Azure-cli: azure cli - download certificate as pfx format

Created on 4 Oct 2018  ·  7 Comments  ·  Source: Azure/azure-cli

az keyvault certificate download --file
[--encoding {DER, PEM}]
On the Azure web portal (also in PS) there is an option to download as pfx. Why is it missing in az cli then?



KeyVault


All 7 comments

You can do that today in two steps.

First, download the certificate with az keyvault secret download, which will download the raw PFX as Base64-encoded text. Then undo the Base64 encoding, and you have the binary PFX file.

I don't know why, but the certificate APIs only want to return the public part of the certificate, which is why az keyvault certificate download doesn't offer PFX as an option. If you download the certificate as a secret (even though it's not a secret), it downloads the raw PFX (with no password).

Go figure. 🤷‍♂️

Edit: You can specify --encoding base64 and it will un-encode it for you automatically.

@bradwilson :+1: thx, but there is still an inconsistent API between CLI and PowerShell (with Azure Portal).
IMHO at least it should be mentioned in the docs how to download pfx through CLI with your workaround.

My use case was getting the pfx from Key Vault and uploading it to an Azure APIM instance; we tried what @bradwilson has suggested and then uploaded the pfx via the REST API.

A catch is that in the APIM UI the password is mandatory; however, you can upload via the REST API with an empty password. Not sure if that is the best option, but that has worked.

My use case is:
Generate a pem with cert and key, then import it into Azure:
az keyvault certificate import --file certandkey.pem --name test --vault-name kevaulttest

When downloading from Azure:
az keyvault certificate download --vault-name kevaulttest -n test -f certificate.pem

Only the certificate comes back, with:

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

The private key is not shown in certificate.pem.

But when I download the secret, the private key + certificate comes.

This is just how these APIs work in Azure Key Vault. The "get certificate" API is only intended to permit access to the public part of the certificate; if you need access to the private key, then you request the certificate through the "get secret" API.

I had to use the cert in a Tomcat server. The problem was that the downloaded cert didn't contain the password, hence I had to import and then export the cert again with the password.

Here is the code:
# Download the secret (the raw PFX); --encoding base64 makes the CLI decode it
az keyvault secret download \
--file inputCert.pfx \
--vault-name MyKeyvault \
--encoding base64 \
--name inputCert \
2>&1 \
| tee -a "$SETUP_LOG"

echo "Converting downloaded cert to pem format"
# The downloaded PFX has an empty password; -nodes leaves the key unencrypted in temp.pem
openssl pkcs12 -in inputCert.pfx -out temp.pem -nodes -password pass:""

echo "Converting the cert with the password"
# Re-export cert + key as a PFX protected with the chosen password
openssl pkcs12 -export -out outputCert.pfx -in temp.pem -password pass:"yourpassword"

I import a pkcs12 certificate via the cli but cannot get it back?
Why use Key Vault for this at all?
I'm going to store my certs as blobs.
This is not a vault; if I put something into a vault I expect to get it back exactly as it was when I put it in.
