Alternative to Import-AzWebAppKeyVaultCertificate in Azure Rm - azure

Planning to import an SSL certificate to a web app from Key Vault.
Found that Import-AzWebAppKeyVaultCertificate in Az.websites which performs the above task but the above fails in the azure pipeline and I'm looking into any alternative in AzureRm As for my research I can't find anything in documents.
Az docs - https://learn.microsoft.com/en-us/powershell/module/az.websites/import-azwebappkeyvaultcertificate?view=azps-6.0.0&viewFallbackFrom=azps-4.8.0
I want to know anything specific command to import ssl certificate to a web app from keyvault using AzureRm commands

Did you try with Azure CLI command ?
az login
# upload certificate to Azure key vault
az keyvault certificate import --file "E:\Cert\P2SChildCert.pfx" --password "" --name "test1234" --vault-name "testkey08"
# download certificate as pfx file
az keyvault secret download --file "test2.pfx" --vault-name "testkey08" --name "test1234" --encoding base64
# upload the pfx file to Azue web app
az webapp config ssl upload --certificate-file "test2.pfx" --name "andywebsite" --resource-group "andywebbot" --certificate-password "" --query thumbprint --output tsv

You could use Invoke-RestMethod to call the REST API Certificates - Create Or Update manually.
PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/certificates/{name}?api-version=2019-08-01
To get the access token, refer to https://learn.microsoft.com/en-us/rest/api/azure/#client-credentials-grant-non-interactive-clients

Related

Get Password using CLI from Azure Key Vault

I stored password in azure key vault account and i want that to be get from cli so that I can copy them any time when ever needed
much appreciated for help!
Here is the command for displaying password through CLI
az keyvault secret show \
--name <Your Secret Name> \
--vault-name <Your Key Vault Name> \
--query value \
--output tsv
I have tested in my local environment, and it worked for me

How can i check if the ssl binding on a web ap has expired or is soon going to expire in Azure?

Im using
az webapp config ssl list --resource-group "$resourcegroup" | ConvertFrom-Json
but this gives back all certificates.
The issue is that under the bindings in Azure for the web app it had an expired certificate.
Can i check the actual bindings and if they are soon going to expire using powershell and the az cmdlets ?
You can filter it in powershell:
Expired:
az webapp config ssl list --resource-group "$resourcegroup" | ConvertFrom-Json | Where-Object {$_.expirationDate -lt (Get-Date)}

az acr login with subject name and issuer authentication error

I'm trying to authenticate to Azure container registry with the cli.
I'm using subject name and issuer authentication, and authenticating to azure with service principal.
that's what I do to login to azure
az login --service-principal --use-cert-sn-issuer -u {app id} -p {certificate .pem file} --tenant {tenant id}
it works, and then I try to login to the acr with:
az acr login --name {acr name}
it fails with:
The command failed with an unexpected error. Here is the traceback:
Get Token request returned http error: 401 and server response: {"error":"invalid_client","error_description":"AADSTS700027: Client assertion contains an invalid signature. [Reason - The key was not found., Thumbprint of key used by client: {Thumbprint}, Please visit 'https://developer.microsoft.com/en-us/graph/graph-explorer' and query for 'https://graph.microsoft.com/beta/applications/{app id}' to see configured keys]\r\nTrace ID: 4546d682-75b6-4a8b-9c03-11f4821c5f00\r\nCorrelation ID: 02e4c324-25a9-47ff-a5ba-afdeec0ce5ec\r\nTimestamp: 2020-06-23 08:12:00Z","error_codes":[700027],"timestamp":"2020-06-23 08:12:00Z","trace_id":"4546d682-75b6-4a8b-9c03-11f4821c5f00","correlation_id":"02e4c324-25a9-47ff-a5ba-afdeec0ce5ec","error_uri":"https://login.microsoftonline.com/error?code=700027"}
what could be the problem?
The error shows that your certificate is not very correct. Here is the same issue in Github and you can follow the steps to solve it.
Or you can create the service principal using certificate-based authentication with the CLI command:
az ad sp create-for-rbac --name ServicePrincipalName --create-cert
and then it will work fine for you. Here are the steps with more details. And take care of the caution:
When using a PEM file, the CERTIFICATE must be appended to the PRIVATE
KEY within the file.

