[Azure/azure-sdk-for-java]: import certificate to keyvault by CertificateClient failed

Query/Question: trying to use Key Vault to upload a customized certificate (cert.pem) failed.

Setup (please complete the following information if applicable):

  • OS: win10
  • IDE: IntelliJ
  • Library/Libraries: com.azure:azure-security-keyvault-certificates:4.4.1

Information Checklist error:

Exception in thread "main" com.azure.core.exception.HttpResponseException: Status code 400, "{"error":{"code":"BadParameter","message":"No certificate with private key found in the specified X.509 certificate content. Please specify X.509 certificate content with only one certificate containing private key."}}"
	at com.azure.core.implementation.http.rest.RestProxyBase.instantiateUnexpectedException(RestProxyBase.java:348)
	at com.azure.core.implementation.http.rest.SyncRestProxy.ensureExpectedStatus(SyncRestProxy.java:126)
	at com.azure.core.implementation.http.rest.SyncRestProxy.handleRestReturnType(SyncRestProxy.java:209)
	at com.azure.core.implementation.http.rest.SyncRestProxy.invoke(SyncRestProxy.java:79)
	at com.azure.core.implementation.http.rest.RestProxyBase.invoke(RestProxyBase.java:94)
	at com.azure.core.http.rest.RestProxy.invoke(RestProxy.java:95)
	at com.sun.proxy.$Proxy3.importCertificate(Unknown Source)
	at com.azure.security.keyvault.certificates.implementation.CertificateClientImpl.importCertificateWithResponse(CertificateClientImpl.java:1869)
	at com.azure.security.keyvault.certificates.CertificateClient.importCertificateWithResponse(CertificateClient.java:1569)
	at com.azure.security.keyvault.certificates.CertificateClient.importCertificate(CertificateClient.java:1539)
	at org.hhu.key.vault.demo.App.main(App.java:48)

pom.xml:

<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>com.azure</groupId>
            <artifactId>azure-sdk-bom</artifactId>
            <version>1.2.7</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
    </dependencies>
</dependencyManagement>
<dependencies>
    <dependency>
        <groupId>com.azure</groupId>
        <artifactId>azure-security-keyvault-certificates</artifactId>
    </dependency>
    <dependency>
        <groupId>com.azure</groupId>
        <artifactId>azure-identity</artifactId>
    </dependency>
</dependencies>

customized certificate:

openssl req -newkey rsa:2048 -x509 -keyout key.pem -out cert.pem -days 365

code:

ClientSecretCredential clientSecretCredential = new ClientSecretCredentialBuilder()
        .authorityHost(authorityHost)
        .tenantId(tenantId)
        .clientId(clientId)
        .clientSecret(clientSecret)
        .build();

CertificateClient certificateClient = new CertificateClientBuilder()
        .credential(clientSecretCredential)
        .vaultUrl(url)
        .buildClient();

CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
Certificate certificate = certificateFactory.generateCertificate(Files.newInputStream(Paths.get("C:/chen/tmp/cert.pem")));
byte[] bytes = certificate.getEncoded();

ImportCertificateOptions importCertificateOptions = new ImportCertificateOptions("cert-test", bytes);
importCertificateOptions.setEnabled(true);
importCertificateOptions.setPassword("1234");

// ERROR
KeyVaultCertificateWithPolicy keyVaultCertificateWithPolicy = certificateClient.importCertificate(importCertificateOptions);
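
The error above says the uploaded bytes contain no private key: `certificate.getEncoded()` returns only the DER-encoded certificate. The script below is an added example, not part of the original issue or the Azure SDK; it uses a constructed throwaway key pair, a constructed password and hypothetical file names to show that the certificate-only bytes yield zero private keys while a PKCS#12 bundle built from key.pem and cert.pem yields exactly one.

```shell
#!/bin/sh
# Added example: constructed throwaway key pair, hypothetical file names.

# Bundle a PEM key and its certificate into one PKCS#12 file.
# $1 = key PEM, $2 = cert PEM, $3 = output .pfx, $4 = bundle password
make_pfx() {
    PFX_PASS="$4" openssl pkcs12 -export -inkey "$1" -in "$2" \
        -out "$3" -passout env:PFX_PASS
}

# Print how many private keys a file yields when read as PKCS#12.
# Anything that is not a readable PKCS#12 bundle prints 0.
# $1 = file, $2 = bundle password
pfx_key_count() {
    PFX_PASS="$2" openssl pkcs12 -in "$1" -passin env:PFX_PASS \
        -nocerts -nodes 2>/dev/null |
        grep -c -- '-----BEGIN.*PRIVATE KEY-----' || true
}

# Compare the payload the Java code uploads with a PKCS#12 bundle.
demo() {
    d=$(mktemp -d) || return 1      # mktemp -d creates a 0700 directory
    pass='example-pass'             # constructed demo password
    # Same command as in the issue, plus -nodes/-subj so it runs unattended.
    openssl req -newkey rsa:2048 -x509 -nodes -subj "/CN=cert-test" \
        -keyout "$d/key.pem" -out "$d/cert.pem" -days 1 2>/dev/null &&
    # Equivalent of certificate.getEncoded(): DER of the certificate alone.
    openssl x509 -in "$d/cert.pem" -outform DER -out "$d/cert.der" &&
    make_pfx "$d/key.pem" "$d/cert.pem" "$d/cert.pfx" "$pass" &&
    echo "der=$(pfx_key_count "$d/cert.der" "$pass")" \
         "pfx=$(pfx_key_count "$d/cert.pfx" "$pass")"
    rc=$?
    rm -rf "$d"                     # remove the throwaway key material
    return $rc
}

demo    # prints: der=0 pfx=1
```

A bundle that reports one key, read as raw bytes, is the kind of input `new ImportCertificateOptions("cert-test", bytes)` needs, with `setPassword` set to the bundle password.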

Issue Analytics

  • State: closed
  • Created 10 months ago
  • Comments: 6 (3 by maintainers)

Top GitHub Comments

1 reaction
joshfree commented, Nov 8, 2022

@vcolin7 could you please follow up with @CQ-Developer on this GitHub issue?

0 reactions
vcolin7 commented, Nov 30, 2022

Hi @CQ-Developer, sorry for not getting back to you earlier, I was out for most of last week. Your use of a SecretClient sounds like an adequate approach, as the Key Vault service itself stores the private key of a certificate it creates as a secret, which in turn cannot be retrieved with a CertificateClient.
