Export Azure SSL certificate as pfx file

后端 未结 3 520
夕颜
夕颜 2021-01-05 02:02

I purchased a wild card certificate from azure. It sits right now in the Key Vault. I need to upload it to our other server which hosts one of our other applications for the

相关标签:
3条回答
  • 2021-01-05 02:42

    I've found @dmitry-kazakov's answer to be helpful, but had to perform some minor updates to get it to work for me.

    First I had to execute this command and assign it to $azureUserPrincipalName:

    PS Azure:\> Get-Azureaduser
    
    ObjectId                             DisplayName UserPrincipalName                                             UserType
    --------                             ----------- -----------------                                             --------
    89500455-0019-4059-8ef8-f1w32993z520 A User rmoore_roundlabinc.com#EXT#@rmooreroundlabinc.onmicrosoft.com Member
    

    Then here is the updated script:

    $appServiceCertificateName = "ascdemo" #This is the "Subject Name" in Azure, not "Name"
    $resourceGroupName = "ascdemorg"
    $azureLoginEmailId = "user@microsoft.com"
    $subscriptionId = "fb2c25dc-6bab-45c4-8cc9-cece7c42a95a"
    $azureUserPrincipalName = "user@microsoft.com#EXT#@user@microsoft.com.onmicrosoft.com"
    
    Login-AzureRmAccount
    Set-AzureRmContext -SubscriptionId $subscriptionId
    
    $ascResource= Get-AzureRmResource -ResourceName $appServiceCertificateName -ResourceGroupName $resourceGroupName -ResourceType "Microsoft.CertificateRegistration/certificateOrders" -ApiVersion "2019-05-01"
    $keyVaultId = ""
    $keyVaultSecretName = ""
    
    $certificateProperties=Get-Member -InputObject $ascResource.Properties.certificates[0] -MemberType NoteProperty
    $certificateName = $certificateProperties[0].Name
    $keyVaultId = $ascResource.Properties.certificates[0].$certificateName.KeyVaultId
    $keyVaultSecretName = $ascResource.Properties.certificates[0].$certificateName.KeyVaultSecretName
    
    $keyVaultIdParts = $keyVaultId.Split("/")
    $keyVaultName = $keyVaultIdParts[$keyVaultIdParts.Length - 1]
    $keyVaultResourceGroupName = $keyVaultIdParts[$keyVaultIdParts.Length - 5]
    Set-AzureRmKeyVaultAccessPolicy -ResourceGroupName $keyVaultResourceGroupName -VaultName $keyVaultName -UserPrincipalName $azureUserPrincipalName -PermissionsToSecrets get
    $secret = Get-AzureKeyVaultSecret -VaultName $keyVaultName -Name $keyVaultSecretName
    $pfxCertObject=New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @([Convert]::FromBase64String($secret.SecretValueText),"", [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
    $pfxPassword = -join ((65..90) + (97..122) + (48..57) | Get-Random -Count 50 | % {[char]$_})
    $currentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
    [Environment]::CurrentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
    [io.file]::WriteAllBytes(".\appservicecertificate.pfx", $pfxCertObject.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $pfxPassword))
    Write-Host "Created an App Service Certificate copy at: $currentDirectory\appservicecertificate.pfx"
    Write-Warning "For security reasons, do not store the PFX password. Use it directly from the console as required."
    Write-Host "PFX password: $pfxPassword"
    
    Powershell –ExecutionPolicy Bypass
    .\copyasc.ps1
    
    0 讨论(0)
  • 2021-01-05 02:44

    You can create a local PFX copy of Azure App Service Certificate using PowerShell.

    Provide appropriate values from the following variables and save the script as copyasc.ps1.

