I imported the following certificate into Azure Key Vault:
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgKlUqQnd/R70FJPSX
RLii3o7t0//f37fIVgU4fvI6SY6hRANCAAR5kpzf9KLuFMI1DYF+a/YXucDPdL+X
4zeflzyIDC0hjh149s+OUcRSfwoJbbvP/LgwZEPNdkzMGLOXnpoZ6JzO
-----END PRIVATE KEY-----
When I download the cert as PEM, the private key is changed:
az keyvault secret download --file "./text" --id https://myvault.vault.azure.net/secrets/sample/6d5505d2d0cd4d2285c80dc5a259c61c
I got a different private key:
-----BEGIN PRIVATE KEY-----
MIGiAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBHkwdwIBAQQgKlUqQnd/R70FJPSX
RLii3o7t0//f37fIVgU4fvI6SY6gCgYIKoZIzj0DAQehRANCAAR5kpzf9KLuFMI1
DYF+a/YXucDPdL+X4zeflzyIDC0hjh149s+OUcRSfwoJbbvP/LgwZEPNdkzMGLOX
npoZ6JzOoA0wCwYDVR0PMQQDAgCA
-----END PRIVATE KEY-----
Why is the private key changing? How can I get the same private key that I had imported?
According to the az command you provided, you imported the certificate as an Azure Key Vault secret.
If so, the certificate content you sent will be the same as the secret value you get.
As I have tested, when I import a cert as a secret and then retrieve it, I get the same secret value.
So, try to recreate a new secret and import again.
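An added check, not part of the question or the answer above: it parses the two PKCS#8 blocks from the question with a minimal DER reader and compares the raw EC private scalar. The two encodings differ in bytes because the downloaded copy also carries the curve parameters and a keyUsage attribute, while the scalar d itself is identical.

```python
import base64
# The two PKCS#8 PEM blocks from the question above (as imported, as downloaded).
KEY_IMPORTED = """-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgKlUqQnd/R70FJPSX
RLii3o7t0//f37fIVgU4fvI6SY6hRANCAAR5kpzf9KLuFMI1DYF+a/YXucDPdL+X
4zeflzyIDC0hjh149s+OUcRSfwoJbbvP/LgwZEPNdkzMGLOXnpoZ6JzO
-----END PRIVATE KEY-----"""
KEY_DOWNLOADED = """-----BEGIN PRIVATE KEY-----
MIGiAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBHkwdwIBAQQgKlUqQnd/R70FJPSX
RLii3o7t0//f37fIVgU4fvI6SY6gCgYIKoZIzj0DAQehRANCAAR5kpzf9KLuFMI1
DYF+a/YXucDPdL+X4zeflzyIDC0hjh149s+OUcRSfwoJbbvP/LgwZEPNdkzMGLOX
npoZ6JzOoA0wCwYDVR0PMQQDAgCA
-----END PRIVATE KEY-----"""

def pem_to_der(pem):
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)

def tlv(buf, pos):
    """Read one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                      # long-form length: next (ln & 0x7F) bytes
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + ln

def ec_private_scalar(pem):
    """Walk PrivateKeyInfo (PKCS#8) -> ECPrivateKey (RFC 5915) and return scalar d."""
    der = pem_to_der(pem)
    tag, p, _ = tlv(der, 0)            # PrivateKeyInfo SEQUENCE
    assert tag == 0x30
    p = tlv(der, p)[2]                 # skip version INTEGER
    p = tlv(der, p)[2]                 # skip privateKeyAlgorithm (id-ecPublicKey, curve)
    tag, p, _ = tlv(der, p)            # privateKey OCTET STRING wrapping ECPrivateKey
    assert tag == 0x04
    tag, p, _ = tlv(der, p)            # ECPrivateKey SEQUENCE
    assert tag == 0x30
    p = tlv(der, p)[2]                 # skip ECPrivateKey version INTEGER (1)
    tag, s, e = tlv(der, p)            # privateKey OCTET STRING: the raw scalar
    assert tag == 0x04
    return der[s:e]

def same_key(pem_a, pem_b):
    # True when both encodings carry the same private scalar, whatever else differs.
    return ec_private_scalar(pem_a) == ec_private_scalar(pem_b)

if __name__ == "__main__":
    print("DER identical:   ", pem_to_der(KEY_IMPORTED) == pem_to_der(KEY_DOWNLOADED))
    print("scalar identical:", same_key(KEY_IMPORTED, KEY_DOWNLOADED))
```

The same walk works for any P-256 key exported by Key Vault; only the trailing attributes and optional parameters vary between writers.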
Related
I would like to save a private key to Azure Key Vault. I'm able to get it working by specifying a file path to the private key, but not able to get it working using the value parameter in the CLI command.
I have an Octopus variable with the private key (sensitive text). I'm assigning the private key to a variable:
$privateKeyValue = $OctopusParameters["PrivateKey"]
The content of the variable is
-----BEGIN OPENSSH PRIVATE KEY-----
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBbBB
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc
-----END OPENSSH PRIVATE KEY-----
I then call the CLI command
az keyvault secret set --name $filename --vault-name $keyvaultname --value $privateKeyValue
but the only thing that is saved to the Azure Key Vault is the first line:
-----BEGIN OPENSSH PRIVATE KEY-----
How do I solve this issue, which seems pretty trivial?
A software system from a collaborating company needs to connect to one of our systems and authenticate against our Azure-B2C Directory. They would like to verify the signature in our JWT Token returned.
I have created an RSA public key using the approach described in this topic:
Azure AD B2C - Token validation does not work
This has resulted in the following RSA public key:
-----BEGIN RSA PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA959e/O3gE574tAdjfjE6
+6OgTBsTGGbDTHBn/w137OTKoH3MnbOX16rrfumVZOr2GisCtIwxJM8ziiqvG1Fj
*more key*
-----END RSA PUBLIC KEY-----
I've used this RSA public key to verify the signature of my token in jwt.io, and it works.
The collaborating company, however, needs a PEM certificate like this:
-----BEGIN CERTIFICATE-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA959e/O3gE574tAdjfjE6
+6OgTBsTGGbDTHBn/w137OTKoH3MnbOX16rrfumVZOr2GisCtIwxJM8ziiqvG1Fj
*more key*
-----END CERTIFICATE-----
Modifying the PEM header of my RSA public key does not work.
So now my question is: is it possible to convert my RSA public key to the appropriate certificate format? If yes, how?
I have a .crt file. Opening up that file, I see that it starts with
-----BEGIN CERTIFICATE-----
From this file, how do I generate these two files?
Certificate request file that starts with -----BEGIN CERTIFICATE REQUEST-----
Key file that starts with -----BEGIN PRIVATE KEY-----
You cannot.
You have the process backwards.
The order is:
Generate a key; it has in fact a public and a private part. That creates the "PRIVATE KEY" file.
Generate a CSR, that is, a certificate signing request. It is computed using the private key without including it, but it includes your public key and other metadata.
Give this CSR to a Certificate Authority, which will in turn give you back a certificate: something that includes your public key but is also signed by the CA's private key.
After that the CSR can be discarded.
If anyone could derive the private key from the certificate (which is basically the public key), then X.509 certificates would provide no security by authentication, as anyone would be able to impersonate any host/user/application.
I have a Python Flask app where I created a cert and key file using ssl and put that in the code as follows:
if __name__ == '__main__':
    context = ('cert.crt', 'keys.key')
    app.run('0.0.0.0', ssl_context=context, debug=True)
However, they are not valid. On the server where I have deployed the code there are two files, 'sslca-chain.der' and 'SSLCA-Chain.pem'. How do I use those in the code instead of the above?
The two files you have mentioned are the same thing (chain certificates), just in different formats.
It is best to configure a reverse proxy (like nginx) to handle the SSL stuff rather than include it in your flask application.
Python only handles PEM format files natively.
However, if you must, you need two files: the certificate file and the key file.
If you got your certificate from a third party CA, then they will provide you the certificate file.
The key file is always with you, and should be kept secret.
Since you have a certificate chain, you must provide a custom context to the application and include all the files in your chain, as the load_cert_chain method only takes one argument for the certificate file.
So, in short, what you have to do is:
Make sure your PEM file contains your server certificate.
Create a custom context with the PEM file and your key file.
Pass this custom context to Flask
A PEM file is just a text file that contains all the certificates in a specific order; the order is:
-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate)
-----END CERTIFICATE-----
The -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines are important and should be included.
Once you have verified that your PEM file contains your server certificate, here is how you would configure it for Flask:
import ssl
ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)  # use TLS to avoid POODLE
# certfile: the full chain (server, intermediate, root); keyfile: your private key
ctx.load_cert_chain('/path/to/sslca-chain.pem', '/path/to/server.key')
app.run('0.0.0.0', ssl_context=ctx, debug=True)
Sometimes I see users use a private key and passphrase to log in.
So, does it mean the public key is stored on the login server?
What's the purpose of the passphrase?
Yes, the server stores the public key, and the client stores the private key. A security feature to prevent stolen private keys from being useful to the thief is to encrypt them. The passphrase allows you to decrypt the private key to use it. Without the passphrase, the key is useless.
You know whether a key is encrypted generally by looking at the PEM header surrounding it. For example, a DSA private key encrypted with 3DES in PEM format might look like this:
-----BEGIN DSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,BF6892D860EC969F
<encrypted key data here>
-----END DSA PRIVATE KEY-----
Whereas an unencrypted DSA private key in PEM format would not have a header saying it's encrypted:
-----BEGIN DSA PRIVATE KEY-----
<unencrypted key data here>
-----END DSA PRIVATE KEY-----
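An added scanner, not from the answer above, that applies the header check just described to every block in a PEM file and reports which private keys are stored unencrypted. It goes beyond the legacy OpenSSL headers to also handle PKCS#8 "ENCRYPTED PRIVATE KEY" blocks and the OpenSSH key format, where the cipher name sits inside the base64 blob; the OpenSSH samples are constructed stubs containing only the fields the check reads.

```python
import base64, re
BLOCK_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----", re.S)

def classify_block(label, body):
    """Return 'encrypted', 'plaintext' or 'not a private key' for one PEM block."""
    if not label.endswith("PRIVATE KEY"):
        return "not a private key"
    if label == "ENCRYPTED PRIVATE KEY":          # PKCS#8: the ASN.1 itself says so
        return "encrypted"
    lines = body.strip().splitlines()
    headers = {}
    while lines and ":" in lines[0]:               # RFC 1421-style header lines
        key, value = lines.pop(0).split(":", 1)
        headers[key.strip()] = value.strip()
    if headers.get("Proc-Type", "").endswith("ENCRYPTED") and "DEK-Info" in headers:
        return "encrypted"                         # legacy OpenSSL "traditional" PEM
    if label == "OPENSSH PRIVATE KEY":             # cipher name is inside the blob
        raw = base64.b64decode("".join(lines))
        if not raw.startswith(b"openssh-key-v1\0"):
            raise ValueError("not an openssh-key-v1 blob")
        n = int.from_bytes(raw[15:19], "big")
        return "plaintext" if raw[19:19 + n] == b"none" else "encrypted"
    return "plaintext"

def scan_pem(text):
    """Classify every PEM block in a file's text: [(label, verdict), ...]."""
    return [(label, classify_block(label, body)) for label, body in BLOCK_RE.findall(text)]

def _openssh_stub(cipher):
    # Constructed sample: only the magic and cipher-name fields, enough for the check.
    blob = b"openssh-key-v1\0" + len(cipher).to_bytes(4, "big") + cipher
    return base64.b64encode(blob).decode()

# Constructed sample file: the two DSA blocks from the answer above plus two OpenSSH stubs.
SAMPLE = f"""-----BEGIN DSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,BF6892D860EC969F

<encrypted key data here>
-----END DSA PRIVATE KEY-----
-----BEGIN DSA PRIVATE KEY-----
<unencrypted key data here>
-----END DSA PRIVATE KEY-----
-----BEGIN OPENSSH PRIVATE KEY-----
{_openssh_stub(b'none')}
-----END OPENSSH PRIVATE KEY-----
-----BEGIN OPENSSH PRIVATE KEY-----
{_openssh_stub(b'aes256-ctr')}
-----END OPENSSH PRIVATE KEY-----"""
```

Run scan_pem over the text of each key file you hold; any "plaintext" verdict on a private key is one that should be re-encrypted with a passphrase.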