
For our point-to-site VPN, we want to create a root certificate, so we can create as many client certificates as we want for all the partners that need to log in to our VPN (Azure virtual network).

Doing this manually works perfectly. We generate a self-signed certificate that acts as root CA. We are able to do this in PowerShell like this:

# Self-signed root certificate in the current user's personal store; it can sign other certificates (KeyUsage CertSign)
$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature -Subject "CN=Kratos Point To Site VPN Root Certificate Win10" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign

# Client certificate signed by the root above, with the Client Authentication EKU (1.3.6.1.5.5.7.3.2)
$clientCert = New-SelfSignedCertificate -Type Custom -KeySpec Signature -Subject "CN=Digicreate Point To Site VPN Client Certificate Win10" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My" -Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

However, we prefer to use the key vault for our certificate management. The idea is to create a certificate directly in the key vault by using this command: Add-AzureKeyVaultCertificate (with the private key not exportable).

Creating the root certificate works perfectly. But I am not able to find how I can sign a new certificate with the 'sign' operations in the key vault.

Do you have a sample on how to do this?

Identity

2 Answers

but I would like to create a client certificate based on this root certificate with azure key vault cmdlets. Is this possible?

Do you mean you want to download the certificate? If yes, we can use this script to download it:

Download the private certificate to your D:\cert:

# The secret behind a Key Vault certificate holds the PKCS#12 (certificate + private key), base64 encoded
$kvSecret = Get-AzureKeyVaultSecret -VaultName 'jasontest2' -Name 'TestCert01'
$kvSecretBytes = [System.Convert]::FromBase64String($kvSecret.SecretValueText)
$certCollection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$certCollection.Import($kvSecretBytes,$null,[System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
# Re-export as a password-protected PFX ('test' is the PFX password)
$protectedCertificateBytes = $certCollection.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, 'test')
$pfxPath = 'D:\cert\test.pfx'
[System.IO.File]::WriteAllBytes($pfxPath, $protectedCertificateBytes)

Download public certificate to your D:\cert:

# The certificate object exposes only the public part, so this writes a DER .cer without the private key
$cert = Get-AzureKeyVaultCertificate -VaultName 'jasontest2' -Name 'TestCert01'
$filePath ='D:\cert\TestCertificate.cer'
$certBytes = $cert.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($filePath, $certBytes)

Update:

The $certificateOperation.CertificateSigningRequest is the base64 encoded certificate signing request for the certificate.

Import-AzureKeyVaultCertificate -VaultName $vaultName -Name $certificateName -FilePath C:\test\OutputCertificateFile.cer

For more information please refer to this blog.

Update:

We should sign the CertificateSignRequest with the sign operation with your CA server.

Enterprise certificate:
If you are using an enterprise certificate solution, generate a client certificate with the common name value format 'name@yourdomain.com', rather than the 'domain name\username' format. Make sure the client certificate is based on the 'User' certificate template that has 'Client Authentication' as the first item in the use list, rather than Smart Card Logon, etc. You can check the certificate by double-clicking the client certificate and viewing Details > Enhanced Key Usage.

Jason Ye
  • I want to sign a newly created certificate with a custom root CA. I do not want to expose the private key of the CA outside the key vault. The idea is to sign the CertificateSignRequest with the sign operation in the key vault, using the private key of the root CA. However, I cannot find any examples on how to do this in PowerShell.... – Identity Aug 08 '17 at 10:06
  • @Identity I have updated my answer, please check it:) – Jason Ye Aug 09 '17 at 07:06
  • 2
    Do you have a sample on how to sign this CSR and update the client certificate to get it working? I have a Root CA for our Point to Site VPN. To create a client certificate, I need to sign the CSR with the sign operation in the key vault of the root CA. I am able to create my Root CA, but I can't find a sample on how to correctly sign this client certificate... – Identity Aug 09 '17 at 07:26
  • @Identity According to your description, I think, we can't create client certificate, because `key vault works like a storage to store certificates`, we can't sign the CertificateSignRequest with the sign operation in the key vault. – Jason Ye Aug 09 '17 at 09:08
  • @Identity Based on my knowledge, we should sign the CertificateSignRequest with the sign operation with your CA server. Please let me know if you would like further assistance:) – Jason Ye Aug 10 '17 at 02:15
  • 1
    I think so too, however, I can not find a sample on how to correctly sign a CSR with a self signed root ca... (I noticed that my question was not so clear, so I tried to explain it better in my initial post...) – Identity Aug 10 '17 at 13:05
  • @Identity Maybe we can copy the Certificate to other clients and install them, so we can use the certificate to connect your VPN. – Jason Ye Aug 11 '17 at 08:35

Refer to the "Create a certificate manually and get signed by a CA" section in https://blogs.technet.microsoft.com/kv/2016/09/26/get-started-with-azure-key-vault-certificates/
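The manual-issuer flow that both answers point at (Key Vault generates the key pair and a CSR, a CA outside Key Vault signs it, the signed certificate is merged back so the private key never leaves the vault), as an added PowerShell example that is not part of either answer or of the linked blog. It uses the AzureRM.KeyVault cmdlets named on this page; the vault name, certificate name, subject and file paths are placeholders, the signing step itself is done on your own CA (outside Key Vault, as the first answer concludes), and Test-P2SClientCertificate is a helper written here to check the Client Authentication EKU and the chain to your root before merging.

```powershell
# Added example, not code from the original post. Placeholders: vault, certificate name, subject, paths.
$vaultName = 'YOUR-VAULT-NAME'      # placeholder
$certName  = 'p2s-client-alice'     # placeholder
$rootCer   = 'C:\test\p2s-root.cer' # public part of your root CA, exported earlier (placeholder path)

# 1. Policy with IssuerName Unknown: Key Vault generates a non-exportable key and a CSR,
#    then leaves the operation pending until a signed certificate is merged back.
$policy = New-AzureKeyVaultCertificatePolicy -SecretContentType 'application/x-pkcs12' `
    -SubjectName 'CN=alice@example.com' -IssuerName Unknown -ValidityInMonths 12 `
    -Ekus '1.3.6.1.5.5.7.3.2' -KeyNotExportable
Add-AzureKeyVaultCertificate -VaultName $vaultName -Name $certName -CertificatePolicy $policy | Out-Null

# 2. Pull the pending operation; CertificateSigningRequest is the base64 CSR (PKCS#10).
$op  = Get-AzureKeyVaultCertificateOperation -VaultName $vaultName -Name $certName
$b64 = ($op.CertificateSigningRequest -replace '(.{64})', "`$1`n").TrimEnd()
$pem = "-----BEGIN CERTIFICATE REQUEST-----`n$b64`n-----END CERTIFICATE REQUEST-----"
Set-Content -Path 'C:\test\client.csr' -Value $pem

# 3. Sign C:\test\client.csr with your own CA (not Key Vault), e.g. on an AD CS issuing CA:
#    certreq -submit -config 'CAHOST\CANAME' C:\test\client.csr C:\test\client.cer
#    The CA must issue it with Client Authentication as the EKU and the CN format shown above.

# 4. Check the signed certificate before merging it: EKU carries Client Authentication
#    and the chain ends at *our* root (root supplied explicitly, so it need not be in the trust store).
function Test-P2SClientCertificate {
    param(
        [Parameter(Mandatory)][string]$CerPath,
        [Parameter(Mandatory)][string]$RootCerPath
    )
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
    $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($RootCerPath)

    # Enhanced Key Usage (2.5.29.37) must list Client Authentication (1.3.6.1.5.5.7.3.2)
    $eku = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $hasClientAuth = [bool]($eku -and
        ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' }))

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.ExtraStore.Add($root) | Out-Null
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    # Our root is self-signed and not necessarily in the machine trust store; allow that,
    # but still require the chain to be complete and to end at exactly our root.
    $chain.ChainPolicy.VerificationFlags =
        [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
    $built = $chain.Build($leaf)
    $last  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $issuedByOurRoot = $built -and ($last.Thumbprint -eq $root.Thumbprint)

    return ($hasClientAuth -and $issuedByOurRoot)
}

# 5. Merge the signed certificate into the pending Key Vault operation (same cmdlet as in the answer).
if (Test-P2SClientCertificate -CerPath 'C:\test\client.cer' -RootCerPath $rootCer) {
    Import-AzureKeyVaultCertificate -VaultName $vaultName -Name $certName -FilePath 'C:\test\client.cer'
} else {
    Write-Error 'Signed certificate failed EKU or chain check; not merging into Key Vault.'
}
```

After the merge the certificate in Key Vault is complete, its private key was never exported, and the VPN client can fetch the PFX the way the first answer shows (the PFX then contains a key that Key Vault marked non-exportable only in the vault's own policy, so treat the downloaded file as sensitive). The chain check deliberately compares the last chain element's thumbprint with your root rather than trusting the Build result alone, so a certificate signed by some other CA is rejected even when that CA happens to be trusted on the machine.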