I need to automate creating a keyvault and adding two certificates to the vault. I have one self-signed without a password and one wildcard cert signed from a valid authority.
When I try and import them the signed cert gets added fine but the self-signed returns an error...
Import-AzureKeyVaultCertificate : Pending Certificate not found: cluster-app-primary
At script.ps1:18 char:1
Import-AzureKeyVaultCertificate -VaultName $name -Name 'cluster-app...
+ CategoryInfo : CloseError: (:) [Import-AzureKeyVaultCertificate], KeyVaultErrorException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.KeyVault.ImportAzureKeyVaultCertificate
The powershell code is as follows:
Import-AzureKeyVaultCertificate -VaultName $name -Name 'cluster-app-primary' -FilePath "..\..\Certificates\cluster-app-primary.pfx"
Now the exact same command with the other certificate works fine (with a password though).
Also note that if I try and import the self-signed certificate through the Azure portal it works fine.
Does anyone know what this error means and is there anything I can do to import this thru powershell?
Thanks.
I think this issue related to your self-signed cert, the command works fine on my side. Try to create a pfx certificate with a password like below, becasue when you import the certificate in the portal, it also asks for a password.
$certroopath = "C:\Users\Administrator\Desktop"
$certname = "mycert1"
$certpassword = "P#ssw0rd1234"
$cert = New-SelfSignedCertificate -DnsName "$certname" -CertStoreLocation cert:\CurrentUser\My
$pwd = ConvertTo-SecureString -String $certpassword -Force -AsPlainText
$certwithThumb = "cert:\CurrentUser\my\"+$cert.Thumbprint
$filepath = "$certroopath\$certname.pfx"
Export-PfxCertificate -cert $certwithThumb -FilePath $filepath -Password $pwd
Then import it to azure keyvault, it works fine.
$mypwd = ConvertTo-SecureString -String "P#ssw0rd1234" -Force -AsPlainText
Import-AzKeyVaultCertificate -VaultName joykeyvault -Name testc1 -FilePath C:\Users\Administrator\Desktop\mycert1.pfx -Password $mypwd
UPDATE
I could not get this to work so what I did was use the CertificateString parameter instead. I just took the string of the exact same certificate and it worked fine and imported it.
Import-AzKeyVaultCertificate -VaultName $name -Name $certName -CertificateString "MII..."
Related
I'm following an educative course, where i need to put the webhook in the Azure Key Vault.
When i run below on powershell
New-AzKeyVault -Name "dev-avm-kvz" -ResourceGroupName "shared-rg" -Location "westeurope"
Set-AzKeyVaultAccessPolicy -VaultName "dev-avm-kvz" -UserPrincipalName "sxndgmail.onmicrosoft.com" -PermissionsToSecrets get,set,delete
$secretvalue = ConvertTo-SecureString "https://8xe2c-bd3dc2a.webhook.we.azure-automation.net/webhooks?token=i%2bcs1ZY" -AsPlainText -Force
$secret = Set-AzKeyVaultSecret -VaultName "dev-avm-kvz" -Name "db-new-vm-webhook" -SecretValue $secretvalue
The first line succeeds with a new vault created.
But the Set-AzKeyVaultAccessPolicy errors out as below -
here's the educative instructions im referring to ->
From their commands, i have changed principal name, vault name a little and my webhook URI
I have reproduced in my environment, and I got expected results as below and I followed Microsoft-Document:
Firstly, I have created a key Vault using the below PowerShell commands:
$ResourceGroupName ="XX"
$Location="North Europe"
$KeyVaultName="siliconvault"
New-AzKeyVault -Name $KeyVaultName -ResourceGroupName $ResourceGroupName `
-Location $Location -SoftDeleteRetentionInDays 7
Then, I have assigned access policy to the UPN and followed Microsoft-Document:
Set-AzKeyVaultAccessPolicy -VaultName siliconvault -UserPrincipalName 'XXk_outesaioutlook.onmicrosoft.com `
-PermissionsToSecrets Get,Set,List
You can find the UPN of the user by visiting > Azure Active Directory in your Azure Portal > Left Pane > Users > Click on the desired User and Copy the UPN.
