Azure Key Vault Certificates does not have the Private Key when retrieved via IKeyVaultClient.GetCertificateAsync


Problem description

I have 2 approaches to do the same thing, but Azure has deprecated the one that works, and the other method doesn't work.

The approach that works, but is deprecated:

I store my PFX in Azure Key Vault Secrets. (when I create the secret I see a warning stating that this feature is deprecated)

and use the following code to retrieve it to create my certificate:

        SecretBundle secret = await keyVaultClient.GetSecretAsync(keyVaultUrl, "MyCert-Secret");
        X509Certificate2Collection exportedCertCollection = new X509Certificate2Collection();
        exportedCertCollection.Import(Convert.FromBase64String(secret.Value));
        X509Certificate2 certFromSecret = exportedCertCollection.Cast<X509Certificate2>().Single(s => s.HasPrivateKey);

credits to this answer

I'm able to use this certificate to host and access my application successfully.

The approach that doesn't work, but I should be using:

I store my certificate in the Azure Key vault Certificates

and use the following code to retrieve it and create the X509Certificate2:

        CertificateBundle certificateBundle = await keyVaultClient.GetCertificateAsync(keyVaultUrl, "MyCert-Certificate");
        X509Certificate2 certFromCertificate = new X509Certificate2(certificateBundle.Cer);

The problem with this approach is that the certificate does not contain the private key. i.e. certFromCertificate.HasPrivateKey is false.

My Questions

Why does certFromSecret have the PrivateKey, while certFromCertificate doesn't?

How can I retrieve a certificate from the key vault, where I can create a X509Certificate2 object to host my application in Kestrel with UseHttps?

Solution

The 2nd part of @Adrian's answer explains the concepts around the Azure KV Certificates very well, and I have changed my code as below to get the full certificate including the private keys:

        SecretBundle secret = await kv.GetSecretAsync(keyVaultUrl, certName);
        X509Certificate2 certificate = 
                 new X509Certificate2(Convert.FromBase64String(secret.Value));

The trick was to use GetSecretAsync instead of GetCertificateAsync. Please refer to Adrian's SO answer to see why the secret had to be used to get the full certificate with Private keys.

Note that you should use the "Certificate identifier" property (URL with "/secrets/") from the Azure certificate's property page.
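The following is an added example, not code from the question or the accepted answer: it puts the two calls side by side to show why only the secret carries the private key, verifies that the secret really belongs to the certificate object, and wires the result into Kestrel. It assumes the legacy Microsoft.Azure.KeyVault `IKeyVaultClient` used on the page, the two-argument `GetSecretAsync(vaultUrl, name)` overload from the page, and a certificate whose secret has the default PKCS#12 content type.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.KeyVault.Models;

public static class KeyVaultCertLoader
{
    // Loads the certificate named certName, including its private key, from the vault
    // at keyVaultUrl. The caller's identity needs the "Get" permission on *secrets*;
    // certificate permissions alone are not enough for the second call below.
    public static async Task<X509Certificate2> LoadWithPrivateKeyAsync(
        IKeyVaultClient keyVaultClient, string keyVaultUrl, string certName)
    {
        // The certificate object only carries the public part (the DER .cer bytes);
        // the private key itself is stored as a Key Vault key and is never in .Cer.
        CertificateBundle bundle = await keyVaultClient.GetCertificateAsync(keyVaultUrl, certName);

        // Key Vault also exposes the certificate + private key as a PFX in the
        // secret of the same name, which is what the accepted answer reads.
        SecretBundle secret = await keyVaultClient.GetSecretAsync(keyVaultUrl, certName);
        if (secret.ContentType != "application/x-pkcs12")
            throw new InvalidOperationException(
                $"Expected a PKCS#12 secret, got content type '{secret.ContentType}'.");

        // Default storage flags are used on purpose: on Windows, Kestrel's TLS stack
        // (SChannel) cannot use a key loaded with X509KeyStorageFlags.EphemeralKeySet.
        var cert = new X509Certificate2(Convert.FromBase64String(secret.Value));
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("Secret did not contain the private key.");

        // Cross-check: the PFX from the secret must be the same certificate that the
        // certificate object describes. Both expose the SHA-1 thumbprint.
        if (!cert.GetCertHash().SequenceEqual(bundle.X509Thumbprint))
            throw new InvalidOperationException("Secret and certificate thumbprints differ.");

        return cert;
    }
}

// Kestrel wiring, e.g. inside WebHost.CreateDefaultBuilder(args):
//   X509Certificate2 cert = await KeyVaultCertLoader.LoadWithPrivateKeyAsync(kv, keyVaultUrl, certName);
//   .UseKestrel(options => options.Listen(IPAddress.Any, 443, listen => listen.UseHttps(cert)))
```

If the certificate was created with a non-exportable private key policy, the secret cannot hand out the key and `HasPrivateKey` stays false; the check above turns that into an explicit error instead of a TLS handshake failure at runtime.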
