How can I create an X509Certificate2 object from an Azure Key Vault KeyBundle

后端 未结 3 831
死守一世寂寞
死守一世寂寞 2021-02-19 17:56

I am using Azure Key Vault to protect our keys and secrets, but I am unsure how I can use the KeyBundle I retrieve using the .net SDK. How can I create an X509Certificate2 objec

3条回答
  •  悲&欢浪女
    2021-02-19 18:22

    When you import / create a certificate in KeyVault, 3 entities are created:

    • Certificate - contains all the relevant details about the certificate, including its public part (i.e. public key, validity period, thumbprint etc.)

    • Secret - contains the private key (which is the private part of the certificate) in base64

    • Key - I don't know, but irrelevant for this thread.

    You could create X509Certificate2 object with either the Certificate object or the Secret object.

    In case you want the X509Certificate2 to contain the private key, then of course you would need to fetch the Secret entity's value and do the following:

    SecretBundle certificatePrivateKeySecretBundle =
        await keyVaultClient.GetSecretAsync(certificateIdentifierSecretPart);
    
    byte[] privateKeyBytes = Convert.FromBase64String(certificatePrivateKeySecretBundle.Value);
    X509Certificate2 certificateWithPrivateKey = new X509Certificate2(privateKeyBytes, (string) null, X509KeyStorageFlags.MachineKeySet);
    

    The certificateIdentifierSecretPart equals the certificate's secret part path: https://.vaults.azure.net/secrets/

    Note the /secrets/ path.

提交回复
热议问题