Then i have used below commands to add secrets of web uri:
$SecretVault=ConvertTo-SecureString "https://a.webhook.we.azure-automation.net/webhooks?token=i%2" -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName siliconvault -Name "webhookuri" -SecretValue $SecretVault
Outputs:
Access Policy is assigned to the UPN successfully as below:
Then you can see the secret is added as below:
Inside the secret your secret value is stored.
I need help on this scenario. we have a cert in azure key vault which needs to be download to a windows VM for our .net application to run on iis. I am able to upload the cert to Azure keyvault with out issues. I am running a azure devops powershell tasks inline powershell script.
it will connect to azure using conenct-azaccount with appropriate login creds.enter code here
we run invoke-azvmssruncommand and specific the script path and variable which needs to be passed as parameters.
in the PowerShell script we have script to get the cert from azure keyvualt once its connected to azure vm
below is the error
error: an error occurred while sending request. need your thoughts on it.
Invoke-AzVmssVMRunCommand -VMScaleSetName dev-CTUS -ResourceGroupName RG -InstanceId $instanceid -CommandId 'RunPowerShellScript'-ScriptPath "path"\downloadcertfromkeyvault.ps1" -Parameter #{"vaultname"= "keyvault name";"certname"="app-DEV";"password"= "jdksjkdjalksd";"said"="";"sapuserid"; password"="password";"devSubscriptionId"="ZXXXXXXXXXX"} -Debug
this is the command which i used in azure devops powershell inline script .
inside powershell script
$SecurePassword = "$sapassword" | ConvertTo-SecureString -AsPlainText -Force
$Credential = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList $said, $SecurePassword
Connect-AzAccount -Credential $Credential -Tenant "XXXXXXXXXXXX-a68c-41e5-XXXXXXXX"
Write-log "setting subscription to retrive certs"
Set-AzContext $devSubscriptionId
$password = "$password"
$password = ConvertTo-SecureString -String "$password" -AsPlainText -Force
$cert = Get-AzKeyVaultCertificate -VaultName $vaultname -Name $certname
$secret = Get-AzKeyVaultSecret -VaultName $vaultname -Name $cert.Name
$pfxpath = [System.Environment]::GetFolderPath("Desktop")
$secretByte = [Convert]::FromBase64String($secret.SecretValueText)
$x509Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($secretByte, "", "Exportable,PersistKeySet")
$type = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx
$pfxFileByte = $x509Cert.Export($type, $password)
# Write to a file
[System.IO.File]::WriteAllBytes("$pfxpath\$certname.pfx", $pfxFileByte)
$certificate= Get-ChildItem -path cert:\LocalMachine\My` `
Write-Log $certificate
With the following command I am able to generate self-signed certificate at PowerShell prompt:
$mycert = New-SelfSignedCertificate -DnsName "myhost.westeurope.cloudapp.azure.com" -CertStoreLocation "cert:\LocalMachine\My"
Then I can export it to a PFX file:
$mypwd = ConvertTo-SecureString -String "1234" -Force –AsPlainText
Export-PfxCertificate -FilePath .\mycert.pfx -Password $mypwd -Cert $mycert
Finally, I can import the certificate into Azure Keyvault:
$kvcert = Import-AzKeyVaultCertificate -VaultName mykeyvault -Name mycert -FilePath .\mycert.pfx -Password $mypwd
The above commands work well for me and I can call Import-AzKeyVaultCertificate repeatedly without any errors. Which is important for me, because I want to call the command from an Azure pipeline as a build for pull requests in our team.
My question is -
I don't want to commit the PFX file into our Git repo.
Instead I want to inline the base64 content of it in a PowerShell script, just to have 1 less file in the repo and not having to figure out URL and SAS token for the pipeline.
