3

I've a certificate (pfx) in my Azure KeyVault - I use that certificate as a secret (deployed via Azure DevOps using Helm). The problem I've encountered is that the certificate is somehow incorrectly read from KeyVault (I use a Variable Group) - the result is that when my application starts, I get an exception that looks like:

error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure

However, when I manually create a secret (by using powershell to read the certificate content as base64) everything works correctly. What am I doing incorrectly?

macpak

2 Answers

1

Currently, Azure Pipelines variable group integration supports mapping only secrets from the Azure key vault. Cryptographic keys and certificates are not supported. See here.

As a workaround, you can use the Azure Key Vault task in your azure devops pipeline.

Use this task to download secrets such as authentication keys, storage account keys, data encryption keys, .PFX files, and passwords from an Azure Key Vault instance.

If the value fetched from the vault is a certificate (for example, a PFX file), the task variable will contain the contents of the PFX in string format.

- task: AzureKeyVault@1
  inputs:
    azureSubscription: '<your-azure-service-connection>'   # placeholder: name of the Azure RM service connection
    keyVaultName: '<your-key-vault-name>'                  # placeholder: the vault to read from
    secretsFilter: '*'                                     # download every secret, or a comma-separated list of names

Before using this task, you should ensure the service principal you used in the Azure service connection has at least Get and List permissions on the vault.

This tutorial Using secrets from Azure Key Vault in a pipeline might also be helpful.

Levi Lu-MSFT
  • Hmm, interesting. I was actually able to fetch the certificate via a variable group, the only problem I have is that the content seems to be malformed. – macpak Jun 09 '20 at 14:16
  • Hi @macpak Did you have a try with the task AzureKeyVault? How did it go? – Levi Lu-MSFT Jun 15 '20 at 10:07
  • I've changed my approach a little bit - instead of keeping the certificate as a certificate in kv, I put it in as a secret and now everything works perfectly – macpak Jun 15 '20 at 10:57
0

I am no Kubernetes expert, but here goes :)

The error indicates the MAC (Message Authentication Code) is wrong, which means you might not have the correct password for the PFX file. What I would do is take the PFX file and see if you can decrypt it with openssl:

openssl pkcs12 -in certfile.pfx -out certfile.pem

You will be prompted for a pwd; if it doesn't work, then you do have the wrong pwd.

I hope that helps. Let me know if you need more help.

  • As I mentioned, the pwd seems to be correct, because when I upload the certificate (as a k8s secret) manually (without changing the password secret), everything works – macpak Jun 09 '20 at 05:58
  • no, but it's very weird. I upload a cert to Azure KeyVault (I need to provide a password). Then I download the same cert, try openssl, provide exactly the same pwd, and get: Mac verify error: invalid password? – macpak Jun 09 '20 at 14:03
  • When you download certificates from Azure KeyVault, they have a blank password. – Erik A. Brandstadmoen Feb 15 '21 at 09:06
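The openssl check from the second answer, and the blank-password point from the last comment, can be reproduced end to end. The script below is an added example and is not code from the question or either answer; it builds a throwaway self-signed certificate (constructed sample data, not anyone's real PFX), exports it as PKCS#12 with and without a password, and runs the same MAC verification non-interactively. It also round-trips the PFX through base64, the form a Key Vault secret or pipeline variable carries, once intact and once truncated, to show that a "malformed" string can still decode to bytes that then fail the PKCS#12 parse. Function names (`make_pfx`, `pfx_opens_with`, `mac_status`, `pfx_to_b64`, `pfx_from_b64`) and the sample password are assumptions of this example; it needs `openssl` and a coreutils-style `base64` on the PATH.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the PKCS#12 MAC check
# with openssl against a PFX constructed here, covering the correct password,
# a wrong password, a blank password (what a PFX downloaded from Key Vault
# carries), and a base64 round trip as stored in a Key Vault secret.
set -e
workdir="$(mktemp -d)"
echo "work dir (left in place for inspection): $workdir"

# make_pfx OUTFILE PASSWORD: generate a self-signed test certificate and key
# (constructed sample data) and export them as PKCS#12 protected by PASSWORD.
# An empty PASSWORD produces a PFX with a blank password.
make_pfx() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=pfx-mac-demo" \
    -keyout "$workdir/key.pem" -out "$workdir/cert.pem" >/dev/null 2>&1
  openssl pkcs12 -export -inkey "$workdir/key.pem" -in "$workdir/cert.pem" \
    -out "$1" -passout "pass:$2" >/dev/null 2>&1
}

# pfx_opens_with FILE PASSWORD: succeed (exit 0) only if FILE parses as
# PKCS#12 and its MAC verifies with PASSWORD. This is the same check as
# `openssl pkcs12 -in certfile.pfx -out certfile.pem`, made non-interactive;
# a wrong password is what produces "mac verify failure" in the question.
pfx_opens_with() {
  openssl pkcs12 -in "$1" -noout -passin "pass:$2" >/dev/null 2>&1
}

# mac_status FILE PASSWORD: print "ok" or "fail" instead of exiting, so the
# outcome can be compared under `set -e`.
mac_status() {
  if pfx_opens_with "$1" "$2"; then echo ok; else echo fail; fi
}

# pfx_to_b64 FILE: the single-line base64 string you would store in a
# Key Vault secret (or read back from a pipeline variable).
pfx_to_b64() {
  base64 < "$1" | tr -d '\n'
}

# pfx_from_b64 B64 OUTFILE: decode that string back to a binary PFX;
# fails if B64 is not valid base64.
pfx_from_b64() {
  printf '%s' "$1" | base64 -d > "$2" 2>/dev/null
}

# 1. PFX protected with a password: only that password verifies the MAC.
make_pfx "$workdir/withpw.pfx" "s3cret-sample"
echo "correct password:  $(mac_status "$workdir/withpw.pfx" "s3cret-sample")"
echo "wrong password:    $(mac_status "$workdir/withpw.pfx" "not-the-password")"

# 2. PFX with a blank password (the form Key Vault hands out on download):
#    the password used at import time no longer works, only an empty one does.
make_pfx "$workdir/blankpw.pfx" ""
echo "blank pfx, blank:  $(mac_status "$workdir/blankpw.pfx" "")"
echo "blank pfx, old pw: $(mac_status "$workdir/blankpw.pfx" "s3cret-sample")"

# 3. base64 round trip, intact and truncated: a truncated string still
#    decodes (200 chars is a multiple of 4) but the bytes are not a PKCS#12.
b64="$(pfx_to_b64 "$workdir/withpw.pfx")"
pfx_from_b64 "$b64" "$workdir/roundtrip.pfx"
echo "round trip:        $(mac_status "$workdir/roundtrip.pfx" "s3cret-sample")"
truncated="$(printf '%s' "$b64" | cut -c1-200)"
pfx_from_b64 "$truncated" "$workdir/truncated.pfx"
echo "truncated base64:  $(mac_status "$workdir/truncated.pfx" "s3cret-sample")"
```

Run it as `sh check_pfx.sh`. If your own PFX reports `fail` for the password you imported it with but `ok` for an empty password, you are looking at the blank-password export the last comment describes; if it reports `fail` for both, compare the base64 string that reached the pipeline with `pfx_to_b64` of the original file before suspecting the password at all.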