How can I create an X509Certificate2 object from an Azure Key Vault KeyBundle

Problem description

I am using Azure Key Vault to protect our keys and secrets, but I am unsure how I can use the KeyBundle I retrieve using the .net SDK. How can I create an X509Certificate2 object?

Recommended answer

When you import / create a certificate in KeyVault, 3 entities are created:

  • Certificate - contains all the relevant details about the certificate, including its public part (i.e. public key, validity period, thumbprint etc.)

  • Secret - contains the private key (which is the private part of the certificate) in base64

  • Key - I don't know, but irrelevant for this thread.

You could create X509Certificate2 object with either the Certificate object or the Secret object.

In case you want the X509Certificate2 to contain the private key, then of course you would need to fetch the Secret entity's value and do the following:

SecretBundle certificatePrivateKeySecretBundle =
    await keyVaultClient.GetSecretAsync(certificateIdentifierSecretPart);

byte[] privateKeyBytes = Convert.FromBase64String(certificatePrivateKeySecretBundle.Value);
X509Certificate2 certificateWithPrivateKey = new X509Certificate2(privateKeyBytes, (string) null, X509KeyStorageFlags.MachineKeySet);

The certificateIdentifierSecretPart equals the certificate's secret part path: https://<vault name>.vaults.azure.net/secrets/<certificate name>

Note the /secrets/ path.
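
An added example, not part of the original answer: both routes the answer mentions (Certificate entity for the public part, Secret entity for the private key) with the same Microsoft.Azure.KeyVault SDK, plus a content-type check and an in-memory key flag in place of MachineKeySet. The class and method names are hypothetical, and it assumes the certificate was stored as PKCS#12 with an exportable key.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.KeyVault.Models;

// Hypothetical helper class (the name is an assumption, not from the answer).
public static class KeyVaultCertificateLoader
{
    // Public part only: the Certificate entity (/certificates/ path) exposes the DER bytes in Cer.
    public static async Task<X509Certificate2> LoadPublicAsync(IKeyVaultClient client, string certificateIdentifier)
    {
        CertificateBundle bundle = await client.GetCertificateAsync(certificateIdentifier);
        return new X509Certificate2(bundle.Cer);
    }

    // With private key: the Secret entity (/secrets/ path), as in the answer.
    public static async Task<X509Certificate2> LoadWithPrivateKeyAsync(IKeyVaultClient client, string secretIdentifier)
    {
        SecretBundle secret = await client.GetSecretAsync(secretIdentifier);

        // Only a PKCS#12 secret is a single base64 blob; a PEM-format secret would fail in FromBase64String.
        if (!string.Equals(secret.ContentType, "application/x-pkcs12", StringComparison.OrdinalIgnoreCase))
            throw new NotSupportedException("Unexpected secret content type: " + secret.ContentType);

        byte[] pfxBytes = Convert.FromBase64String(secret.Value);
        try
        {
            // EphemeralKeySet keeps the private key in memory instead of writing it to a key store on disk.
            var certificate = new X509Certificate2(pfxBytes, (string)null, X509KeyStorageFlags.EphemeralKeySet);
            if (!certificate.HasPrivateKey)
            {
                certificate.Dispose();
                throw new InvalidOperationException("The secret did not yield a private key; check that the key is exportable.");
            }
            return certificate;
        }
        finally
        {
            // Clear the decoded PFX bytes once the certificate object has been built.
            Array.Clear(pfxBytes, 0, pfxBytes.Length);
        }
    }
}
```

EphemeralKeySet requires .NET Framework 4.7.2 or .NET Core 2.0 and later and is not supported on macOS. Where it is unavailable, the answer's MachineKeySet flag still loads the certificate but writes the private key to the machine key store on Windows, so dispose the certificate when it is no longer needed.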