I am able to base64 format the PFX file content with the follwoing commands at the PowerShell:
$Bytes = [System.IO.File]::ReadAllBytes("c:\tmp\mycert.pfx");
$Base64 = [System.Convert]::ToBase64String($Bytes);
And now I could copy-paste it into my PowerShell script with $Base64 = "D3AB.....ICB9A==";
But how to pass it to the Import-AzKeyVaultCertificate command in my script?
Is there some trick like echo $Base64 | Import-AzKeyVaultCertificate -FilePath - like in Linux for STDIN?
I'm following How to add a certificate to an Azure RM website with Powershell and trying to add a certificate with the following Powershell
New-AzureRmWebAppSSLBinding -ResourceGroupName MyResource -WebAppName mysite -Name www.contoso.com -CertificateFilePath "C:\Secure\mycert.pfx" -CertificatePassword plaintextPassword
But it's returning with
New-AzureRmWebAppSSLBinding : The specified network password is not correct.
However, if I use the Azure portal I can add the certificate successfully from the pfx file, so the password is definitely correct.
New-AzureRmWebAppSSLBinding : The specified network password is not correct.
As far as I know, the certificate will be added via REST when we execute New-AzureRmWebAppSSLBinding cmdlet. And I could see this request details if I specify -Debug parameter for New-AzureRmWebAppSSLBinding cmdlet.
And if I provide an incorrect value for -CertificatePassword, It returns the same error.
So please check the CertificatePassword again to make sure you provide the same value (the value of Certificate password input on Azure portal) for New-AzureRmWebAppSSLBinding cmdlet.
I know this is dated. However for anyone else that runs into the issue try the following.
-CertificatePassword "PlainTextPassword"
Don't forget to add the quotes.
To take it a step further, for the sake of security, you can pass in your certificate password via keyvault.
$vaultname = "keyvault"
$secrectname = "keyvaultsecret"
$resourcegroup = "resourcegroupname"
$webappname = "webappname"
$hostname = "example.com"
$secretsecurestring = Get-AzureKeyVaultSecret -
VaultName $vaultname -Name $secretname
$pfxpass = $secretsecurestring.SecretValueText
New-AzureRmWebAppSSLBinding -ResourceGroupName
$resourcegroup -WebAppName $webappname -
CertificateFilePath C:\Certificate.pfx -
CertificatePassword $pfxpass -Name $hostname
I am trying to crete a "secret value" using Azure Key Vault. I am following a tutorial from Microsoft located here ... https://azure.microsoft.com/en-us/documentation/articles/key-vault-get-started/
I was able to create a Key Vault using ...
New-AzureRmKeyVault -VaultName 'MyKeyVaultName' -ResourceGroupName 'MyResourceGroup' -Location 'West US'
I can also verify it was created by using ...
Get-AzureRmKeyVault
I am able to create the secret value by using the following ...
$secretvalue = ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force
However when I try to set the key ...
$secret = Set-AzureKeyVaultSecret -VaultName 'MyKeyVaultName' -Name 'SQLPassword' -SecretValue $secretvalue
I get an error that says
Set-AzureKeyVaultSecret : Operation "set" is not allowed
I thought that I had gained all access to the Key Vault by creating it? Do I need to add specific permissions?
Here is a screen capture of the error from powershell
Likely a permissions issue. Try the following:
Set-AzureRmKeyVaultAccessPolicy –VaultName ‘{your vault name}’ –UserPrincipalName ‘{your account email}’ –PermissionsToKeys all –PermissionsToSecrets all
The problem you are having is that you are not creating a key to attach a secret to, You need to call Add-AzureKeyVaultKey to create that key. Like this...
$vault = Get-AzureRmKeyVault
$secretvalue = ConvertTo-SecureString 'Pa$$w0rd' `
-AsPlainText -Force
$key = Add-AzureKeyVaultKey -VaultName $vault.VaultName `
-Name Test01 `
-Destination Software
(Get-AzureKeyVaultSecret -VaultName $vault.VaultName `
-Name test01).SecretValueText
which returns
Pa$$w0rd