[BUG] Cannot import certificate to Keyvault with customized policy
Describe the bug
I am trying to import a certificate to Keyvault with a customized policy. The certificate is self-signed with the method CertificateRequest.CreateSelfSigned, and the key policy I need here is exportable = false.
Expected behavior
The certificate should be successfully imported and Keyvault should respond with 201.
Actual behavior (include Exception or Stack Trace)
The certificate was not imported successfully. Keyvault replies 400 with
{"error":{"code":"BadParameter","message":"Property policy has invalid value\r\n"}}
To Reproduce
// Namespaces the snippet needs (System.Security.Cryptography ships with .NET;
// Azure.Security.KeyVault.Certificates comes from the NuGet package of the same name).
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Azure.Security.KeyVault.Certificates;

// Prepare a certificate request. The RSA key is generated locally, outside Key Vault.
using var certificateKey = RSA.Create(2048);
var certificateRequest = new CertificateRequest(<subject>, certificateKey, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
// CA-style extensions (critical basic constraints with path length 0, key usage keyCertSign + cRLSign), following
// https://openvpn.net/community-resources/how-to/#setting-up-your-own-certificate-authority-ca-and-generating-certificates-and-keys-for-an-openvpn-server-and-multiple-clients
certificateRequest.CertificateExtensions.Add(new X509BasicConstraintsExtension(certificateAuthority: true, hasPathLengthConstraint: true, pathLengthConstraint: 0, critical: true));
certificateRequest.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, critical: true));
// Sign the certificate (self-signed, valid for one year from now).
using var certificate = certificateRequest.CreateSelfSigned(
    DateTimeOffset.UtcNow,
    DateTimeOffset.UtcNow.AddYears(1)
);
// Export the certificate together with its private key.
// No password is supplied, so the PFX written to disk is unencrypted.
var pfx = certificate.Export(X509ContentType.Pfx);
using (Stream file = File.OpenWrite(@"<path>"))
{
    file.Write(pfx, 0, pfx.Length);
}
// Upload the certificate. X509ContentType.Pkcs12 is the same enum value as Pfx,
// so the bytes exported above are reused instead of exporting a second time.
var certificateOptions = new ImportCertificateOptions(<cert-name>, pfx);
certificateOptions.Policy = new CertificatePolicy(WellKnownIssuerNames.Self, <subject>);
certificateOptions.Policy.KeySize = 2048;
certificateOptions.Policy.KeyType = CertificateKeyType.Rsa;
certificateOptions.Policy.Exportable = false;
certificateOptions.Policy.ReuseKey = false;
// _certificateClient is an already constructed CertificateClient for the target vault.
var certificateWithPolicy = _certificateClient.ImportCertificate(certificateOptions).Value;
Note that:
- Some values are masked with "<>" just to protect data that might be confidential.
- I export the same certificate as a file and import it using the az cli command az keyvault certificate import --name --vault-name --file --policy with the policy
{
  "issuerParameters": {
    "certificateTransparency": null,
    "certificateType": null,
    "name": "Self"
  },
  "keyProperties": {
    "curve": null,
    "exportable": false,
    "keySize": 2048,
    "keyType": "RSA",
    "reuseKey": false
  }
}
and it works as expected. So I suspect it is a bug, but maybe I did something wrong with the .NET SDK.
Environment:
- Azure.Security.KeyVault.Certificates 4.0.2
- dotnet 3.1.102
- az cli 2.1.0
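The report above compares a policy JSON that az cli accepts with an SDK call that is rejected, but it never shows what the SDK actually put on the wire. The quickest way to settle "SDK bug or my mistake" is to log the request body the .NET client sends and diff its "policy" object against the az cli policy file. The following is an added example for that purpose; it is neither the issue author's code nor part of the Azure SDK. It assumes the Azure.Identity package (for DefaultAzureCredential), a vault URL and certificate name given here as placeholders, and an identity that holds the certificates "import" permission on that vault. Two caveats a practitioner should keep in mind: content logging writes the PKCS#12 bytes, private key included, to the console, so run it only with a throwaway certificate; and because the RSA key is generated on the client, Exportable = false only stops future exports from Key Vault, it cannot retract the copy of the key that already exists on the machine that generated it.

```csharp
// Added example (not from the issue author or the Azure SDK): capture the exact
// JSON the .NET SDK sends as "policy" so it can be diffed against the az cli
// policy file (issuerParameters / keyProperties) that is known to work.
using System;
using System.Diagnostics.Tracing;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Azure;
using Azure.Core.Diagnostics;
using Azure.Identity;
using Azure.Security.KeyVault.Certificates;

class ImportPolicyDiagnostics
{
    static void Main()
    {
        // Assumptions: the vault URL and certificate name are placeholders.
        var vaultUri = new Uri("https://<vault-name>.vault.azure.net/");
        const string certificateName = "<cert-name>";
        const string subject = "CN=policy-diagnostics-test";

        // Throwaway key and self-signed certificate. The key is created here, outside
        // the vault, so Exportable = false below only governs exports from Key Vault;
        // it cannot undo the fact that a copy of the private key exists on this host.
        using var key = RSA.Create(2048);
        var request = new CertificateRequest(subject, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using var certificate = request.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(1));

        // Route Azure.Core pipeline events to the console at Verbose level, which is
        // where request/response bodies are emitted, and switch content logging on.
        // CAUTION: the logged request body contains the PKCS#12 blob with the private
        // key. Use a throwaway certificate and never enable this in production.
        using AzureEventSourceListener listener = AzureEventSourceListener.CreateConsoleLogger(EventLevel.Verbose);
        var clientOptions = new CertificateClientOptions();
        clientOptions.Diagnostics.IsLoggingContentEnabled = true;
        clientOptions.Diagnostics.LoggedContentSizeLimit = 64 * 1024; // large enough to show the whole policy object

        var client = new CertificateClient(vaultUri, new DefaultAzureCredential(), clientOptions);

        // Same policy the issue sets: self issuer, RSA 2048, non-exportable, no key reuse.
        var importOptions = new ImportCertificateOptions(certificateName, certificate.Export(X509ContentType.Pkcs12))
        {
            Policy = new CertificatePolicy(WellKnownIssuerNames.Self, subject)
            {
                KeyType = CertificateKeyType.Rsa,
                KeySize = 2048,
                Exportable = false,
                ReuseKey = false,
            },
        };

        try
        {
            KeyVaultCertificateWithPolicy imported = client.ImportCertificate(importOptions);
            // On success, confirm the vault actually stored the key as non-exportable.
            Console.WriteLine($"Imported '{imported.Name}', exportable = {imported.Policy.Exportable}");
        }
        catch (RequestFailedException ex)
        {
            // For the 400 in this issue, the "Request content" line logged above is the
            // JSON to compare field by field with the az cli policy file.
            Console.WriteLine($"Import failed: HTTP {ex.Status} {ex.ErrorCode}: {ex.Message}");
        }
    }
}
```

Run it once against a development vault and compare the logged policy object with the az cli JSON from the report; any field present in one and absent or differently named in the other is the first thing to take to the SDK issue thread. Turn content logging off again as soon as the comparison is done.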
Issue Analytics
- Created 3 years ago
- Comments: 12 (6 by maintainers)
Top GitHub Comments
Currently, the target environment is Azure Function and the process is triggered on demand, so I need the SDK. For an intermediate solution, I can use az cli; this is acceptable as long as I do not need to wait for the fix for too long. I see the milestone is set to June; I think this is fine for me.
Thanks, I appreciate that.