Azure-cli: az keyvault command to download certificate private key?

Created on 14 Feb 2020 · 5 Comments · Source: Azure/azure-cli

Is there an Azure CLI command to download a certificate's private key? I've tried "az keyvault secret download" and "az keyvault certificate download" and both give me the certificate value.

I was able to download the certificate from the Portal in pem/pfx format but when I try to use openssl to split it, it asks for an import password which I don't have or know about.



KeyVault question

All 5 comments

Hi @bim-msft, could you please help take a look? Thanks.

@ynambiar Hi, for security concerns, there is no way to download/show a private key from Key Vault. Once it has been imported/created, it can only be used via internal ways.

Okay, thanks for the info @bim-msft

@ynambiar I got both the private and public key exported using the following. Worth noting: in my test the certificate in Key Vault had no password protection and was marked as exportable. The other key bits were using "az keyvault secret download", and in the vault URL, even though it's a certificate we are after, it must use "../secrets/.." instead of "../certificates/..":

az keyvault secret download --id https://.vault.azure.net/secrets/ --file certificate.pem
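The command above returns one file that holds both the key and the certificate, which is the "split" step the question asks about. The script below is an added example, not code from the thread or from azure-cli itself. It wraps the same `az keyvault secret download` call (the `--vault-name`, `--name`, `--file` and `--encoding` options are real azure-cli options; the vault and certificate names are placeholders) and adds a POSIX `awk` splitter that separates the PEM bundle into an owner-only private key file and a certificate-chain file. Which form the download takes depends on the secret's `contentType`: `application/x-pem-file` gives the PEM bundle handled here, while `application/x-pkcs12` gives a base64 PFX that `--encoding base64` decodes to raw bytes and that OpenSSL opens with an empty import password. The sample bundle is constructed for the demo and contains no real key material.

```shell
#!/bin/sh
# Added example (not from the issue thread or the azure-cli project).
# Key Vault stores a certificate's exportable private key behind the
# certificate's *secret*, so the download uses "az keyvault secret download".
# VAULT_NAME and CERT_NAME below are placeholders for the caller to replace.
set -e

# Download the certificate bundle for $2 from vault $1 into file $3.
# For a PKCS12 secret, --encoding base64 makes az write the raw PFX bytes.
download_bundle() {
  vault=$1 name=$2 out=$3
  ctype=$(az keyvault secret show --vault-name "$vault" --name "$name" \
            --query contentType -o tsv)
  if [ "$ctype" = "application/x-pkcs12" ]; then
    az keyvault secret download --vault-name "$vault" --name "$name" \
      --file "$out" --encoding base64
  else
    az keyvault secret download --vault-name "$vault" --name "$name" --file "$out"
  fi
  chmod 600 "$out"
}

# Split a PEM bundle ($1) into a private key file ($2) and a cert-chain file ($3).
# awk tracks which PEM block it is inside and routes each line to one output;
# every CERTIFICATE block (leaf and issuers) lands in the chain file.
split_pem_bundle() {
  bundle=$1 key_out=$2 cert_out=$3
  rm -f "$key_out" "$cert_out"
  awk -v key="$key_out" -v cert="$cert_out" '
    /^-----BEGIN .*PRIVATE KEY-----/ { out = key }
    /^-----BEGIN CERTIFICATE-----/   { out = cert }
    out != ""                        { print > out }
    /^-----END /                     { out = "" }
  ' "$bundle"
  chmod 600 "$key_out"                      # private key: owner read/write only
  [ -s "$key_out" ] && [ -s "$cert_out" ]   # fail if either half is missing
}

# Constructed sample bundle: dummy base64 filler, NOT a real key or certificate.
write_sample_bundle() {
  cat > "$1" <<'EOF'
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQgU0FNUExFIC0gTk9UIEEgUkVBTCBLRVk=
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0FNUExFIC0gTk9UIEEgUkVBTCBDRVJU
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0FNUExFIC0gSVNTVUVSIENFUlQ=
-----END CERTIFICATE-----
EOF
}

# Offline demo: split the constructed bundle and print the working directory.
# Real use: download_bundle VAULT_NAME CERT_NAME bundle.pem, then split it.
demo() {
  dir=$(mktemp -d)
  write_sample_bundle "$dir/bundle.pem"
  split_pem_bundle "$dir/bundle.pem" "$dir/key.pem" "$dir/chain.pem"
  printf '%s\n' "$dir"
}
```

Run `demo` to see the split on the constructed bundle; for a real vault call `download_bundle` first and point `split_pem_bundle` at the downloaded file. The chain file is what you hand to a web server, the key file stays owner-only on the host that needs it.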

@ynambiar @mattduguid I think this documentation pretty much sums up the behavior highlighted in the solution.
