
I have been following this sample from AWS. I have followed the guide, downloaded the certificates, converted them into .pfx and tested them in local code similar to the sample. The code works fine and the intended connection can be established. However, when I try to upload the certificate to Azure Key Vault, I get this error:

The specified X.509 certificate content is invalid. Error: one or more x.509 properties are invalid.

I have Googled and tested quite a few different openssl commands, and also tried to upload through PowerShell (just in case), but it's always the same error. I am a bit clueless as to why this (as far as I know) official AWS example does not just work, and why I cannot just export certificates from one big cloud company to another.

Does anyone have any guesses as to what is going wrong and what properties may be invalid, or how I can find out?

PS: My Azure code is getting all configurations from the Key Vault secrets (connection strings, etc.). I figured it could similarly be used to store certificates that my code can retrieve and use, instead of storing the certificate file in the project. Do let me know if I have misunderstood what kind of certificates should be saved in the Key Vault.

John Rotenstein
mathkid91

1 Answer

Please check if the following can be worked around:

  1. Please note that Key Vault requires/accepts only a PEM or PFX file along with a private key.
  2. If you have a private key stored separately in a different format, you need to combine the key with the certificate, and the key should not be encrypted. Some certificate authorities (CAs) provide certificates in other formats. Therefore, before you import the certificate, make sure that it's in either PEM or PFX file format and that it uses either an RSA or an elliptic-curve cryptography (ECC) key. See "Creating a certificate with a CA not partnered with Key Vault".

Some factors to check:

  1. Please check if the PFX has expired, the PFX password is incorrect, or it has an invalid format.

  2. Try re-importing the cert from a PFX file with the --password parameter if it is password protected.

  3. Also make sure you have access policies created (create, get, set, delete, list) for the user that is trying to create it and also for the application.

  4. The name of the secret or certificate that you are uploading must be unique and should not match any other secret that was created previously. The content type must be application/x-pkcs12 for a PFX file.

Also check the similar case from the SO reference.

References:

  1. Understand X.509 public key certificates | Microsoft Docs / About Azure Key Vault certificates
  2. "The parameter KeyVault Certificate has an invalid value" - Microsoft Q&A
kavyaS
  • Thanks for your feedback. I am gonna go through everything next week when I am back at work. I think the "CA not partnered with key-vault" part is the only thing I haven't tried yet, so I will check that out. I will give everything a new go, but I believe we have tried the rest. – mathkid91 Aug 07 '22 at 11:56
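A pre-flight check to run on the .pfx locally before trying the import again, added here as an example (it is not part of the question or the answer). It assumes openssl is installed and verifies the points the answer lists: the bundle opens with the given password, it contains a private key that actually matches the certificate, the key is RSA or EC, and the certificate is not expired. A failure in this script usually explains an "x.509 properties are invalid" rejection without any Key Vault round trip.

```shell
#!/bin/sh
# Added example: pre-flight check for a .pfx before uploading it to Key Vault.
# Assumes openssl is installed. Reports the points the answer lists: the bundle
# must open with the given password, contain a private key that matches the
# certificate, use an RSA or EC key, and the certificate must not be expired.
# Usage: check_pfx bundle.pfx [password]
check_pfx() {
    pfx="$1"; pass="${2:-}"
    tmp="$(mktemp)"   # mktemp creates the file 0600; it briefly holds the plain key
    # Unpack to unencrypted PEM; a wrong password or a non-PKCS#12 file fails here.
    if ! openssl pkcs12 -in "$pfx" -nodes -passin "pass:$pass" -out "$tmp" 2>/dev/null; then
        rm -f "$tmp"
        echo "unreadable: wrong password or not a valid PKCS#12 file"
        return 1
    fi
    rc=0
    grep -q "PRIVATE KEY" "$tmp" || { echo "no private key in bundle"; rc=1; }
    grep -q "BEGIN CERTIFICATE" "$tmp" || { echo "no certificate in bundle"; rc=1; }
    # The key must belong to the (first) certificate: compare the public keys.
    certpub="$(openssl x509 -in "$tmp" -noout -pubkey 2>/dev/null)"
    keypub="$(openssl pkey -in "$tmp" -pubout 2>/dev/null)"
    [ -n "$certpub" ] && [ "$certpub" = "$keypub" ] || { echo "private key does not match certificate"; rc=1; }
    # Key algorithm as printed by openssl: rsaEncryption or id-ecPublicKey.
    alg="$(openssl x509 -in "$tmp" -noout -text 2>/dev/null | sed -n 's/.*Public Key Algorithm: //p' | head -n1)"
    case "$alg" in
        rsaEncryption|id-ecPublicKey) ;;
        *) echo "unsupported key algorithm: ${alg:-unknown}"; rc=1 ;;
    esac
    # -checkend 0 exits non-zero if the certificate is already expired.
    openssl x509 -in "$tmp" -noout -checkend 0 >/dev/null 2>&1 || { echo "certificate has expired"; rc=1; }
    rm -f "$tmp"
    [ "$rc" -eq 0 ] && echo "ok: $alg key, certificate with matching private key, not expired"
    return "$rc"
}
# Run directly: ./check_pfx.sh bundle.pfx password
if [ $# -gt 0 ]; then check_pfx "$@"; fi
```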