Import-AzKeyVaultCertificate

Module:

Az.KeyVault

Imports a certificate to a key vault.

Syntax

Import-AzKeyVaultCertificate
      [-VaultName] <String>
      [-Name] <String>
      -FilePath <String>
      [-Password <SecureString>]
      [-PolicyPath <String>]
      [-PolicyObject <PSKeyVaultCertificatePolicy>]
      [-Tag <Hashtable>]
      [-DefaultProfile <IAzureContextContainer>]
      [-WhatIf]
      [-Confirm]
      [<CommonParameters>]

Import-AzKeyVaultCertificate
      [-VaultName] <String>
      [-Name] <String>
      -CertificateString <String>
      [-ContentType <String>]
      [-Password <SecureString>]
      [-PolicyPath <String>]
      [-PolicyObject <PSKeyVaultCertificatePolicy>]
      [-Tag <Hashtable>]
      [-DefaultProfile <IAzureContextContainer>]
      [-WhatIf]
      [-Confirm]
      [<CommonParameters>]

Import-AzKeyVaultCertificate
      [-VaultName] <String>
      [-Name] <String>
      [-PolicyPath <String>]
      [-PolicyObject <PSKeyVaultCertificatePolicy>]
      [-CertificateCollection] <X509Certificate2Collection>
      [-Tag <Hashtable>]
      [-DefaultProfile <IAzureContextContainer>]
      [-WhatIf]
      [-Confirm]
      [<CommonParameters>]

Description

The Import-AzKeyVaultCertificate cmdlet imports a certificate into a key vault. You can create the certificate to import by using one of the following methods:

• Use Add-AzKeyVaultCertificate to create a certificate signing request and submit it to a certificate authority. See https://learn.microsoft.com/azure/key-vault/certificates/create-certificate-signing-request
• Use an existing certificate package file, such as a .pfx or .p12 file, which contains both the certificate and private key.

Examples

Example 1: Import a key vault certificate

$Password = ConvertTo-SecureString -String "****" -AsPlainText -Force
Import-AzKeyVaultCertificate -VaultName "ContosoKV01" -Name "ImportCert01" -FilePath "C:\Users\contosoUser\Desktop\import.pfx" -Password $Password

Name        : importCert01
Certificate : [Subject]
                CN=contoso.com

              [Issuer]
                CN=contoso.com

              [Serial Number]
                XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

              [Not Before]
                2/8/2016 3:11:45 PM

              [Not After]
                8/8/2016 4:21:45 PM

              [Thumbprint]
                XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Thumbprint  : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Tags        :
Enabled     : True
Created     : 2/8/2016 11:50:43 PM
Updated     : 2/8/2016 11:50:43 PM

The first command uses the ConvertTo-SecureString cmdlet to create a secure password, and then stores it in the $Password variable. The second command imports the certificate named ImportCert01 into the CosotosoKV01 key vault.

Example 2: Import a key vault certificate by CertificateString

$Password = ConvertTo-SecureString -String "****" -AsPlainText -Force
$Base64String = [System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes("import.pfx"))
Import-AzKeyVaultCertificate -VaultName "ContosoKV01" -Name "ImportCert01" -CertificateString $Base64String -Password $Password

Name        : importCert01
Certificate : [Subject]
                CN=contoso.com

              [Issuer]
                CN=contoso.com

              [Serial Number]
                XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

              [Not Before]
                2/8/2016 3:11:45 PM

              [Not After]
                8/8/2016 4:21:45 PM

              [Thumbprint]
                XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Thumbprint  : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Tags        :
Enabled     : True
Created     : 2/8/2016 11:50:43 PM
Updated     : 2/8/2016 11:50:43 PM

The first command uses the ConvertTo-SecureString cmdlet to create a secure password, and then stores it in the $Password variable. The second command reads a certificate as a Base64 encoded representation. The third command imports the certificate named ImportCert01 into the CosotosoKV01 key vault.

