
Question: what do I need to do to get the Base64String of the entire certificate (including private key) in Powershell?

Case: On Windows, I have a certificate on my User store.

In Powershell I do the following:

$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -match "cert-subject" }
$certdata = [System.Convert]::ToBase64String($cert.RawData)
$str = ConvertTo-SecureString -String $certdata -AsPlainText -Force

Now in $str I find only the Public Key - the private key part is missing.

I am trying to upload $str as a secret in Azure KeyVault using:

Set-AzureKeyVaultSecret `
    -VaultName $VaultName `
    -Name $SecretName `
    -SecretValue $str `
    -ContentType 'application/x-pkcs12' `
    -Expires $cert.NotAfter `
    -NotBefore $cert.NotBefore

but the result is that this is a file that contains only the private key.

If I save the certificate manually from the local store and export the private key to a file, then use the Azure portal, I can upload the full cert pair.

Thx!

MaurGi

1 Answer

Answer partially from How to serialize and deserialize a PFX certificate in Azure Key Vault?.

Provided that you have the Certificate and Private Key installed in your Local User certificate store and you need to authenticate to Azure with it, there are a number of steps involved.

$VaultName = 'myVaultName'
$SecretName = 'mySecretName'

$pfxFilePath = "C:\Path_to_\Exported_Key.pfx"
$pfx_password = "yourpassword"
# Password to be used for the exported PKCS#12 file
$pfx_password_securestring = ConvertTo-SecureString -String $pfx_password -Force -AsPlainText
# Export (exportable) private key to portable pfx
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -match "cert-subject" }
$cert | Export-PfxCertificate -FilePath $pfxFilePath -Password $pfx_password_securestring

# Re-import the pfx with the Exportable flag so the collection can be
# re-exported as PKCS#12 bytes (certificate plus private key, empty password)
$flag = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
$collection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$collection.Import($pfxFilePath, $pfx_password, $flag)
$pkcs12ContentType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12
$clearBytes = $collection.Export($pkcs12ContentType)
$fileContentEncoded = [System.Convert]::ToBase64String($clearBytes)
$certsecret = ConvertTo-SecureString -String $fileContentEncoded -AsPlainText -Force
$secretContentType = 'application/x-pkcs12'

Set-AzureKeyVaultSecret `
    -VaultName $VaultName `
    -Name $SecretName `
    -SecretValue $certsecret `
    -ContentType $secretContentType `
    -Expires $cert.NotAfter `
    -NotBefore $cert.NotBefore

The certificate's private key in the CurrentUser certificate store needs to be exportable.

Iggy Zofrin

Ok thanks - this tells me it is not possible to retrieve it as a string (byte array) - I knew I could do this via a file, but I wanted to avoid it not to leave the certificate on the file system - thx. – MaurGi Jan 26 '18 at 15:42
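Added example, not code from the question, the answer or the linked post: the same base64 PKCS#12 secret built in memory straight from the store certificate, so no .pfx is written to disk. It assumes the private key is exportable (as the answer states); the `cert-subject` match and the vault/secret names are the page's placeholders.

```powershell
# Added example (not the answer's code): PKCS#12 base64 secret built in memory.
# Assumes the private key is exportable; names below are placeholders from the page.
$VaultName  = 'myVaultName'
$SecretName = 'mySecretName'

$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -match "cert-subject" -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key matched cert-subject." }

# Password that protects the PKCS#12 blob; prompted rather than hard-coded.
$pfxPassword = Read-Host -AsSecureString -Prompt "Password for the PKCS#12 blob"

# RawData (used in the question) is only the DER-encoded certificate and never
# holds the key. X509Certificate2.Export(Pkcs12, password) serialises the
# certificate together with its private key, with nothing written to disk.
$pkcs12Type = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12
$pfxBytes   = $cert.Export($pkcs12Type, $pfxPassword)
$pfxBase64  = [System.Convert]::ToBase64String($pfxBytes)

# Check before uploading: re-parse the blob and confirm the private key is inside.
$check = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxBytes, $pfxPassword)
if (-not $check.HasPrivateKey) { throw "PKCS#12 export did not include the private key." }
$check.Reset()

$certsecret = ConvertTo-SecureString -String $pfxBase64 -AsPlainText -Force
Set-AzureKeyVaultSecret `
    -VaultName $VaultName `
    -Name $SecretName `
    -SecretValue $certsecret `
    -ContentType 'application/x-pkcs12' `
    -Expires $cert.NotAfter `
    -NotBefore $cert.NotBefore

# Scrub the raw key bytes from this session once the upload has succeeded.
[Array]::Clear($pfxBytes, 0, $pfxBytes.Length)
```

If the key is not exportable, the Export call throws a CryptographicException instead of silently producing a certificate-only blob, which is the failure the question's RawData approach hides.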