
I'm looking for a way to install a PFX certificate into my azure scaleset and mark the private key as exportable.

Currently the certificate is installed on the cluster via the ARM template:

    {
        "certificateUrl": "https://xxx.vault.azure.net/secrets/xxx/111111",
        "certificateStore": "My"
    }

But the private key, which I need for local decryption, is not exportable. I'm using Bouncy Castle to create an AsymmetricCipherKeyPair: DotNetUtilities.GetRsaKeyPair(privateKey) (which now throws an exception: Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: at System.Security.Cryptography.CngKey.Export (System.Security.Cryptography.Cng, Version=4.3.1.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a)).

I read here that the policy should define that the key is exportable. But it is not possible to change the policy once the key is uploaded into the key vault, and it is also not possible to set it when you import the certificate.

micahmckittrick
Thieme

1 Answer

Which type of key are you using?

Please note that exportable is only allowed with RSA; it is not supported by RSA-HSM.

The policy should indicate that the key is exportable when you create the certificate.

If you generate the certificate with Azure Key Vault, you can configure the policy during the creation.

If you import the existing certificate to key vault, you need to specify the policy that the key is exportable when you create the certificate.

Tony Ju
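One way to express the policy the answer describes, as an added example that is not part of the question or answer: it builds the policy JSON that `az keyvault certificate import --policy @policy.json` accepts (field names follow what `az keyvault certificate get-default-policy` prints) and checks it against the constraint the answer states, that an exportable key must be RSA and not RSA-HSM. The issuer name "Unknown" for a CA-issued certificate, the key size and the file path are assumptions.

```python
"""Build and sanity-check a Key Vault certificate policy for importing a
CA-issued PFX whose private key must stay exportable.

Added example (not from the question or answer). Field names follow the
JSON printed by `az keyvault certificate get-default-policy` and consumed
by `az keyvault certificate import --policy @policy.json` (assumed).
"""
import json

# Per the answer: only RSA keys may be marked exportable, RSA-HSM may not.
EXPORTABLE_KEY_TYPES = {"RSA"}


def import_policy(key_type="RSA", key_size=2048, exportable=True):
    """Return a policy dict for importing an existing PFX.

    Issuer 'Unknown' is the Key Vault name for a non-integrated CA (assumed).
    """
    return {
        "issuerParameters": {"name": "Unknown"},
        "keyProperties": {
            "exportable": exportable,
            "keyType": key_type,
            "keySize": key_size,
            "reuseKey": False,
        },
        "secretProperties": {"contentType": "application/x-pkcs12"},
    }


def policy_problems(policy):
    """List reasons this policy will not yield an exportable PFX private key."""
    problems = []
    key_props = policy.get("keyProperties", {})
    if not key_props.get("exportable", False):
        problems.append("keyProperties.exportable must be true")
    if key_props.get("keyType") not in EXPORTABLE_KEY_TYPES:
        problems.append(f"key type {key_props.get('keyType')!r} does not support export")
    if policy.get("secretProperties", {}).get("contentType") != "application/x-pkcs12":
        problems.append("secret contentType must be application/x-pkcs12 for a PFX")
    return problems


def write_policy(path, policy):
    """Write the policy file to pass as --policy @<path> (path is an assumption)."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(policy, fh, indent=2)


if __name__ == "__main__":
    print("RSA policy problems:", policy_problems(import_policy()))  # []
    print("RSA-HSM policy problems:", policy_problems(import_policy(key_type="RSA-HSM")))
```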
  • Thanks! I'm using RSA, and I'm importing a certificate that is created by a CA. If I import the certificate manually on the server, I can mark the private key as exportable. But I cannot find a way to do that through the key vault. – Thieme Oct 11 '19 at 07:35