultName "ContosoKV01" -Name "ImportCert01" -CertificateString $Base64String -Password $Password

Name        : importCert01
Certificate : [Subject]
                CN=contoso.com

              [Issuer]
                CN=contoso.com

              [Serial Number]
                XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

              [Not Before]
                2/8/2016 3:11:45 PM

              [Not After]
                8/8/2016 4:21:45 PM

              [Thumbprint]
                XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Thumbprint  : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Tags        :
Enabled     : True
Created     : 2/8/2016 11:50:43 PM
Updated     : 2/8/2016 11:50:43 PM

The first command uses the ConvertTo-SecureString cmdlet to create a secure password, and then stores it in the $Password variable. The second command reads a certificate as a Base64 encoded representation. The third command imports the certificate named ImportCert01 into the CosotosoKV01 key vault.

Example 3: Import a key vault certificate with PolicyFile

$Password = ConvertTo-SecureString -String "****" -AsPlainText -Force
Import-AzKeyVaultCertificate -VaultName "ContosoKV01" -Name "ImportCert01" -FilePath "C:\Users\contosoUser\Desktop\import.pfx" -Password $Password -PolicyPath "C:\Users\contosoUser\Desktop\policy.json"

Name        : importCert01
Certificate : [Subject]
                CN=contoso.com

              [Issuer]
                CN=contoso.com

              [Serial Number]
                XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

              [Not Before]
                2/8/2016 3:11:45 PM

              [Not After]
                8/8/2016 4:21:45 PM

              [Thumbprint]
                XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

KeyId         : https://ContosoKV01.vault.azure.net/keys/ImportCert01/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
SecretId      : https://ContosoKV01.vault.azure.net/secrets/ImportCert01/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Thumbprint    : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Policy        :
                Secret Content Type: application/x-pkcs12
                Issuer Name    : Unknown
                Created On     : 3/22/2023 6:00:52 AM
                Updated On     : 4/27/2023 9:52:53 AM
                ...
RecoveryLevel : Recoverable+Purgeable
Enabled       : True
Expires       : 6/9/2023 6:20:26 AM
NotBefore     : 3/11/2023 6:20:26 AM
Created       : 4/24/2023 9:05:51 AM
Updated       : 4/24/2023 9:05:51 AM
Tags          : {}
VaultName     : ContosoKV01
Name          : ImportCert01
Version       : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Id            : https://ContosoKV01.vault.azure.net/certificates/ImportCert01/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

The first command uses the ConvertTo-SecureString cmdlet to create a secure password, and then stores it in the $Password variable. The second command imports the certificate named ImportCert01 into the CosotosoKV01 key vault with a policy defined by file.

Parameters

-CertificateCollection

Specifies the certificate collection to add to a key vault.

Parameter properties

Type:	X509Certificate2Collection
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

ImportWithPrivateKeyFromCollection

Position:	2
Mandatory:	True
Value from pipeline:	True
Value from pipeline by property name:	False
Value from remaining arguments:	False

-CertificateString

Base64 encoded representation of the certificate object to import. This certificate needs to contain the private key.

Parameter properties

Type:	String
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

ImportWithPrivateKeyFromString

Position:	Named
Mandatory:	True
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-Confirm

Prompts you for confirmation before running the cmdlet.

Parameter properties

Type:	SwitchParameter
Default value:	None
Supports wildcards:	False
DontShow:	False
Aliases:	cf

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-ContentType

Specifies the type of the certificate to be imported. Regards certificate string as PFX format by default.

Parameter properties

Type:	String
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

ImportWithPrivateKeyFromString

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-DefaultProfile

The credentials, account, tenant, and subscription used for communication with azure

Parameter properties

Type:	IAzureContextContainer
Default value:	None
Supports wildcards:	False
DontShow:	False
Aliases:	AzContext, AzureRmContext, AzureCredential

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-FilePath

Specifies the path of the certificate file that this cmdlet imports.

Parameter properties

Type:	String
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

ImportCertificateFromFile

Position:	Named
Mandatory:	True
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-Name

Specifies the certificate name. This cmdlet constructs the fully qualified domain name (FQDN) of a certificate from key vault name, currently selected environment, and certificate name.

Parameter properties

Type:	String
Default value:	None
Supports wildcards:	False
DontShow:	False
Aliases:	CertificateName

Parameter sets

(All)

Position:	1
Mandatory:	True
Value from pipeline:	False
Value from pipeline by property name:	True
Value from remaining arguments:	False

-Password

Specifies the password for a certificate file.

Parameter properties

Type:	SecureString
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

ImportCertificateFromFile

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

ImportWithPrivateKeyFromString

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-PolicyObject

An in-memory object to specify management policy for the certificate. Mutual-exclusive to PolicyPath.

Parameter properties

Type:	PSKeyVaultCertificatePolicy
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	True
Value from pipeline by property name:	False
Value from remaining arguments:	False

-PolicyPath

A file path to specify management policy for the certificate that contains JSON encoded policy definition. Mutual-exclusive to PolicyObject.

Parameter properties

Type:	String
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-Tag

Key-value pairs in the form of a hash table. For example: @{key0="value0";key1=$null;key2="value2"}

Parameter properties

Type:	Hashtable
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	True
Value from remaining arguments:	False

-VaultName

Specifies the key vault name into which this cmdlet imports certificates. This cmdlet constructs the fully qualified domain name (FQDN) of a key vault based on the name and currently selected environment.

Parameter properties

Type:	String
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

(All)

Position:	0
Mandatory:	True
Value from pipeline:	False
Value from pipeline by property name:	True
Value from remaining arguments:	False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Parameter properties

Type:	SwitchParameter
Default value:	None
Supports wildcards:	False
DontShow:	False
Aliases:	wi

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

Inputs

String

X509Certificate2Collection

Hashtable

Outputs

PSKeyVaultCertificate

Related Links

• Remove-AzKeyVaultCertificate
• Creating and merging CSR in Key Vault