
I feel like I must be missing something obvious or I'm being very dense. If I generate a self-signed certificate with Key Vault, or import a PFX with a private key, but do not mark the private key as exportable, as far as I can tell there is literally nothing I can do with that certificate from an API standpoint. Perhaps I can use it with a Gateway to terminate SSL or something, but I can't find any way to decrypt or sign data with them, or do anything useful with them the way I can with Keys. At least Keys marked as non-exportable still have decrypt and sign APIs. Certificates in Key Vault without an exportable key seem like bricks. Is there anything useful that can be done with these certificates?

Emperor Eto
  • If you download the secret that is generated with the same name and version as the certificate, you can get the private key as well. It should be in the PFX you can download. It will have an empty password though (so not the original you have used during import). – Esta Nagy Feb 27 '23 at 05:57
  • @EstaNagy OMG, "the secret that is generated with the same name and version", that was what I was missing. Actually I need the "Addressable Key" but you led me to find that. I knew it was obvious. Thank you. Please make that an answer so I can accept. – Emperor Eto Feb 27 '23 at 12:22

2 Answers


The only useful thing you can do with the public key is to verify tokens or data that you have received. The alternative is to send data to AKV and have it signed/encrypted for you. You can also use the public key to sign data, but then the receiver must have the public key to verify the signature.

It sure is annoying that you can't get both when you download it as a certificate.

Tore Nestenius

If you download the secret that is generated with the same name and version as the certificate, you can get the private key as well. It should be in the PFX you can download. It will have an empty password though (so not the original you have used during import).

Esta Nagy
  • Yep, thank you. Just to clarify I believe if it's marked as non-exportable you can't actually get the private key but you CAN use `decrypt` and `sign` methods against the correspondingly named *Key* in the KV. What I was missing was the whole idea of a backing key/secret. – Emperor Eto Feb 27 '23 at 17:33
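The point both the accepted answer and the final comment make is that a Key Vault certificate is really three addressable objects under one name: the certificate, a backing *key* (which exposes `keys/sign` and `keys/decrypt` even when the policy is non-exportable) and a backing *secret* (which returns the PFX, with an empty password, and only includes the private key when the policy marked it exportable). The following is an added example, not code from the question or either answer. It derives the backing key and secret identifiers from a certificate identifier and then uses the Azure SDK for Python to sign through the backing key and to download the PFX from the backing secret. It assumes the `azure-identity`, `azure-keyvault-keys` and `azure-keyvault-secrets` packages, an RSA certificate (RS256 is assumed), and a caller with `keys/sign` and `secrets/get` permissions; the vault and certificate names are constructed placeholders.

```python
"""Added example (not from the original post): addressing and using the backing
key and secret that Key Vault creates alongside every certificate.

Assumptions not stated on the page: azure-identity, azure-keyvault-keys and
azure-keyvault-secrets are installed; the certificate has an RSA key (RS256);
the caller holds keys/sign and secrets/get permissions. Names are placeholders.
"""
import base64
import hashlib
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class KeyVaultCertificateId:
    vault_url: str  # e.g. https://myvault.vault.azure.net (placeholder)
    name: str       # certificate name
    version: str    # version id, or "" for "latest"

    @classmethod
    def parse(cls, cert_id: str) -> "KeyVaultCertificateId":
        """Parse https://<vault>/certificates/<name>[/<version>]."""
        url = urlparse(cert_id)
        parts = [p for p in url.path.split("/") if p]
        if len(parts) not in (2, 3) or parts[0] != "certificates":
            raise ValueError(f"not a certificate identifier: {cert_id}")
        version = parts[2] if len(parts) == 3 else ""
        return cls(f"{url.scheme}://{url.netloc}", parts[1], version)

    def _sibling(self, collection: str) -> str:
        # The backing objects share the certificate's name and version.
        suffix = f"/{self.version}" if self.version else ""
        return f"{self.vault_url}/{collection}/{self.name}{suffix}"

    @property
    def backing_key_id(self) -> str:
        """Addressable key: keys/sign and keys/decrypt work even if non-exportable."""
        return self._sibling("keys")

    @property
    def backing_secret_id(self) -> str:
        """Addressable secret: the PFX; private key present only if exportable."""
        return self._sibling("secrets")


def sign_with_backing_key(cert_id: str, data: bytes, credential=None) -> bytes:
    """Sign data via the certificate's backing key; the private key never leaves
    the vault. Key Vault signs a precomputed digest, so hash locally first."""
    # SDK imports are deferred so the identifier helpers above work offline.
    from azure.identity import DefaultAzureCredential
    from azure.keyvault.keys.crypto import CryptographyClient, SignatureAlgorithm

    ident = KeyVaultCertificateId.parse(cert_id)
    client = CryptographyClient(ident.backing_key_id, credential or DefaultAzureCredential())
    digest = hashlib.sha256(data).digest()
    return client.sign(SignatureAlgorithm.rs256, digest).signature


def download_backing_pfx(cert_id: str, credential=None) -> bytes:
    """Fetch the backing secret and return the raw PFX bytes (empty password).
    For a non-exportable policy the PFX holds only the public certificate."""
    from azure.identity import DefaultAzureCredential
    from azure.keyvault.secrets import SecretClient

    ident = KeyVaultCertificateId.parse(cert_id)
    client = SecretClient(ident.vault_url, credential or DefaultAzureCredential())
    secret = client.get_secret(ident.name, version=ident.version or None)
    if secret.properties.content_type != "application/x-pkcs12":
        raise ValueError(f"unexpected content type: {secret.properties.content_type}")
    return base64.b64decode(secret.value)


if __name__ == "__main__":
    # Offline part of the demo: show which sibling objects a certificate id maps to.
    cid = KeyVaultCertificateId.parse(
        "https://myvault.vault.azure.net/certificates/mycert/0123456789abcdef")
    print("backing key   :", cid.backing_key_id)
    print("backing secret:", cid.backing_secret_id)
    # Against a real vault (placeholders above), sign_with_backing_key(...) and
    # download_backing_pfx(...) would be called here.
```

Note the division of labour: signing and decrypting go through the backing key, so a non-exportable certificate is not a brick, it just keeps its private key inside the vault; the backing secret is only worth downloading when the policy was exportable and you actually need the key material locally.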