Export certificates from Azure Key Vault

Learn how to export certificates from Azure Key Vault. You can export certificates by using the Azure CLI, Azure PowerShell, or the Azure portal.

About Azure Key Vault certificates

Azure Key Vault allows you to easily provision, manage, and deploy digital certificates for your network. It also enables secure communications for applications. See Azure Key Vault certificates for more information.

Composition of a certificate

When a Key Vault certificate is created, an addressable key and secret are created that have the same name. The Key Vault key allows key operations. The Key Vault secret allows retrieval of the certificate value as a secret. A Key Vault certificate also contains public x509 certificate metadata. Go to Composition of a certificate for more information.

Exportable and non-exportable keys

After a Key Vault certificate is created, you can retrieve it, together with the private key, from the addressable secret, in PFX or PEM format.

  • Exportable: The policy used to create the certificate indicates the key is exportable.
  • Non-exportable: The policy used to create the certificate indicates the key is non-exportable. In this case, the private key isn't part of the value when it's retrieved as a secret.

Supported key types: RSA, RSA-HSM, EC, EC-HSM, oct (listed here). Exportable is allowed only with RSA and EC keys. HSM keys are non-exportable.

See About Azure Key Vault certificates for more information.

Export stored certificates

You can export stored certificates in Azure Key Vault by using the Azure CLI, Azure PowerShell, or the Azure portal.

Note

A certificate password is required only when you import the certificate into the key vault. Key Vault doesn't save the associated password, so when you export the certificate, the password is blank.

Use the following command in the Azure CLI to download the public portion of a Key Vault certificate.

az keyvault certificate download --file
                                 [--encoding {DER, PEM}]
                                 [--id]
                                 [--name]
                                 [--subscription]
                                 [--vault-name]
                                 [--version]

View examples and parameter definitions for more information.

Downloading as a certificate returns only the public portion. If you want both the private key and the public metadata, download the certificate as a secret.

az keyvault secret download --file {nameofcert.pfx}
                            [--encoding {ascii, base64, hex, utf-16be, utf-16le, utf-8}]
                            [--id]
                            [--name]
                            [--subscription]
                            [--vault-name]
                            [--version]

For more information, see parameter definitions.
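As an added example, not part of the Azure documentation, the following Python script inspects the raw secret value that backs a Key Vault certificate (the value and contentType fields returned by az keyvault secret show) and reports whether you received PEM or PKCS#12 and, for PEM, whether the private key came along, which it does not for a non-exportable key. It relies on the content types application/x-pem-file and application/x-pkcs12 that Key Vault sets on a certificate's backing secret; the sample values at the bottom are constructed and contain no real key material.

```python
import base64
import re

# Content types Key Vault sets on the secret that backs a certificate.
PEM_TYPE = "application/x-pem-file"
PKCS12_TYPE = "application/x-pkcs12"
_PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$", re.MULTILINE)

def pem_block_types(text):
    """Labels of the PEM blocks in the text, e.g. ['CERTIFICATE', 'PRIVATE KEY']."""
    return _PEM_BEGIN.findall(text)

def der_outer(blob):
    """Parse the outer DER SEQUENCE header; return (header_len, total_len) or None."""
    if len(blob) < 2 or blob[0] != 0x30:
        return None
    first = blob[1]
    if first < 0x80:                       # short-form length
        return 2, 2 + first
    n = first & 0x7F                       # long-form: n length bytes follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        return None
    return 2 + n, 2 + n + int.from_bytes(blob[2:2 + n], "big")

def looks_like_pfx(blob):
    """PFX ::= SEQUENCE { version INTEGER(3), authSafe ContentInfo, macData OPTIONAL }.
    A DER certificate also starts with SEQUENCE, but its first element is another
    SEQUENCE (tbsCertificate), not INTEGER 3, so this check tells the two apart."""
    hdr = der_outer(blob)
    if hdr is None or hdr[1] != len(blob):   # truncated or trailing bytes
        return False
    return blob[hdr[0]:hdr[0] + 3] == b"\x02\x01\x03"

def classify_secret(value, content_type):
    """Describe the secret value Key Vault returns for a certificate."""
    if content_type == PEM_TYPE:
        blocks = pem_block_types(value)
        return {"format": "pem", "has_certificate": "CERTIFICATE" in blocks,
                "has_private_key": any(b.endswith("PRIVATE KEY") for b in blocks)}
    if content_type == PKCS12_TYPE:
        blob = base64.b64decode(value, validate=True)   # PFX bytes are stored base64-encoded
        return {"format": "pkcs12", "valid_pfx_envelope": looks_like_pfx(blob), "size": len(blob)}
    raise ValueError("unexpected content type: %r" % content_type)

# Constructed samples, not real key material. A PEM from a non-exportable
# certificate carries only the certificate; an exportable one also has the key.
PEM_PUBLIC_ONLY = "-----BEGIN CERTIFICATE-----\nQUJD\n-----END CERTIFICATE-----\n"
PEM_WITH_KEY = PEM_PUBLIC_ONLY + "-----BEGIN PRIVATE KEY-----\nQUJD\n-----END PRIVATE KEY-----\n"
# Minimal PFX-shaped DER, SEQUENCE { INTEGER 3, SEQUENCE {} }, base64 as Key Vault returns it.
PFX_B64 = base64.b64encode(b"\x30\x05\x02\x01\x03\x30\x00").decode()
```

To write the decoded PFX bytes with the download command above, pass --encoding base64 to az keyvault secret download; the default encoding writes the base64 text itself.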

Read more