无法“导入证书"在 PowerShell 中使用 API [英] Unable to "Import Certificate" using API in PowerShell

问题描述

我有一个自签名证书，我正在尝试将其导入 Azure Key Vault 证书，但我遇到了问题.我不是使用 Import-AzKeyVaultCertificate 命令，而是使用 API.

我能够通过 API 路由成功地创建一个密钥，但是我一生都无法导入证书.仅供参考，当我通过 Azure DevOps 管道执行此操作时它也可以使用，因此我知道服务原则不是问题.

这是我创建证书的方式(通过本地 PowerShell - 此处的所有示例都将是本地的，而不是用于 Azure DevOps):

$certroopath = "C:\cert"$location = "eastus"$vmName = "arsmpvm"$certname = "$vmName"$certpassword = "P@ssw0rd1234"$cert = New-SelfSignedCertificate -DnsName "$certname" -CertStoreLocation cert:\LocalMachine\My$pwd = ConvertTo-SecureString -String $certpassword -Force -AsPlainText$certwithThumb = "cert:\localMachine\my\"+$cert.Thumbprint$filepath = "$certroopath\$certname.pfx"导出-PfxCertificate -cert $certwithThumb -FilePath $filepath -Password $pwdRemove-Item -Path $certwithThumb

以下是我通过 POST 操作导入证书的方法:

$pfxcontent = Get-Content 'C:\cert\arsmpvm.pfx' -Encoding Byte$base64Stringpfxcontent = [System.Convert]::ToBase64String($pfxcontent)#有效载荷$json_new = '{"value": "$base64Stringpfxcontent","pwd": "$pwd",政策": {key_props":{可出口":真的，"kty": "RSA",key_size":2048，reuse_key":假},secret_props":{"contentType": "应用程序/x-pem-文件"}}}'$header = @{Authorization = "Bearer " + $token.access_token}Invoke-RestMethod -Method Post -Uri "https://$kvname.vault.azure.net/certificates/$certname/import?api-version=7.0" -Body $json_new -Headers $header -ContentType "application/json"

这是我抛出的错误:Invoke-RestMethod : {"error":{"code":"BadParameter","message":"指定的 PEM X.509 证书内容格式异常.请检查证书是否为有效的 PEM 格式."}}

即使我将 $base64Stringpfxcontent(在 $json_new 中)的值替换为它的内容，就像一个 3500 个字符的字符串，我也会遇到同样的问题.即使我将 $pwd 更改为其硬编码值，即 P@ssw0rd1234，我也会抛出相同的错误.

引用自:

解决方案

如果你在 '' 中使用了 $base64Stringpfxcontent 和 $pwd，它们将被识别为字符串而不是变量，并且来自

签入门户:

I have a self signed certificate that I am trying to import to Azure Key Vault Certificate, and I am facing issues. I am not doing it using the Import-AzKeyVaultCertificate command, but using the API.

I was successfully able to create a Key via the API route, but for the life of me, I am not able to Import a certificate. FYI, it also works when I do it over an Azure DevOps pipeline, so I know the Service Principle isn't the issue.

Here's how I am creating the certificate (over PowerShell locally - all examples here will be local and not for Azure DevOps):

$certroopath = "C:\cert"
$location = "eastus"
$vmName = "arsmpvm"
$certname = "$vmName"
$certpassword = "P@ssw0rd1234"

$cert = New-SelfSignedCertificate -DnsName "$certname" -CertStoreLocation cert:\LocalMachine\My
$pwd = ConvertTo-SecureString -String $certpassword -Force -AsPlainText
$certwithThumb = "cert:\localMachine\my\"+$cert.Thumbprint
$filepath = "$certroopath\$certname.pfx"
Export-PfxCertificate -cert $certwithThumb -FilePath $filepath -Password $pwd
Remove-Item -Path $certwithThumb 

Here's how I am importing the certificate over a POST operation:

$pfxcontent = Get-Content 'C:\cert\arsmpvm.pfx' -Encoding Byte
$base64Stringpfxcontent = [System.Convert]::ToBase64String($pfxcontent)

#The payload
$json_new = '{
  "value": "$base64Stringpfxcontent",
  "pwd": "$pwd",
  "policy": {
    "key_props": {
      "exportable": true,
      "kty": "RSA",
      "key_size": 2048,
      "reuse_key": false
    },
    "secret_props": {
      "contentType": "application/x-pem-file"
    }
  }
}'

$header = @{Authorization = "Bearer " + $token.access_token}
Invoke-RestMethod -Method Post -Uri "https://$kvname.vault.azure.net/certificates/$certname/import?api-version=7.0" -Body $json_new -Headers $header -ContentType "application/json"

Here's the error I am thrown: Invoke-RestMethod : {"error":{"code":"BadParameter","message":"The specified PEM X.509 certificate content is in an unexpected format. Please check if certificate is in valid PEM format."}}

Even if I replace the value of $base64Stringpfxcontent (in $json_new) to the content of it, which is like a 3500 char string, I get the same issue. Even if I change $pwd to its hard-coded value, which is P@ssw0rd1234, I am thrown the same error.

Reference taken from: https://docs.microsoft.com/en-us/rest/api/keyvault/importcertificate/importcertificate

Screenshot of the error:

解决方案

If you use the $base64Stringpfxcontent and $pwd in '', they will be recognized as string instead of variable, and from the doc, the pwd is string, you could not use a SecureString instead of it, you need to pass P@ssw0rd1234 directly to the request body.

Try the script below, it works fine on my side.

$kvname = "joykeyvault"
$certname = "testcer123"

$pfxcontent = Get-Content 'C:\Users\joyw\Desktop\arsmpvm.pfx' -Encoding Byte
$base64Stringpfxcontent = [System.Convert]::ToBase64String($pfxcontent)

$json_new = @{
  value= $base64Stringpfxcontent
  pwd= "P@ssw0rd1234"
  policy= @{
    secret_props= @{
      contentType= "application/x-pkcs12"
    }
  }
}

$json = $json_new | ConvertTo-Json

$header = @{Authorization = "Bearer " + $token.access_token}
Invoke-RestMethod -Method Post -Uri "https://$kvname.vault.azure.net/certificates/$certname/import?api-version=7.0" -Body $json -Headers $header -ContentType "application/json"

Check in the portal:

这篇关于无法“导入证书"在 PowerShell 中使用 API的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！