Example 3: Import a key vault certificate with PolicyFile

$Password = ConvertTo-SecureString -String "****" -AsPlainText -Force
Import-AzKeyVaultCertificate -VaultName "ContosoKV01" -Name "ImportCert01" -FilePath "C:\Users\contosoUser\Desktop\import.pfx" -Password $Password -PolicyPath "C:\Users\contosoUser\Desktop\policy.json"

Name        : importCert01
Certificate : [Subject]
                CN=contoso.com

              [Issuer]
                CN=contoso.com

              [Serial Number]
                XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

              [Not Before]
                2/8/2016 3:11:45 PM

              [Not After]
                8/8/2016 4:21:45 PM

              [Thumbprint]
                XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

KeyId         : https://ContosoKV01.vault.azure.net/keys/ImportCert01/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
SecretId      : https://ContosoKV01.vault.azure.net/secrets/ImportCert01/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Thumbprint    : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Policy        :
                Secret Content Type: application/x-pkcs12
                Issuer Name    : Unknown
                Created On     : 3/22/2023 6:00:52 AM
                Updated On     : 4/27/2023 9:52:53 AM
                ...
RecoveryLevel : Recoverable+Purgeable
Enabled       : True
Expires       : 6/9/2023 6:20:26 AM
NotBefore     : 3/11/2023 6:20:26 AM
Created       : 4/24/2023 9:05:51 AM
Updated       : 4/24/2023 9:05:51 AM
Tags          : {}
VaultName     : ContosoKV01
Name          : ImportCert01
Version       : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Id            : https://ContosoKV01.vault.azure.net/certificates/ImportCert01/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

The first command uses the ConvertTo-SecureString cmdlet to create a secure password, and then stores it in the $Password variable. The second command imports the certificate named ImportCert01 into the CosotosoKV01 key vault with a policy defined by file.

Parameters

-CertificateCollection

Specifies the certificate collection to add to a key vault.

Type:	X509Certificate2Collection
Position:	2
Default value:	None
Required:	True
Accept pipeline input:	True
Accept wildcard characters:	False

-CertificateString

Base64 encoded representation of the certificate object to import. This certificate needs to contain the private key.

Type:	String
Position:	Named
Default value:	None
Required:	True
Accept pipeline input:	False
Accept wildcard characters:	False

-Confirm

Prompts you for confirmation before running the cmdlet.

Type:	SwitchParameter
Aliases:	cf
Position:	Named
Default value:	None
Required:	False
Accept pipeline input:	False
Accept wildcard characters:	False

-ContentType

Specifies the type of the certificate to be imported. Regards certificate string as PFX format by default.

Type:	String
Position:	Named
Default value:	None
Required:	False
Accept pipeline input:	False
Accept wildcard characters:	False

-DefaultProfile

The credentials, account, tenant, and subscription used for communication with azure

Type:	IAzureContextContainer
Aliases:	AzContext, AzureRmContext, AzureCredential
Position:	Named
Default value:	None
Required:	False
Accept pipeline input:	False
Accept wildcard characters:	False

-FilePath

Specifies the path of the certificate file that this cmdlet imports.

Type:	String
Position:	Named
Default value:	None
Required:	True
Accept pipeline input:	False
Accept wildcard characters:	False

-Name

Specifies the certificate name. This cmdlet constructs the fully qualified domain name (FQDN) of a certificate from key vault name, currently selected environment, and certificate name.

Type:	String
Aliases:	CertificateName
Position:	1
Default value:	None
Required:	True
Accept pipeline input:	True
Accept wildcard characters:	False

-Password

Specifies the password for a certificate file.

Type:	SecureString
Position:	Named
Default value:	None
Required:	False
Accept pipeline input:	False
Accept wildcard characters:	False

-PolicyObject

An in-memory object to specify management policy for the certificate. Mutual-exclusive to PolicyPath.

Type:	PSKeyVaultCertificatePolicy
Position:	Named
Default value:	None
Required:	False
Accept pipeline input:	True
Accept wildcard characters:	False

-PolicyPath

A file path to specify management policy for the certificate that contains JSON encoded policy definition. Mutual-exclusive to PolicyObject.

Type:	String
Position:	Named
Default value:	None
Required:	False
Accept pipeline input:	False
Accept wildcard characters:	False

-Tag

Key-value pairs in the form of a hash table. For example: @{key0="value0";key1=$null;key2="value2"}

Type:	Hashtable
Position:	Named
Default value:	None
Required:	False
Accept pipeline input:	True
Accept wildcard characters:	False

-VaultName

Specifies the key vault name into which this cmdlet imports certificates. This cmdlet constructs the fully qualified domain name (FQDN) of a key vault based on the name and currently selected environment.

Type:	String
Position:	0
Default value:	None
Required:	True
Accept pipeline input:	True
Accept wildcard characters:	False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type:	SwitchParameter
Aliases:	wi
Position:	Named
Default value:	None
Required:	False
Accept pipeline input:	False
Accept wildcard characters:	False

Inputs

String

X509Certificate2Collection

Hashtable

Outputs

PSKeyVaultCertificate

Related Links

• Remove-AzKeyVaultCertificate
• Creating and merging CSR in Key Vault