KeyVault generated certificate with exportable private key


Problem description

I'm attempting to create a self signed certificate in KeyVault using the "Self" issuer.

# Build a policy for a self-signed certificate (issuer "Self"), valid for 12 months
$policy = New-AzureKeyVaultCertificatePolicy -SubjectName "CN=$($certificateName)" -IssuerName "Self" -ValidityInMonths 12

# Ask Key Vault to keep the private key exportable
$policy.Exportable = $true

# Start the certificate creation operation in the vault
Add-AzureKeyVaultCertificate -VaultName $vaultName -Name $certificateName -CertificatePolicy $policy

However, when getting the certificate back it doesn't appear to have a private key.

Creating certificates directly in KeyVault doesn't seem hugely covered online; after digging into the REST API documentation and source code for the PowerShell cmdlets, I'm stumped.

I'm hoping it's something simple I've missed, as I wish to avoid creating the certificate locally.

Recommended answer

If you'd like to retrieve your certificate along with its private key, then you can export it to a PFX file (with an empty password) on your disk via:

$vaultName = "my-vault-name"
$certificateName = "my-cert-name"
$pfxPath = [Environment]::GetFolderPath("Desktop") + "\$certificateName.pfx"

# The AKV-secret of the same name holds the full certificate as a base64-encoded PFX with no password
$pfxSecret = Get-AzureKeyVaultSecret -VaultName $vaultName -Name $certificateName
$pfxUnprotectedBytes = [Convert]::FromBase64String($pfxSecret.SecretValueText)

# Write the unprotected PFX (certificate plus private key) to disk
[IO.File]::WriteAllBytes($pfxPath, $pfxUnprotectedBytes)

If you'd like to view just the private key itself in-memory without writing to disk, then try:

$vaultName = "my-vault-name"
$certificateName = "my-cert-name"

# Fetch and decode the PFX held in the AKV-secret (no file is written)
$pfxSecret = Get-AzureKeyVaultSecret -VaultName $vaultName -Name $certificateName
$pfxUnprotectedBytes = [Convert]::FromBase64String($pfxSecret.SecretValueText)

# Load the PFX into an X509Certificate2 with an exportable private key
$pfx = New-Object Security.Cryptography.X509Certificates.X509Certificate2
$pfx.Import($pfxUnprotectedBytes, $null, [Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)

# $true = include the private parameters (D, P, Q, ...) in the output
$pfx.PrivateKey.ExportParameters($true)

which will show the private parameters in addition to the exponent and modulus.

If you'd like to protect the PFX file on disk with your own password (as per the "Retrieve pfx file & add password back" instructions in this blog post), then try:

$vaultName = "my-vault-name"
$certificateName = "my-cert-name"
$pfxPath = [Environment]::GetFolderPath("Desktop") + "\$certificateName.pfx"
$password = "my-password"

# Fetch and decode the unprotected PFX from the AKV-secret
$pfxSecret = Get-AzureKeyVaultSecret -VaultName $vaultName -Name $certificateName
$pfxUnprotectedBytes = [Convert]::FromBase64String($pfxSecret.SecretValueText)

# Load it with an exportable private key, then re-export as PKCS#12 under your own password
$pfx = New-Object Security.Cryptography.X509Certificates.X509Certificate2
$pfx.Import($pfxUnprotectedBytes, $null, [Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
$pfxProtectedBytes = $pfx.Export([Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $password)

# Only the password-protected PFX reaches the disk
[IO.File]::WriteAllBytes($pfxPath, $pfxProtectedBytes)

As mentioned in the REST API docs here and here, Azure Key Vault (AKV) represents a given X.509 certificate via three interrelated resources: an AKV-certificate, an AKV-key, and an AKV-secret. All three will share the same name and the same version; to verify this, examine the Id, KeyId, and SecretId properties in the response from Get-AzureKeyVaultCertificate.

Each of these 3 resources provides a different perspective for viewing a given X.509 cert:

  • The AKV-certificate provides the public key and cert metadata of the X.509 certificate. It contains the public key's modulus and exponent (n and e), as well as other cert metadata (thumbprint, expiry date, subject name, and so on). In PowerShell, you can obtain this via:
    (Get-AzureKeyVaultCertificate -VaultName $vaultName -Name $certificateName).Certificate

  • The AKV-key provides the private key of the X.509 certificate. It can be useful for performing cryptographic operations such as signing if the corresponding certificate was marked as non-exportable. In PowerShell, you can only obtain the public portion of this private key via:
    (Get-AzureKeyVaultKey -VaultName $vaultName -Name $certificateName).Key

  • The AKV-secret provides a way to export the full X.509 certificate, including its private key (if its policy allows for private key exporting). As demonstrated above, the current base64-encoded certificate can be obtained in PowerShell via:
    (Get-AzureKeyVaultSecret -VaultName $vaultName -Name $certificateName).SecretValueText
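As an added example (not part of the original answer), the following PowerShell function ties the three resources together: it reads the certificate policy, confirms that the AKV-certificate, AKV-key and AKV-secret share one version, loads the secret's PFX bytes in memory only, and reports whether a private key actually came back and whether its thumbprint matches the AKV-certificate. It assumes the same AzureRM cmdlets used above in an authenticated session, that `Get-AzureKeyVaultCertificatePolicy` is available, and the function name `Test-AkvCertificateExport` is chosen here.

```powershell
function Test-AkvCertificateExport {
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $CertificateName
    )

    # 1. The policy decides whether the AKV-secret will ever carry the private key.
    $policy = Get-AzureKeyVaultCertificatePolicy -VaultName $VaultName -Name $CertificateName
    if (-not $policy.Exportable) {
        Write-Warning "Policy for '$CertificateName' is non-exportable; the secret will hold the certificate only."
    }

    # 2. All three resources must share one name and one version (last path segment of each Id).
    $akvCert = Get-AzureKeyVaultCertificate -VaultName $VaultName -Name $CertificateName
    $version = ($akvCert.Id -split '/')[-1]
    foreach ($id in @($akvCert.KeyId, $akvCert.SecretId)) {
        if (($id -split '/')[-1] -ne $version) {
            throw "Version mismatch: $id does not match certificate version $version"
        }
    }

    # 3. Decode the AKV-secret in memory; the PFX it holds has an empty password.
    $secret = Get-AzureKeyVaultSecret -VaultName $VaultName -Name $CertificateName
    $bytes = [Convert]::FromBase64String($secret.SecretValueText)
    $pfx = New-Object Security.Cryptography.X509Certificates.X509Certificate2
    $pfx.Import($bytes, $null, [Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
    # Zero the decoded PFX bytes as soon as the certificate object exists.
    [Array]::Clear($bytes, 0, $bytes.Length)

    # 4. Report what actually came back, then release the in-memory key.
    $result = [pscustomobject]@{
        CertificateName   = $CertificateName
        Version           = $version
        PolicyExportable  = [bool]$policy.Exportable
        HasPrivateKey     = $pfx.HasPrivateKey
        ThumbprintMatches = ($pfx.Thumbprint -eq $akvCert.Certificate.Thumbprint)
        Subject           = $pfx.Subject
    }
    $pfx.Dispose()
    return $result
}

# Usage with constructed names (assumption: you are already logged in to Azure):
# Test-AkvCertificateExport -VaultName "my-vault-name" -CertificateName "my-cert-name"
```

HasPrivateKey being $false while PolicyExportable is $true indicates the certificate was created under an earlier, non-exportable policy version; the policy only applies to versions created after it was set.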

