How can I create an X509Certificate2 object from an Azure Key Vault KeyBundle

Backend · Unresolved · 3 · 817

死守一世寂寞 2021-02-19 17:56

I am using Azure Key Vault to protect our keys and secrets, but I am unsure how I can use the KeyBundle I retrieve using the .net SDK. How can I create an X509Certificate2 objec

3 answers
  •  悲&欢浪女
    2021-02-19 18:22

    When you import / create a certificate in KeyVault, 3 entities are created:

    • Certificate - contains all the relevant details about the certificate, including its public part (i.e. public key, validity period, thumbprint etc.)

    • Secret - contains the private key (which is the private part of the certificate) in base64

    • Key - I don't know, but irrelevant for this thread.

    You could create an X509Certificate2 object from either the Certificate object or the Secret object.

    In case you want the X509Certificate2 to contain the private key, then of course you would need to fetch the Secret entity's value and do the following:

    using System;
    using System.Security.Cryptography.X509Certificates;
    using Microsoft.Azure.KeyVault;         // legacy SDK: KeyVaultClient
    using Microsoft.Azure.KeyVault.Models;  // SecretBundle

    // keyVaultClient is an already-authenticated KeyVaultClient; the identifier is the
    // /secrets/ URL of the certificate (the secret shares the certificate's name).
    SecretBundle certificatePrivateKeySecretBundle =
        await keyVaultClient.GetSecretAsync(certificateIdentifierSecretPart);

    // The secret value is the base64-encoded PFX (PKCS#12) that carries the private key.
    byte[] privateKeyBytes = Convert.FromBase64String(certificatePrivateKeySecretBundle.Value);
    // Password is null: the PFX handed out by Key Vault is not password protected.
    X509Certificate2 certificateWithPrivateKey =
        new X509Certificate2(privateKeyBytes, (string) null, X509KeyStorageFlags.MachineKeySet);
    

    The certificateIdentifierSecretPart equals the certificate's secret part path: https://.vaults.azure.net/secrets/

    Note the /secrets/ path.
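The same retrieval written against the current Azure SDK (Azure.Security.KeyVault.Secrets + Azure.Identity, .NET 6 or later), as an added example that is not part of the answer above. It handles both content types a Key Vault certificate secret can have (PKCS#12 or PEM), keeps the private key in memory with EphemeralKeySet instead of persisting it in the machine key store, and wipes the decoded PFX bytes afterwards. The vault URL and certificate name in Main are placeholders; the caller's identity needs the "secrets/get" permission (or the Key Vault Secrets User role), since the private key is read through the secret, not the certificate, endpoint.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

static class KeyVaultCertificateLoader
{
    // Content types Key Vault assigns to a certificate's backing secret.
    private const string Pkcs12ContentType = "application/x-pkcs12";
    private const string PemContentType    = "application/x-pem-file";

    // Loads the certificate together with its private key. Assumes the certificate
    // policy marks the key as exportable; otherwise the secret carries no usable key
    // and signing has to be done through Key Vault's key operations instead.
    public static async Task<X509Certificate2> LoadWithPrivateKeyAsync(Uri vaultUri, string certificateName)
    {
        // The secret has the same name as the certificate and lives under /secrets/.
        var client = new SecretClient(vaultUri, new DefaultAzureCredential());
        KeyVaultSecret secret = await client.GetSecretAsync(certificateName);

        // EphemeralKeySet: key material stays in process memory and is not written
        // to the user or machine key store (MachineKeySet in the answer above persists it).
        const X509KeyStorageFlags flags = X509KeyStorageFlags.EphemeralKeySet;

        switch (secret.Properties.ContentType)
        {
            case Pkcs12ContentType:
                // Value is a base64 PFX without a password.
                byte[] pfx = Convert.FromBase64String(secret.Value);
                try
                {
                    return new X509Certificate2(pfx, (string)null, flags);
                }
                finally
                {
                    Array.Clear(pfx, 0, pfx.Length); // scrub the decoded key material
                }

            case PemContentType:
                // Value is PEM text containing both the CERTIFICATE block and the
                // (unencrypted) PRIVATE KEY block; CreateFromPem finds each in the same text.
                return X509Certificate2.CreateFromPem(secret.Value, secret.Value);

            default:
                throw new InvalidOperationException(
                    $"Secret '{certificateName}' has content type '{secret.Properties.ContentType}', " +
                    "which is not a Key Vault certificate secret.");
        }
    }

    // Sanity check a practitioner wants before handing the certificate to TLS or signing code.
    public static bool IsUsable(X509Certificate2 cert) =>
        cert.HasPrivateKey && DateTime.UtcNow >= cert.NotBefore.ToUniversalTime()
                           && DateTime.UtcNow <  cert.NotAfter.ToUniversalTime();

    static async Task Main()
    {
        // Placeholders: replace with your vault URL and certificate name.
        var vault = new Uri("https://my-vault.vault.azure.net/");
        using X509Certificate2 cert = await LoadWithPrivateKeyAsync(vault, "my-certificate");

        Console.WriteLine($"Thumbprint: {cert.Thumbprint}");
        Console.WriteLine($"Has private key: {cert.HasPrivateKey}, usable now: {IsUsable(cert)}");
    }
}
```

Two caveats when using the result: on Windows, SChannel (SslStream, HttpClient client certificates) cannot use a key held only in an ephemeral key set, so for TLS client authentication on Windows re-import the certificate with `new X509Certificate2(cert.Export(X509ContentType.Pfx))` or persist it with a key set flag; and dispose the X509Certificate2 when finished, since disposal is what releases the in-memory private key.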