Binding SSL certificate to App service using Azure CLI and Keyvault

I'm trying to use Azure CLI to configure an Azure app service SSL certificates that are stored in an Azure KeyVault. I'm new to Azure CLI and am having trouble finding a complete set of sample code that does this. I've found documentation / examples of the individual commands, but am having trouble chaining them together. Definitely would appreciate some assitance/guidance as I feel like this is a common scenario.
At first, I thought this was would be a simple 'linking' type command. Certs are already uploaded in keyvault, so Azure App Service, go get 'em, here's the $pfxPassword.
It doesn't look like that is possible. I found some documentation that it looks like you need to download the Cert from the keyvault and then upload it.
It took me a little bit to realize that you don't use az keyvault certificate for this... you need to use az secret download.
I then found some other commands on how to upload the cert, get the thumbprint, and bind the cert to the app Service.
I chained these three commands together, but am not able to get it to work.
#download the cert
az keyvault secret download --file $fileName --vault-name $vaultName --name $certName;
#upload the cert and get the thumbprint
$thumbprint=az webapp config ssl upload --certificate-file $fileName --certificate-password $pfxPassword --name $site_name --resource-group $ResourceGroupName --query thumbprint --output tsv
#bind the uploaded cert to the app service.
az webapp config ssl bind --certificate-thumbprint $thumbprint --ssl-type SNI --name $site_name --resource-group $ResourceGroupName
I can confirm the first command is downloading the cert. (After a while I was able to figure things out import into my win10 development machine -- even though the certs were uploaded into keyvault with a password, downloading them stripped the password out.).
Unfortunately, it looks like the second command (upload and get the thumbprint) REQUIRES a password.
What is the 'correct' way to do this?
Thanks for your guidance/advice.
According to my test, when we use the Azure CLI to download the certificate as pfx file from Azure key vault, it has a blank password. So when we use CLI to upload the pfx file to Azure web app, we can use the following command
az webapp config ssl upload --certificate-file "<pfx file name>" --name "<web name>" --resource-group "<group name>" --certificate-password "" --query thumbprint --output tsv
az login
# upload certificate to Azure key vault
az keyvault certificate import --file "E:\Cert\P2SChildCert.pfx" --password "" --name "test1234" --vault-name "testkey08"
# download certificate as pfx file
az keyvault secret download --file "test2.pfx" --vault-name "testkey08" --name "test1234" --encoding base64
# upload the pfx file to Azue web app
az webapp config ssl upload --certificate-file "test2.pfx" --name "andywebsite" --resource-group "andywebbot" --certificate-password "" --query thumbprint --output tsv
Besides, if your certificate has been stored in Azure key vault, we can directly import it to Azure web app via Azure Portal.

Add SSL Cert to an existing VM linux vm from Azure key vault

How you add SSL Cert to an existing azure Linux VM from Azure Key vault. for windows we use the following command
$vaultId=(Get-AzureRmKeyVault -ResourceGroupName $resourceGroup -VaultName $keyVaultName).ResourceId
$vm = Add-AzureRmVMSecret -VM $vm -SourceVaultId $vaultId -CertificateStore "My" -CertificateUrl $certURL
Is there a similar one like this for linux vm? Is there a link similar to this for linux Secure IIS web server with SSL certificates on a Windows virtual machine in Azure
You could use Azure Cli to do this. Using following command.
secret=$(az keyvault secret list-versions \
--vault-name $keyvault_name \
--name mycert \
--query "[?attributes.enabled].id" --output tsv)
vm_secret=$(az vm format-secret --secret "$secret")
az vm update -n shui -g shuikeyvault --set osProfile.secrets="$vm_secret"
Then the certificate stores on /var/lib/waagent, you could use Azure Custom Script to use it.
Note: You should use "$vm_secret", I test in my lab, only $vm_secret does not work for me.
ssh-copy-id -i ~/.ssh/id_rsa.pub aht#myserver. But if you have rights to the VM but not the original key, you want to use azure vm reset-access to do so. It is in fact documented as a standalone ability:
help: -M, --ssh-key-file path to public key PEM file or SSH Public key file for SSH authentication (valid only when os-type is "Linux")
of course, it doesn't say what ELSE should happen here in order to ADD the key I provide to the currently running VM I'm targeting. But the result needs to be that if I specify a user that already exists, and there's a key already there, this one needs to be added to the directory.
You'll note that in Azure/azure-linux-extensions#295, https://github.com/Azure/azure-linux-extensions/issues/295 believes that using azure vm set-extensions ,then reset-access is broken.
Update a Key Vault for use with VMs
Set the deployment policy on an existing key vault with az keyvault update. The following updates the key vault named myKeyVault in the myResourceGroup resource group:
Azure CLI
Copy
az keyvault update -n myKeyVault -g myResourceGroup --set properties.enabledForDeployment=true

Resources