
[BUG] Cannot import certificate to Keyvault with customized policy


Describe the bug
I am trying to import a certificate to Key Vault with a customized policy. The certificate is self-signed with method CertificateRequest.CreateSelfSigned, and the key policy I need here is exportable = false.

Expected behavior
The certificate should be successfully imported and Key Vault should respond with 201.

Actual behavior (include Exception or Stack Trace)
The certificate was not imported successfully. Key Vault replies 400 with

{"error":{"code":"BadParameter","message":"Property policy has invalid value\r\n"}}

To Reproduce

// Prepare a certificate request. Values in <> are masked by the reporter.
using var certificateKey = RSA.Create(2048);
var certificateRequest = new CertificateRequest(<subject>, certificateKey, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
// https://openvpn.net/community-resources/how-to/#setting-up-your-own-certificate-authority-ca-and-generating-certificates-and-keys-for-an-openvpn-server-and-multiple-clients
certificateRequest.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, true, 0, true));
certificateRequest.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, true));

// Sign the certificate.
using var certificate = certificateRequest.CreateSelfSigned(
    DateTimeOffset.UtcNow,
    DateTimeOffset.UtcNow.AddYears(1)
);

// Export the certificate (PFX, includes the private key).
var pfx = certificate.Export(X509ContentType.Pfx);
using (Stream file = File.OpenWrite(@"<path>"))
{
    file.Write(pfx, 0, pfx.Length);
}

// Upload the certificate with a custom policy.
var certificateOptions = new ImportCertificateOptions(<cert-name>, certificate.Export(X509ContentType.Pkcs12));
certificateOptions.Policy = new CertificatePolicy(WellKnownIssuerNames.Self, <subject>);
certificateOptions.Policy.KeySize = 2048;
certificateOptions.Policy.KeyType = CertificateKeyType.Rsa;
certificateOptions.Policy.Exportable = false;
certificateOptions.Policy.ReuseKey = false;
var certificateWithPolicy = _certificateClient.ImportCertificate(certificateOptions).Value;

Note that:

  1. Some values are masked with “<>” just to protect data that might be confidential.
  2. I export the same certificate as a file and import it using the az CLI command az keyvault certificate import --name --vault-name --file --policy with the following policy:
{
    "issuerParameters": {
        "certificateTransparency": null,
        "certificateType": null,
        "name": "Self"
    },
    "keyProperties": {
        "curve": null,
        "exportable": false,
        "keySize": 2048,
        "keyType": "RSA",
        "reuseKey": false
    }
}

and it works as expected. So I suspect it is a bug, but maybe I did something wrong with the .NET SDK.

Environment:

  • Azure.Security.KeyVault.Certificates 4.0.2
  • dotnet 3.1.102
  • az cli 2.1.0

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 12 (6 by maintainers)

Top GitHub Comments

xiaoyang-connyun commented, May 1, 2020

Do you need to create it via the SDK (e.g. need to repeat the process), or can you use the az CLI till we can get a fix into the upcoming preview?

Currently, the target environment is Azure Function and the process is triggered on demand, so I need the SDK. For an intermediate solution, I can use the az CLI; this is acceptable as long as I do not need to wait for the fix for too long. I see the milestone is set to June, I think this is fine for me.

xiaoyang-connyun commented, Jun 26, 2020

@xiaoyang-connyun thanks for confirming this works for you.

We are working with the service team to determine what the correct behavior for these options should be. The SDK was operating under the assumption that ContentType could be inferred based on the certificate content. However, the policy seems to expect a ContentType to always be set as it will not be inferred from the certificate content.

In addition, the July release of Azure.Security.KeyVault.Certificates will include a fix (linked to this issue) which prevented the ReuseKey and Exportable policy options from being serialized into the ImportCertificate request if specified in isolation.

I’m going to close this Issue since you now have a workable solution but we will loop back to link any changes to docs or samples addressing the behavior of certificate policy properties to this issue.

Thanks, I appreciate that.
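The following is an added example, not code from the issue or from the Azure SDK. It repeats the reporter's import but sets the policy's ContentType explicitly, which is the assumption drawn from the maintainer's comment that the service does not infer it from the uploaded bytes; the vault URI, subject and certificate name are placeholders, and the final GetCertificatePolicy call checks what the service actually stored rather than trusting the request.

```csharp
// Added example (not from the issue or the Azure SDK). Assumes the
// Azure.Security.KeyVault.Certificates and Azure.Identity packages.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Azure.Identity;
using Azure.Security.KeyVault.Certificates;

static class ImportWithExplicitPolicy
{
    // Placeholders: replace with your own values.
    const string VaultUri = "https://<vault-name>.vault.azure.net/";
    const string Subject = "CN=<subject>";
    const string CertName = "<cert-name>";

    static void Main()
    {
        // Same kind of self-signed CA certificate the issue describes.
        using var key = RSA.Create(2048);
        var request = new CertificateRequest(Subject, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        request.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, true, 0, true));
        request.CertificateExtensions.Add(new X509KeyUsageExtension(
            X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, true));
        using var certificate = request.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddYears(1));

        // The PKCS#12 blob carries the private key; it is sent to Key Vault over TLS and
        // should not be written to disk if the goal is a non-exportable key.
        byte[] pkcs12 = certificate.Export(X509ContentType.Pkcs12);

        var client = new CertificateClient(new Uri(VaultUri), new DefaultAzureCredential());
        var options = new ImportCertificateOptions(CertName, pkcs12)
        {
            Policy = new CertificatePolicy(WellKnownIssuerNames.Self, Subject)
            {
                // Assumed workaround: state the content type instead of relying on inference.
                ContentType = CertificateContentType.Pkcs12,
                KeyType = CertificateKeyType.Rsa,
                KeySize = 2048,
                Exportable = false, // private key must stay inside Key Vault
                ReuseKey = false,
            },
        };

        KeyVaultCertificateWithPolicy imported = client.ImportCertificate(options).Value;

        // Read back the stored policy: confirm exportable=false was applied, not silently dropped.
        CertificatePolicy stored = client.GetCertificatePolicy(CertName).Value;
        Console.WriteLine($"Imported {imported.Name}: exportable={stored.Exportable}, contentType={stored.ContentType}");
    }
}
```

The read-back matters on 4.0.2 because, per the maintainer's comment, Exportable and ReuseKey could be dropped from the request when specified in isolation until the July release.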
