I purchased a wild card certificate from azure. It sits right now in the Key Vault. I need to upload it to our other server which hosts one of our other applications for the
I've found @dmitry-kazakov's answer to be helpful, but had to perform some minor updates to get it to work for me.
First I had to execute this command and assign it to $azureUserPrincipalName
:
PS Azure:\> Get-Azureaduser
ObjectId DisplayName UserPrincipalName UserType
-------- ----------- ----------------- --------
89500455-0019-4059-8ef8-f1w32993z520 A User rmoore_roundlabinc.com#EXT#@rmooreroundlabinc.onmicrosoft.com Member
Then here is the updated script:
$appServiceCertificateName = "ascdemo" #This is the "Subject Name" in Azure, not "Name"
$resourceGroupName = "ascdemorg"
$azureLoginEmailId = "user@microsoft.com"
$subscriptionId = "fb2c25dc-6bab-45c4-8cc9-cece7c42a95a"
$azureUserPrincipalName = "user@microsoft.com#EXT#@user@microsoft.com.onmicrosoft.com"
Login-AzureRmAccount
Set-AzureRmContext -SubscriptionId $subscriptionId
$ascResource= Get-AzureRmResource -ResourceName $appServiceCertificateName -ResourceGroupName $resourceGroupName -ResourceType "Microsoft.CertificateRegistration/certificateOrders" -ApiVersion "2019-05-01"
$keyVaultId = ""
$keyVaultSecretName = ""
$certificateProperties=Get-Member -InputObject $ascResource.Properties.certificates[0] -MemberType NoteProperty
$certificateName = $certificateProperties[0].Name
$keyVaultId = $ascResource.Properties.certificates[0].$certificateName.KeyVaultId
$keyVaultSecretName = $ascResource.Properties.certificates[0].$certificateName.KeyVaultSecretName
$keyVaultIdParts = $keyVaultId.Split("/")
$keyVaultName = $keyVaultIdParts[$keyVaultIdParts.Length - 1]
$keyVaultResourceGroupName = $keyVaultIdParts[$keyVaultIdParts.Length - 5]
Set-AzureRmKeyVaultAccessPolicy -ResourceGroupName $keyVaultResourceGroupName -VaultName $keyVaultName -UserPrincipalName $azureUserPrincipalName -PermissionsToSecrets get
$secret = Get-AzureKeyVaultSecret -VaultName $keyVaultName -Name $keyVaultSecretName
$pfxCertObject=New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @([Convert]::FromBase64String($secret.SecretValueText),"", [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
$pfxPassword = -join ((65..90) + (97..122) + (48..57) | Get-Random -Count 50 | % {[char]$_})
$currentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
[Environment]::CurrentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
[io.file]::WriteAllBytes(".\appservicecertificate.pfx", $pfxCertObject.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $pfxPassword))
Write-Host "Created an App Service Certificate copy at: $currentDirectory\appservicecertificate.pfx"
Write-Warning "For security reasons, do not store the PFX password. Use it directly from the console as required."
Write-Host "PFX password: $pfxPassword"
Powershell –ExecutionPolicy Bypass
.\copyasc.ps1
You can create a local PFX copy of Azure App Service Certificate using PowerShell.
Provide appropriate values from the following variables and save the script as copyasc.ps1
.
Variables:
$appServiceCertificateName = "ascdemo"
$resourceGroupName = "ascdemorg"
$azureLoginEmailId = "user@microsoft.com"
$subscriptionId = "fb2c25dc-6bab-45c4-8cc9-cece7c42a95a"
copyasc.ps1:
$appServiceCertificateName = ""
$resourceGroupName = ""
$azureLoginEmailId = ""
$subscriptionId = ""
Login-AzureRmAccount
Set-AzureRmContext -SubscriptionId $subscriptionId
$ascResource = Get-AzureRmResource -ResourceName $appServiceCertificateName -ResourceGroupName $resourceGroupName -ResourceType "Microsoft.CertificateRegistration/certificateOrders" -ApiVersion "2015-08-01"
$keyVaultId = ""
$keyVaultSecretName = ""
$certificateProperties=Get-Member -InputObject $ascResource.Properties.certificates[0] -MemberType NoteProperty
$certificateName = $certificateProperties[0].Name
$keyVaultId = $ascResource.Properties.certificates[0].$certificateName.KeyVaultId
$keyVaultSecretName = $ascResource.Properties.certificates[0].$certificateName.KeyVaultSecretName
$keyVaultIdParts = $keyVaultId.Split("/")
$keyVaultName = $keyVaultIdParts[$keyVaultIdParts.Length - 1]
$keyVaultResourceGroupName = $keyVaultIdParts[$keyVaultIdParts.Length - 5]
Set-AzureRmKeyVaultAccessPolicy -ResourceGroupName $keyVaultResourceGroupName -VaultName $keyVaultName -UserPrincipalName $azureLoginEmailId -PermissionsToSecrets get
$secret = Get-AzureKeyVaultSecret -VaultName $keyVaultName -Name $keyVaultSecretName
$pfxCertObject=New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @([Convert]::FromBase64String($secret.SecretValueText),"", [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
$pfxPassword = -join ((65..90) + (97..122) + (48..57) | Get-Random -Count 50 | % {[char]$_})
$currentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
[Environment]::CurrentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
[io.file]::WriteAllBytes(".\appservicecertificate.pfx", $pfxCertObject.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $pfxPassword))
Write-Host "Created an App Service Certificate copy at: $currentDirectory\appservicecertificate.pfx"
Write-Warning "For security reasons, do not store the PFX password. Use it directly from the console as required."
Write-Host "PFX password: $pfxPassword"
Type the following commands in PowerShell console to execute the script:
Powershell –ExecutionPolicy Bypass
.\copyasc.ps1
You can find more details on Azure App Service Team Blog Creating a local PFX copy of App Service Certificate
If you have an App Service Certificate that you would like to use outside of Azure App Service ecosystem, then give this a try and let us know how it goes. If you run into any issues, please let us know on the Stackoverflow or on the Azure App Service forum.
Some docs are outdated, so here is a version of how to export it with PowerShell and Azure CLI on Mac + convert to PEM format for Nginx. Sharing just because it was painful for me, so hopefully it will be useful to someone:
pwsh
az keyvault secret show --vault-name KeyVaultName --name SecretName | tail -n 1 | cut -d ' ' -f 3 | pbcopy
echo $(pbpaste) > /tmp/pass
$secret=$(cat /tmp/pass)
$pfxCertObject= New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @([Convert]::FromBase64String($secret),"",[System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
$pfxPassword = -join ((65..90) + (97..122) + (48..57) | Get-Random -Count 50 | % {[char]$_})
$currentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
[Environment]::CurrentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
[io.file]::WriteAllBytes("./appservicecertificate.pfx",$pfxCertObject.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12,$pfxPassword))
openssl pkcs12 -in appservicecertificate.pfx -out /tmp/certificate.pem -clcerts -nokeys -password pass:$(echo $pfxPassword)
openssl pkcs12 -in appservicecertificate.pfx -out /tmp/certificate.key_protected -nocerts -password pass:$(echo $pfxPassword)
openssl rsa -in /tmp/certificate.key_protected -out /tmp/certificate.key -passin pass:$(echo $pfxPassword)
The last three lines are taken from here and the middle part is a stripped-down version from the main guide