如何从Azure导入证书？ [英] How to import certificate from Azure?

问题描述

我们通过 Azure 购买了证书，并希望在同一 VM 上使用它。
我们只需要 .pfx 文件。

We bought a certificate via Azure and would like to use it on same VM. We just need .pfx file.

我们几乎尝试了所有操作，并且遇到下一个错误：

We tried almost everything and we are getting next error:

您没有获得将证书保险柜分配给证书所需的服务基本信息
的权限，请使用
帐户登录，该帐户是订阅的所有者或
的管理员， Active Directory来配置密钥保管库设置。

"You do not have permission to get the service prinicipal information needed to assign a Key Vault to your certificate. Please login with an account which is either the owner of the subscription or an admin of the Active Directory to configure Key Vault settings."

但是我们有权限...

But we have permissions...

推荐答案

@Sasha，这里没有太多细节要讲，鉴于您已经尝试了所有方法，我不愿意指出显而易见的内容，但是错误消息非常清楚- 您无权获取所需的服务主体信息。

@Sasha, there are not a lot of details to go on here and I hate to state the obvious given you've tried everything, but the error message is pretty clear - "You do not have permission to get the service principal information needed".

一些需要澄清和检查的事情：

Some things to clarify and check:

1. 您是否购买了Azure应用服务证书？


2. 证书是否处于已发布状态？


3. 您是否以订阅所有者身份登录或所有者给了您？管理员访问其订阅？我相信，后者还不够好。


4. 您是否完成了三步验证过程？

1. Did you buy an Azure "App Service Certificate"?
2. Is the certificate in 'issued' status?
3. Are you logged in as the subscription owner or did the owner give you admin access to their subscription? The latter is not good enough, I believe.
4. Did you complete the three-step validation process?

如果已执行所有操作，则证书现在存储在Azure Key Vault中。创建Azure Key Vault时，启用对Azure虚拟机的访问以进行部署有一个高级访问策略选项（请参见图）。其帮助信息为：指定是否允许Azure虚拟机从密钥库中检索作为秘密存储的证书。

If you did all of that, your certificate is now stored in an Azure Key Vault. When you create an Azure Key Vault, there is an advanced access policy option to "Enable Access to Azure Virtual Machines for deployment" (see image). Its help info reads, "Specifies whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault."

由于您需要一个.pfx文件，因此以下是从MSDN博客中提取的示例PowerShell脚本来执行此操作。为下面的四个 $参数提供适当的值，并将脚本另存为copyasc.ps1。

That said, since you want a .pfx file, below is a sample PowerShell script extracted from MSDN blogs to do just that. Provide appropriate values for the four "$" parameters below and save the script as copyasc.ps1.

$appServiceCertificateName = ""
$resourceGroupName = ""
$azureLoginEmailId = ""
$subscriptionId = ""

Login-AzureRmAccount
Set-AzureRmContext -SubscriptionId $subscriptionId

$ascResource = Get-AzureRmResource -ResourceName $appServiceCertificateName -ResourceGroupName $resourceGroupName -ResourceType "Microsoft.CertificateRegistration/certificateOrders" -ApiVersion "2015-08-01"
$keyVaultId = ""
$keyVaultSecretName = ""

$certificateProperties=Get-Member -InputObject $ascResource.Properties.certificates[0] -MemberType NoteProperty
$certificateName = $certificateProperties[0].Name
$keyVaultId = $ascResource.Properties.certificates[0].$certificateName.KeyVaultId
$keyVaultSecretName = $ascResource.Properties.certificates[0].$certificateName.KeyVaultSecretName

$keyVaultIdParts = $keyVaultId.Split("/")
$keyVaultName = $keyVaultIdParts[$keyVaultIdParts.Length - 1]
$keyVaultResourceGroupName = $keyVaultIdParts[$keyVaultIdParts.Length - 5]
Set-AzureRmKeyVaultAccessPolicy -ResourceGroupName $keyVaultResourceGroupName -VaultName $keyVaultName -UserPrincipalName $azureLoginEmailId -PermissionsToSecrets get
$secret = Get-AzureKeyVaultSecret -VaultName $keyVaultName -Name $keyVaultSecretName
$pfxCertObject=New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @([Convert]::FromBase64String($secret.SecretValueText),"", [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
$pfxPassword = -join ((65..90) + (97..122) + (48..57) | Get-Random -Count 50 | % {[char]$_})
$currentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
[Environment]::CurrentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
[io.file]::WriteAllBytes(".\appservicecertificate.pfx", $pfxCertObject.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $pfxPassword))
Write-Host "Created an App Service Certificate copy at: $currentDirectory\appservicecertificate.pfx"
Write-Warning "For security reasons, do not store the PFX password. Use it directly from the console as required."
Write-Host "PFX password: $pfxPassword"

在PowerShell控制台中键入以下命令执行脚本：

Type the following commands in PowerShell console to execute the script:

Powershell –ExecutionPolicy Bypass
.\copyasc.ps1

执行脚本后，您将在当前目录中看到一个名为 appservicecertificate.pfx的新文件。这是受密码保护的PFX，PowerShell控制台将显示相应的密码。

Once the script is executed, you would see a new file in the current directory called ‘appservicecertificate.pfx’. This is a password protected PFX, the PowerShell console would display the corresponding password.

这篇关于如何从Azure导入证书？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！