There are two basic scenarios:
- Import an issued certificate (in PEM or PFX format); see Tutorial: Import a certificate in Azure Key Vault
- Create a CSR (certificate request) in Azure Key Vault, send it to the issuer and merge the received certificate; see Create and merge a CSR in Key Vault
Both of them allow the certificate chain to be added to the key vault together with the certificate and later downloaded and extracted. Note that it is not possible to open or download the chain certificates separately from the key vault; instead, the certificate must be downloaded and the individual certificates extracted from the file.
For the import operation it is quite straightforward: both the Azure Portal and the Az CLI support PFX and PEM files containing the private key, the new certificate created by the issuer and the CA certificates.
Merging, however, has some small nuances.
The certificate content type can be set to either PKCS12 or PEM when the certificate is created in Azure Key Vault. As a result, the merged certificate is exported/downloaded:
- using PFX format for certificate created with PKCS12 content type
- using PEM format for certificate created with PEM content type
The format of the chain container for the merge operation, however, does not depend on that content type. It depends only on the method that is used to perform the merge:
The following command can be used to create a P7B file containing the chain:
openssl crl2pkcs7 -nocrl -certfile test.crt -out test.p7b -certfile inter.crt -certfile ca.crt
Extracting the chain from an imported certificate:
When a certificate is imported into Azure Key Vault, the same format is used to export/download that certificate.
Extracting the chain from a merged certificate:
The certificate should be downloaded from Azure Key Vault (as PFX or PEM, depending on the certificate content type). When a certificate that was merged together with its chain is downloaded as PEM, it already contains the whole chain in a format from which the individual certificates can be extracted easily.
When the certificate is downloaded as PFX, the following command converts it to a PEM file containing only the certificates (omitting the private key), from which the individual certificates can then be extracted:
openssl pkcs12 -in downloaded-cert.pfx -nokeys -nodes -out chain.pem
Then chain.pem can be opened in a text editor and the individual certificates copied into separate .crt files.
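The whole round trip, as an added example that is not part of the original article or of any Azure tooling: it builds a constructed three-level chain (the hypothetical files ca.crt, inter.crt, test.crt and test.key stand in for a real issuer's output), packages it with the article's crl2pkcs7 command to show what a merge-side P7B holds, then creates a PFX as a stand-in for a PKCS12 certificate downloaded from Key Vault, runs the article's pkcs12 conversion, and splits the resulting chain.pem into individual .crt files with awk instead of a text editor. The split keeps only the BEGIN/END blocks, so the Bag Attributes and subject/issuer lines that openssl pkcs12 writes between certificates are dropped, and the end-entity certificate is then located by matching its public key against the private key and verified against the other extracted certificates. The password "demo", the working directory and all names are assumptions of this example; only openssl and awk are required.

```shell
#!/bin/sh
# Added example (not the article's own code): constructed chain -> P7B for merge,
# PFX as a downloaded PKCS12 certificate -> chain.pem -> individual .crt files.
set -eu
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Minimal OpenSSL config so the demo does not depend on the system openssl.cnf.
write_config() {
  cat > demo.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
EOF
}

# Constructed test chain (hypothetical names): ca.crt (root) -> inter.crt -> test.crt.
make_test_chain() {
  write_config
  openssl req -x509 -config demo.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
    -days 2 -subj "/CN=Demo Root CA" -keyout ca.key -out ca.crt 2>/dev/null
  openssl req -config demo.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Intermediate CA" -keyout inter.key -out inter.csr 2>/dev/null
  openssl x509 -req -in inter.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 2 \
    -extfile demo.cnf -extensions ca_ext -out inter.crt 2>/dev/null
  openssl req -config demo.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=test.example" -keyout test.key -out test.csr 2>/dev/null
  openssl x509 -req -in test.csr -CA inter.crt -CAkey inter.key -CAcreateserial -days 2 \
    -extfile demo.cnf -extensions leaf_ext -out test.crt 2>/dev/null
}

# The article's merge-side container: a P7B holding leaf + intermediate + root.
# Prints how many certificates the bundle holds, to confirm the whole chain went in.
make_p7b() {
  openssl crl2pkcs7 -nocrl -certfile test.crt -certfile inter.crt -certfile ca.crt -out test.p7b
  openssl pkcs7 -in test.p7b -print_certs -noout | grep -c '^subject='
}

# Stand-in for a PKCS12 certificate downloaded from Key Vault (password "demo" is
# assumed), followed by the article's conversion to a certificates-only PEM.
make_pfx_and_convert() {
  cat inter.crt ca.crt > cachain.pem
  openssl pkcs12 -export -inkey test.key -in test.crt -certfile cachain.pem \
    -passout pass:demo -out downloaded-cert.pfx
  openssl pkcs12 -in downloaded-cert.pfx -nokeys -nodes -passin pass:demo -out chain.pem
}

# Split PEM bundle $1 into $2/cert-1.crt, $2/cert-2.crt, ... keeping only the
# BEGIN/END blocks (Bag Attributes and subject/issuer lines are dropped). Prints the count.
split_chain() {
  mkdir -p "$2"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%d.crt", dir, n) }
    f != "" { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }
    END { print n + 0 }' "$1"
}

# Find the end-entity certificate in $1: the one whose public key matches private key $2.
find_leaf() {
  want="$(openssl pkey -in "$2" -pubout)"
  for c in "$1"/cert-*.crt; do
    if [ "$(openssl x509 -in "$c" -noout -pubkey)" = "$want" ]; then
      echo "$c"; return 0
    fi
  done
  return 1
}

# Verify leaf $2 against the other files in $1: the self-signed certificate becomes
# the trust anchor, everything else is passed as an untrusted intermediate.
verify_chain() {
  : > "$1/root.pem"; : > "$1/untrusted.pem"
  for c in "$1"/cert-*.crt; do
    [ "$c" = "$2" ] && continue
    if [ "$(openssl x509 -in "$c" -noout -subject_hash)" = "$(openssl x509 -in "$c" -noout -issuer_hash)" ]; then
      cat "$c" >> "$1/root.pem"
    else
      cat "$c" >> "$1/untrusted.pem"
    fi
  done
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/untrusted.pem" "$2" >/dev/null
}

make_test_chain
echo "test.p7b holds $(make_p7b) certificates"
make_pfx_and_convert
echo "chain.pem split into $(split_chain chain.pem split) files"
leaf="$(find_leaf split test.key)"
verify_chain split "$leaf" && echo "extracted chain verifies, leaf is $leaf"
for c in split/cert-*.crt; do openssl x509 -in "$c" -noout -subject | sed "s|^|$c: |"; done
```

Because the real PFX is password protected, replace the assumed pass:demo with the password you set on download, or drop -passin to be prompted. The subject-hash check that picks the root is the same test a text-editor user makes by eye (subject equals issuer), and the public-key match is the reliable way to tell the end-entity certificate from its issuers when the order of certificates in chain.pem is not what you expected.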