
I am trying to generate X509 certificates in C# code (using the X509Certificate2 class) and upload them to an Azure Key Vault.

I have found out that if my certificate contains the flag X509KeyUsageFlags.KeyEncipherment, the vault will reject the certificate with this error message:

Unsupported key operation(s): "wrapKey", "unwrapKey". Supported values are "sign", "verify".

Does anyone know what to do about this? Of course I can remove that flag from my generated certificates, but I want to understand why Azure rejects it. Is it possible at all to upload certificates to an Azure Key Vault when they contain this flag?

I have read this documentation page, but it did not tell me much: https://learn.microsoft.com/en-us/azure/key-vault/keys/about-keys-details

(This is a more specific follow-up to my earlier question here.)

Claus Appel
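As an added example (not the questioner's code), the following builds the kind of certificate the question describes with the X509Certificate2 / CertificateRequest APIs, reads the KeyUsage extension back, and flags KeyEncipherment before an upload is attempted; it assumes an EC signing key, which the question does not state.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not code from the question or the answer.
public static class KeyUsageCheck
{
    // The question reports that Key Vault rejected a certificate carrying this
    // flag (error: wrapKey/unwrapKey unsupported, only sign/verify accepted).
    private const X509KeyUsageFlags Rejected = X509KeyUsageFlags.KeyEncipherment;

    // Builds a self-signed certificate with the requested KeyUsage flags.
    public static X509Certificate2 CreateSelfSigned(string subject, X509KeyUsageFlags usage)
    {
        // Assumption: an EC (P-256) signing key; the question does not give the key type.
        using var key = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        var req = new CertificateRequest(subject, key, HashAlgorithmName.SHA256);
        req.CertificateExtensions.Add(new X509KeyUsageExtension(usage, critical: true));
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, false));
        var now = DateTimeOffset.UtcNow;
        return req.CreateSelfSigned(now.AddMinutes(-5), now.AddYears(1));
    }

    // Reads the KeyUsage extension from any loaded certificate (e.g. one loaded from a PFX).
    public static X509KeyUsageFlags ReadKeyUsage(X509Certificate2 cert)
    {
        foreach (var ext in cert.Extensions)
            if (ext is X509KeyUsageExtension ku) return ku.KeyUsages;
        return X509KeyUsageFlags.None;
    }

    // Pre-upload check: true when the certificate carries a flag the vault rejected.
    public static bool HasRejectedUsage(X509Certificate2 cert) =>
        (ReadKeyUsage(cert) & Rejected) != 0;

    public static void Main()
    {
        using var ok = CreateSelfSigned("CN=signing-only", X509KeyUsageFlags.DigitalSignature);
        using var bad = CreateSelfSigned("CN=with-key-encipherment",
            X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment);

        Console.WriteLine($"{ok.Subject}: {ReadKeyUsage(ok)} flagged={HasRejectedUsage(ok)}");
        Console.WriteLine($"{bad.Subject}: {ReadKeyUsage(bad)} flagged={HasRejectedUsage(bad)}");

        // Export in the PFX format the questioner uploads (placeholder password, constructed).
        byte[] pfx = ok.Export(X509ContentType.Pfx, "placeholder-password");
        Console.WriteLine($"PFX length: {pfx.Length} bytes");
    }
}
```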

1 Answer


• You are encountering this issue because the key along with this x509 .pem certificate is not in the correct format and is not combined with the certificate. That is, the certificate type that you are importing should not have its information contained in it in base64-encoded byte form. It should be in its raw form.

Thus, the error signifies that the certificate key you are trying to import is to be used to sign and verify the application content and the application using this certificate will hash the data locally using the certificate’s keys. Thus, the certificate key should not itself be in other unacceptable form. Also, the key generation algorithm may not be supported as stated from the error that you are encountering.

• Hence, if you are importing a certificate in PEM (whether that be X509 certificate) format, then "contentType" should be "application/x-pem-file" type. The value parameter will just be the raw text contents of your PEM file and need not be in base64-encoded bytes, because a PEM certificate is already in a text format, so base64-encoding is not required. Thus, the private key of the certificate should be in the same format as the certificate contents encryption algorithm. It need not be masked or converted into another format and it should be combined with the certificate itself.

Please refer to the links below for more information:

https://learn.microsoft.com/en-us/azure/key-vault/certificates/certificate-scenarios#formats-of-import-we-support

https://learn.microsoft.com/en-us/answers/questions/258583/import-certificate-api-for-azure-key-vault.html

Kartik Bhiwapurkar

  • Thanks for the answer. But my file is not a PEM. It is a PFX. Moreover, the error goes away if I remove the flag `KeyEncipherment`. It seems unlikely that what you describe is the problem. – Claus Appel Jan 27 '22 at 14:37
  • I have not described the problem. I have discussed the cause of the problem and the most probable situation behind the 'unwrap, wrap' key method, because this is mostly the only reason why you are encountering this error while importing a certificate in keyvault. – Kartik Bhiwapurkar Jan 29 '22 at 05:34
  • Thanks, but unfortunately your answer didn't help me. – Claus Appel Feb 03 '22 at 10:15