
I uploaded a certificate to the Azure KeyVault in pfx format, with a password and I want to use it in my java application. Here is how I download the certificate:

    CertificateClient certificateClient = new CertificateClientBuilder()
            .vaultUrl("<kv-url>")
            .credential(new DefaultAzureCredentialBuilder()
                    .authorityHost("https://login.microsoftonline.com/")
                    .build())
            .buildClient();
    KeyVaultCertificateWithPolicy certificate = certificateClient
            .getCertificate("<cert-name>");

I want to convert my certificate back to PFX, but it downloads only in CER format. In the portal there are two possibilities: [screenshot]

If I download in CER format, I get back exactly the same string as when I do the following in Java:

    String s = DatatypeConverter.printBase64Binary(certificate.getCer());
    System.out.println(s); // this gives me back the same as download CER

but... I need the pfx format, which is available in the portal but I don't see any options in java.

I also tried to convert the downloaded CER to PFX like this:

    Base64.Decoder decoder = Base64.getDecoder();
    byte[] decode = decoder.decode(s);

    InputStream inputStream = new ByteArrayInputStream(decode);

    try {
        KeyStore keyStore = KeyStore.getInstance("pkcs12");
        keyStore.load(inputStream,"<password>".toCharArray());

    } catch (CertificateException | KeyStoreException | IOException | NoSuchAlgorithmException e) {
        throw new RuntimeException(e);
    }

but then I get the following exception:

    Exception in thread "main" java.lang.RuntimeException: java.io.IOException: DER input, Integer tag error
        at main.Application.main(Application.java:57)
    Caused by: java.io.IOException: DER input, Integer tag error
        at sun.security.util.DerInputStream.getInteger(DerInputStream.java:195)
        at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1948)
        at java.security.KeyStore.load(KeyStore.java:1445)
        at main.Application.main(Application.java:54)

Can you please help me find either a way to download directly in PFX format from the Key Vault, or a way to convert the CER to PFX?

Sunflame

1 Answer

The PEM/PFX is stored as a secret using the same name and version as the certificate. When you download the data, the PFX will have a blank password.

Esta Nagy
  • This might help: https://github.com/nagyesta/lowkey-vault/blob/main/lowkey-vault-docker/src/test/java/com/github/nagyesta/lowkeyvault/steps/CertificateStepDefAssertion.java#L53-L69 – Esta Nagy Mar 25 '23 at 15:46
  • I know I can store the certificate as a secret in PFX format, since only a string is uploaded there, but I want to use Azure's Certificate functionality, which means this does not solve my problem. – Sunflame Mar 27 '23 at 08:42
  • I did not mean to mention it as an alternative, this is what is already happening in the background when you are using the certificate API. Every certificate has a managed (hidden) key and secret backing it. When the certificate is created, the secret and the key are generated automatically. When you are downloading the PFX on the UI, it is simply downloading the secret value. Please see the documentation here: https://learn.microsoft.com/en-us/azure/key-vault/certificates/certificate-scenarios#certificates-are-complex-objects – Esta Nagy Mar 27 '23 at 15:37
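A way to do what the answer describes in Java, as an added example that is not code from the question, the answer or the Azure SDK: it reads the certificate's backing secret with the `SecretClient` from `azure-security-keyvault-secrets` (assumed to be on the classpath), loads it as a passwordless PKCS#12 keystore, and re-saves it as a PFX file with a password of your own. The vault URL, certificate name, output path and new password are placeholders.

```java
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;
import com.azure.security.keyvault.secrets.models.KeyVaultSecret;
import java.io.ByteArrayInputStream;
import java.io.FileOutputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.util.Base64;
import java.util.Collections;

public class PfxFromKeyVault {

    // Loads the PKCS#12 blob that backs a Key Vault certificate. The caller needs the
    // secrets/get permission on the vault, which is separate from certificates/get:
    // the secret is what releases the private key, so grant it deliberately.
    static KeyStore loadBackingPfx(String vaultUrl, String certName) throws Exception {
        SecretClient secretClient = new SecretClientBuilder()
                .vaultUrl(vaultUrl)
                .credential(new DefaultAzureCredentialBuilder().build())
                .buildClient();
        // Same name as the certificate; without a version this returns the latest one.
        KeyVaultSecret secret = secretClient.getSecret(certName);
        String contentType = secret.getProperties().getContentType();
        if (!"application/x-pkcs12".equals(contentType)) {
            // A certificate created with PEM content type yields a PEM text secret instead.
            throw new IllegalStateException("Backing secret is not PKCS#12: " + contentType);
        }
        // The secret value is the base64-encoded PFX; Key Vault exports it with a blank password.
        byte[] pfx = Base64.getDecoder().decode(secret.getValue());
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        keyStore.load(new ByteArrayInputStream(pfx), "".toCharArray());
        return keyStore;
    }

    // Re-saves the keystore as a PFX file protected by a password of your choosing.
    static void saveAsPfx(KeyStore keyStore, String path, char[] password) throws Exception {
        try (OutputStream out = new FileOutputStream(path)) {
            keyStore.store(out, password);
        }
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = loadBackingPfx("<kv-url>", "<cert-name>"); // placeholders
        for (String alias : Collections.list(ks.aliases())) {
            System.out.println(alias + " has private key: " + ks.isKeyEntry(alias));
        }
        saveAsPfx(ks, "<output>.pfx", "<new-password>".toCharArray()); // placeholders
    }
}
```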