Azure Key Vault下载带有私钥的证书
我正在尝试下载我在几个密钥库中的证书,包括它们的私钥。通过Azure Portal,我可以在没有问题的情况下进行操作,只需进入密钥库,选择证书并点击“PFX/PEM格式下载”。
由于我必须在几个钥匙库上重复相同的操作,我正在寻找一种自动化的方法来完成它。到目前为止,我得出以下结论:
$objCertificate = (Get-AzKeyVaultCertificate -VaultName <Key Vault> -Name <Certificate Name>).Certificate
$bytCertificate = $objCertificate.Export('pfx',<Password>)
$strCertificate = [System.Convert]::ToBase64String($bytCertificate)
$strPath = Join-Path $env:TEMP "$($objCertificate.Subject).pfx"
$bytCertificate | Set-Content -Path $strPath -Force -Encoding Byte
共有1个答案
为了获得私钥,您需要将其作为一个秘密(是的,这很奇怪),我在PowerShell中没有答案,但我希望下面的C#代码能给您一些如何实现的提示。
/// <summary>
/// Load a certificate (with private key) from Azure Key Vault
///
/// Getting a certificate with private key is a bit of a pain, but the code below solves it.
///
/// Get the private key for Key Vault certificate
/// https://github.com/heaths/azsdk-sample-getcert
///
/// See also these GitHub issues:
/// https://github.com/Azure/azure-sdk-for-net/issues/12742
/// https://github.com/Azure/azure-sdk-for-net/issues/12083
/// </summary>
/// <param name="config"></param>
/// <param name="certificateName"></param>
/// <returns></returns>
public static X509Certificate2 LoadCertificate(IConfiguration config, string certificateName)
{
string vaultUrl = config["Vault:Url"] ?? "";
string clientId = config["Vault:ClientId"] ?? "";
string tenantId = config["Vault:TenantId"] ?? "";
string secret = config["Vault:Secret"] ?? "";
Console.WriteLine($"Loading certificate '{certificateName}' from Azure Key Vault");
var credentials = new ClientSecretCredential(tenantId: tenantId, clientId: clientId, clientSecret: secret);
var certClient = new CertificateClient(new Uri(vaultUrl), credentials);
var secretClient = new SecretClient(new Uri(vaultUrl), credentials);
var cert = GetCertificateAsync(certClient, secretClient, certificateName);
Console.WriteLine("Certificate loaded");
return cert;
}
/// <summary>
/// Helper method to get a certificate
///
/// Source https://github.com/heaths/azsdk-sample-getcert/blob/master/Program.cs
/// </summary>
/// <param name="certificateClient"></param>
/// <param name="secretClient"></param>
/// <param name="certificateName"></param>
/// <returns></returns>
private static X509Certificate2 GetCertificateAsync(CertificateClient certificateClient,
SecretClient secretClient,
string certificateName)
{
KeyVaultCertificateWithPolicy certificate = certificateClient.GetCertificate(certificateName);
// Return a certificate with only the public key if the private key is not exportable.
if (certificate.Policy?.Exportable != true)
{
return new X509Certificate2(certificate.Cer);
}
// Parse the secret ID and version to retrieve the private key.
string[] segments = certificate.SecretId.AbsolutePath.Split('/', StringSplitOptions.RemoveEmptyEntries);
if (segments.Length != 3)
{
throw new InvalidOperationException($"Number of segments is incorrect: {segments.Length}, URI: {certificate.SecretId}");
}
string secretName = segments[1];
string secretVersion = segments[2];
KeyVaultSecret secret = secretClient.GetSecret(secretName, secretVersion);
// For PEM, you'll need to extract the base64-encoded message body.
// .NET 5.0 preview introduces the System.Security.Cryptography.PemEncoding class to make this easier.
if ("application/x-pkcs12".Equals(secret.Properties.ContentType, StringComparison.InvariantCultureIgnoreCase))
{
byte[] pfx = Convert.FromBase64String(secret.Value);
return new X509Certificate2(pfx);
}
throw new NotSupportedException($"Only PKCS#12 is supported. Found Content-Type: {secret.Properties.ContentType}");
}
}
}
-
因此,我正在通过 SAML2.0 为我们的应用程序实现 SSO。我们正在使用 saml2-js,并且我们正在执行 SP 启动的 SSO。 实现已经准备好了,它正在工作,但是有几个部分我还在纠结。 saml2-js要求您在ServiceProvider实例上提供私钥和证书-
-
这是个新手问题。我正在尝试使用以下方法加载.der证书: 有效吗?我如何在代码中得到它?
-
Auth0提供了两个JWT库,一个用于Node:Node jsonwebtoken,另一个用于Java:Java JWT。事实证明,JavaJWT不支持公钥/私钥对。 然而,另一个java库jjwt库声称支持该特性。但是,该文档没有显示如何在jjwt中使用自己的公钥/私钥对。 我创建了私有/公钥对,并在Node中成功地使用了node-jsonwebToken: 但是我发现在Java中用JWT无法做
-
我正在使用Mac上的ssh-keygen生成的公钥/私钥设置文件到服务器的SFTP传递。我生成的私钥看起来与代码库中的其他私钥不同(它没有标头,是“OpenSSH私钥”而不是“RSA私钥”)。
-
我试图用saml修改spring boot安全性的一个示例程序。https://github.com/vdenotaris/spring-boot-security-saml-sample.我从身份提供者那里获得了证书(.crt),并尝试创建一个示例密钥库(.jks),以在集成到应用程序之前测试我的连接性。我按照以下步骤创建证书。 创建密钥存储 当我试图列出我的密钥库时,我有一个私钥 列出密钥库
-
a.从存储区提取现有证书密钥: b.从导出的证书中提取私钥: 没有证书与私钥匹配 我错过了什么?为什么我的最后一个命令不合法? 我计划执行“keytool-importkeystore”文件。p12(应该在最后一步中生成)来替换“keystore”中的“一个”privateKeyEntry。正如在如何导入Java keystore中现有的x509证书和私钥以便在SSL中使用中所建议的?。基本上,我