Export Certificate as PKCS12/PFX Does Not Provide Passphrase Encoding
Export Certificate as PKCS12/PFX Does Not Provide Passphrase Encoding.
According to PCKS #12 we should have a password to protect the private key that is exported with the cert. Currently the key vault gives you a warning during export/download that no password is used, however it doesn't provide the capability to provide a passphrase.
Strangely enough the API Manager and other Azure Resources require imported certificates to have a passphrase. This makes the two services fairly incompatible.
It would be good if Certificates exported from KeyVaults have the option to protect the private key with a passphrase as per PKCS #12
it is unfortunately not the first time that I shake my head over the keyvault service, but this time...
for every Azure Service like Azure functions or Application gateway, you have to provide a password protected PFX. Which is good.
Therefore you create a protected PFX and opload it to keyvault, where the --password parameter gives you the oppotunity to specify the corresponding pass.
I thought, well the keyvault want to read all the informations from the pfx, so fine, i give the password.
but I was really astonished that when i downloaded the pfx with az keyvault secret download, the pfx was presented without password....
Also no hint in the documentation about that. well done MS.
the only solution is to encode the secured pfx with base64 and upload it as a secret. where you might end up with strange encoding behaviours etc...
Not only is this current design a hassle (as described in the below blog post), it poses clear security risks:
1. The PFX is downloaded in an unprotected state.
2. The user is forced to import the certificate to their local store before uploading it to another Azure resource.
I don't want this short-term exposure of a certificate critical to my service, let alone the responsibility to clean up the certificate from three locations on my machine after it's been uploaded.
I agree, exporting a private key without a passphrase is a security risk.
Customers can easily add a passphrase after the fact with OpenSSL.
Surely Microsoft can build that in to the export process before presenting the download.
Vengi Mutthineni commented
We need some quick fix for this...
1) I purchased azure certificate and stored in key valut
2) now i want to use this for "cloud service" classic web role
3) I can't access this certificate , and i have to download from KeyValut as "pfx"
4) while downloading pfx it didn't ask or prompt any password...
5) while uploading px it asks password, which does not make sense ...
6) this is crazy and poorly designed by MS. please fix this ASAP and provide a way to link purchased ssl certificate to "web role"
Kass Eisenmenger commented
Would be nice if this also included the ability to securely store the password used to import the cert as the export password automatically if it was uploaded with a password