    Variables:

    $appServiceCertificateName = "ascdemo"
    $resourceGroupName = "ascdemorg"
    $azureLoginEmailId = "user@microsoft.com"
    $subscriptionId = "fb2c25dc-6bab-45c4-8cc9-cece7c42a95a"
    

    copyasc.ps1:

    $appServiceCertificateName = ""
    $resourceGroupName = ""
    $azureLoginEmailId = ""
    $subscriptionId = ""
    
    Login-AzureRmAccount
    Set-AzureRmContext -SubscriptionId $subscriptionId
    
    $ascResource = Get-AzureRmResource -ResourceName $appServiceCertificateName -ResourceGroupName $resourceGroupName -ResourceType "Microsoft.CertificateRegistration/certificateOrders" -ApiVersion "2015-08-01"
    $keyVaultId = ""
    $keyVaultSecretName = ""
    
    $certificateProperties=Get-Member -InputObject $ascResource.Properties.certificates[0] -MemberType NoteProperty
    $certificateName = $certificateProperties[0].Name
    $keyVaultId = $ascResource.Properties.certificates[0].$certificateName.KeyVaultId
    $keyVaultSecretName = $ascResource.Properties.certificates[0].$certificateName.KeyVaultSecretName
    
    $keyVaultIdParts = $keyVaultId.Split("/")
    $keyVaultName = $keyVaultIdParts[$keyVaultIdParts.Length - 1]
    $keyVaultResourceGroupName = $keyVaultIdParts[$keyVaultIdParts.Length - 5]
    Set-AzureRmKeyVaultAccessPolicy -ResourceGroupName $keyVaultResourceGroupName -VaultName $keyVaultName -UserPrincipalName $azureLoginEmailId -PermissionsToSecrets get
    $secret = Get-AzureKeyVaultSecret -VaultName $keyVaultName -Name $keyVaultSecretName
    $pfxCertObject=New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @([Convert]::FromBase64String($secret.SecretValueText),"", [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
    $pfxPassword = -join ((65..90) + (97..122) + (48..57) | Get-Random -Count 50 | % {[char]$_})
    $currentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
    [Environment]::CurrentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
    [io.file]::WriteAllBytes(".\appservicecertificate.pfx", $pfxCertObject.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $pfxPassword))
    Write-Host "Created an App Service Certificate copy at: $currentDirectory\appservicecertificate.pfx"
    Write-Warning "For security reasons, do not store the PFX password. Use it directly from the console as required."
    Write-Host "PFX password: $pfxPassword"
    

    Type the following commands in PowerShell console to execute the script:

    Powershell –ExecutionPolicy Bypass
    .\copyasc.ps1
    

    You can find more details on Azure App Service Team Blog Creating a local PFX copy of App Service Certificate

    If you have an App Service Certificate that you would like to use outside of Azure App Service ecosystem, then give this a try and let us know how it goes. If you run into any issues, please let us know on the Stackoverflow or on the Azure App Service forum.

    0 讨论(0)
  • 2021-01-05 02:58

    Some docs are outdated, so here is a version of how to export it with PowerShell and Azure CLI on Mac + convert to PEM format for Nginx. Sharing just because it was painful for me, so hopefully it will be useful to someone:

    pwsh
    az keyvault secret show --vault-name KeyVaultName --name SecretName | tail -n 1 | cut -d ' ' -f 3 | pbcopy
    echo $(pbpaste) > /tmp/pass
    $secret=$(cat /tmp/pass)
    $pfxCertObject= New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @([Convert]::FromBase64String($secret),"",[System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
    $pfxPassword = -join ((65..90) + (97..122) + (48..57) | Get-Random -Count 50 | % {[char]$_})
    $currentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
    [Environment]::CurrentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
    [io.file]::WriteAllBytes("./appservicecertificate.pfx",$pfxCertObject.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12,$pfxPassword))
    openssl pkcs12 -in appservicecertificate.pfx -out /tmp/certificate.pem -clcerts -nokeys -password pass:$(echo $pfxPassword)
    openssl pkcs12 -in appservicecertificate.pfx -out /tmp/certificate.key_protected -nocerts -password pass:$(echo $pfxPassword)
    openssl rsa -in /tmp/certificate.key_protected -out /tmp/certificate.key -passin pass:$(echo $pfxPassword)
    

    The last three lines are taken from here and the middle part is a stripped-down version from the main guide

    0 讨论(0)
提交回复
热议问题