Getting pem file uploaded in Azure Key Vault Keys


Question

I have uploaded a pem file to Azure Key Vault Keys via the Azure portal and tried the function below to get the data, using "azure-keyvault": "^3.0.0-preview":

// client is a KeyVaultClient from the azure-keyvault package; vaultUri is the vault base URL.
// getKey takes no per-call options worth setting here (maxresults only applies to the list calls).
client.getKey(vaultUri, keyName, keyVersion, null, function (err, result) {
    if (err) throw err;

    // result.key is the JWK (kid, kty, keyOps, n, e ...); result.attributes the key metadata
    console.log(result, '-----------key-');
});

Result

{ key:
    { 
     kid: 'https://test.vault.azure.net/keys/test/1123123123lksldkf',
     kty: 'RSA',
     keyOps: [ 'sign', 'verify', 'wrapKey', 'unwrapKey', 'encrypt', 'decrypt' ],
     n: <Buffer  ... >,
     e: <Buffer > 
    },
    attributes: { enabled: true,
     created: 2016-02-09T08:48:27.000Z,
     updated: 2016-02-09T08:48:27.000Z,
     recoveryLevel: 'Purgeable'
    } 
} 

How can I download the pem file from the result? Any help is much appreciated. I'm pretty new to Azure Key Vault and am trying out a few things with keys, secrets and certificates.

Answer

You cannot download a key in the form of a cert file (whether .pem or .pfx) from Azure Key Vault once the cert has been uploaded to the Keys store. Keys in Azure Key Vault are used purposely for signing/encryption/decryption operations. The returned JSON is in the format of a JWT (JSON Web Token), which only contains the public part of your stored key. This basically means converting the output to PEM or X.509 form is not possible.

Using Keys, you can back up your key, but the backup is also protected inside Azure Key Vault, and you have no way to retrieve or request the key body content. The backup is helpful in case you lose the key and want to recover it.

(This might not be in scope of the question, but I'd love to introduce it.)

If you upload your certificate into the Certificates store, you can only export the CER contents of the X.509 certificate and generate a .cer file. You cannot export the entire key including the private key.

If you upload your certificate (say a .pfx file) to Azure Key Vault in the form of a secret, you can download it to your client programmatically in a few ways:

  • Use GetSecretAsync()
  • Call the Key Vault REST API

Both ways require the secret identifier and an access token (which Azure Active Directory gives you). You will then need to convert the returned value from Base64 to bytes and write it on your client in the form of a .pfx file.

Below is the sample code in which I used HttpClient in asynchronous mode to generate my uploaded PFX file (from the Secrets store):

    using System;
    using System.IO;
    using System.Net.Http;
    using System.Threading.Tasks;
    using Newtonsoft.Json.Linq;

    // client.BaseAddress must be the vault URI (https://<vault>.vault.azure.net) and
    // client.DefaultRequestHeaders.Authorization must carry the Azure AD bearer token.
    public static async Task<string> GetSecret(HttpClient client)
    {
        string url = "/secrets/cert01?api-version=2016-10-01";

        using (var httpResponse = await client.GetAsync(url))
        {
            httpResponse.EnsureSuccessStatusCode();
            string responseContent = await httpResponse.Content.ReadAsStringAsync();
            JObject jsonKv = JObject.Parse(responseContent);
            // "value" holds the Base64-encoded PFX bytes
            string secretBody = jsonKv["value"].ToString();
            return secretBody;
        }
    }

    public static async Task ExportPfx(HttpClient client)
    {
        string filePath = @"test02.pfx";

        string key = await GetSecret(client);
        // Decode the Base64 text to the raw PFX bytes; re-encoding the text
        // (e.g. Encoding.Unicode.GetBytes) would produce a file nothing can import.
        byte[] pfxBytes = Convert.FromBase64String(key);
        // FileMode.Create so a re-run overwrites instead of appending a second copy
        using (FileStream sourceStream = new FileStream(filePath, FileMode.Create, FileAccess.Write, FileShare.None, bufferSize: 4096, useAsync: true))
        {
            await sourceStream.WriteAsync(pfxBytes, 0, pfxBytes.Length);
        }
    }

After the certificate is exported, import it on your local machine and verify that it has the same thumbprint and other specs.

Note: the certificate exported (as a secret) from Key Vault has no password, even if you set one when uploading it to the Secrets store.
