Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

[BUG] KeyVault certificate download fails using latest SDK

See original GitHub issue

Describe the bug I’m trying to download a PFX certificate, including the private key, from KeyVault using the new DownloadCertificateAsync method from the 4.2.0 version of the Azure.Security.KeyVault.Certificates package.

I’ve ensured the calling code has read access to both the certificate and the secrets in KeyVault. Unfortunately calling this method to obtain an X509Certificate2 fails with a WindowsCryptographicException.

I’ve done everything I can think of to confirm this isn’t an obvious error on my part, but since the API is new, maybe there are still some bugs or edge cases.

Expected behavior The file is downloaded as an X509Certificate, including the private key.

Actual behavior (include Exception or Stack Trace) An exception is thrown:

Result: Failure Exception: System.AggregateException: One or more errors occurred.
(The system cannot find the file specified.) ---> Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: 
The system cannot find the file specified. at Internal.Cryptography.Pal.CertificatePal.FilterPFXStore(ReadOnlySpan`1 rawData, SafePasswordHandle password, PfxCertStoreFlags pfxCertStoreFlags) at 
Internal.Cryptography.Pal.CertificatePal.FromBlobOrFile(ReadOnlySpan`1 rawData, String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags) at 
System.Security.Cryptography.X509Certificates.X509Certificate..ctor(ReadOnlySpan`1 data) at 
System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(Byte[] rawData) at 
Azure.Security.KeyVault.Certificates.CertificateClient.DownloadCertificateAsync(String certificateName, String version, 
CancellationToken cancellationToken)

To Reproduce

Store a certificate with an exportable key in KeyVault
Configure permissions for GET for both certificates and secrets
Attempt to download the certificate with var certificate = await certificateClient.DownloadCertificateAsync("mycert");

Environment:

Azure.Security.KeyVault.Certificates 4.2.0
.NET 5.0
Azure Functions running in Azure on private App Service Plan.

Issue Analytics

State:
Created 2 years ago
Comments:10 (6 by maintainers)

Top GitHub Comments

1reaction

juna-guptacommented, Aug 7, 2021

@heaths I think X509KeyStorageFlags should be set to EphemeralKeySet | MachineKeySet in the SDK as these certificates are not persisted on disk.

Identity.Web library does that :

LoadFromKeyVault Setting default flags

0reactions

BrianVallelungacommented, Sep 15, 2021

@heaths Thanks for the update.

Top Results From Across the Web

Unable to download certificate from the azure key vault ...

Using CertificateClient, I want to download a certificate imported in Azure key vault "Certificates" section. Microsoft Azure Collective. c# ...

failed to download certificate from key vault using keyvault ...

failed to download certificate from key vault using keyvault vm extension on windows VM below is log on azure vm under folder.

Azure Key Vault Certificate client library for .NET

GetCertificate retrieves the latest version of a certificate stored in the Azure Key Vault along with its CertificatePolicy . C# Copy.

Release Notes - Key Vault

The release notes cover changes in this new release, how to download the Oracle Key Vault software and documentation, known issues, considerations, ...

azure-keyvault-certificates 4.7.0

get_certificate retrieves the latest version of a certificate previously stored in the Key Vault. from azure.identity import DefaultAzureCredential from azure.