
I created a self signed certificate in Azure Key Vault using the following method :

        // Uses Microsoft.Azure.KeyVault / Microsoft.Azure.KeyVault.Models.
        // this.client is an IKeyVaultClient; keyVaultUrl and testRootName are fields set elsewhere.
        public void CreateRootCertificate()
        {
            var certPolicy = new CertificatePolicy();
            certPolicy.Attributes = new CertificateAttributes();
            certPolicy.Attributes.NotBefore = DateTime.Now;
            certPolicy.Attributes.Expires = DateTime.Now.AddDays(1);
            // "Self" tells Key Vault to issue a self-signed certificate with a vault-generated key.
            certPolicy.IssuerParameters = new IssuerParameters()
            {
                Name = "Self",
            };
            // KeyProperties(exportable: true)
            certPolicy.KeyProperties = new KeyProperties(true);
            certPolicy.SecretProperties = new SecretProperties();
            certPolicy.X509CertificateProperties = new X509CertificateProperties()
            {
                Subject = "CN=testyMcTesterson",
            };
            // CreateCertificateAsync starts a long-running operation; Wait() only blocks until the request is accepted.
            var operation = this.client.CreateCertificateAsync(keyVaultUrl, testRootName, certPolicy);
            operation.Wait();
        }

Now after I create the self signed certificate, I'd like to sign other certificates using this one. The only caveat is, I'd like to do it without having to pull the private key out of key vault. Is this even possible? I've tried several permutations of the following method.

        public void CreateSignedCertificate()
        {
            var certPolicy = new CertificatePolicy();
            certPolicy.Attributes = new CertificateAttributes();
            certPolicy.Attributes.NotBefore = DateTime.Now;
            certPolicy.Attributes.Expires = DateTime.Now.AddDays(1);
            // IssuerParameters.Name refers to a Key Vault issuer object (a configured CA provider,
            // or the built-in "Self" / "Unknown" values), not to another certificate in the vault.
            // Passing a subject name here is what the service rejects with HTTP 400.
            certPolicy.IssuerParameters = new IssuerParameters()
            {
                Name = "CN=testyMcTesterson"
            };
            certPolicy.KeyProperties = new KeyProperties(true);
            certPolicy.SecretProperties = new SecretProperties();
            certPolicy.X509CertificateProperties = new X509CertificateProperties()
            {
                Subject = "CN=testyJunior",
            };
            var operation = this.client.CreateCertificateAsync(keyVaultUrl, "testyJunior", certPolicy);
            operation.Wait();
        }

This includes setting the issuer to "testyMcTesterson" without CN=, setting it to the key vault certificate identifier and the key vault secret. I'd like to set it up so only the .cer file of the signing cert will ever leave key vault. All of these throw a 400 exception saying the IssuerParameters.Name property is invalid. I realize I'm more than likely missing some EKUs on both the root and the client, but the problem I'm trying to address right now is finding out if this scenario is even feasible. The documentation on the IssuerParameters class is lacking.

Eddie D
  • Could you tell me what is "I'd like to do it without having to pull the private key out of key vault."? Is that you want to load .cert file from Azure key vault then use it to sign other certificates? – Jim Xu Oct 07 '19 at 03:02
  • I'd like to create and sign a client certificate using the key vault API without having to retrieve my signing cert from key vault. – Eddie D Oct 07 '19 at 15:34
  • Use Key vault API to create self signed cert, Use Key vault API to create client cert from self signed cert Self signed cert's private key would essentially never leave key vault – Eddie D Oct 07 '19 at 15:36
  • If you want to use Azure key vault cert to create client cert, please refer to https://stackoverflow.com/questions/51451902/azure-key-vault-certificates-does-not-have-the-private-key-when-retrieved-via-ik – Jim Xu Oct 08 '19 at 05:26
  • This explains how to create self signed certificate and how to pull the private key. – Eddie D Oct 08 '19 at 19:05
  • If you want to export the cert without private key, you can set `non-exportable` in your policy. For more details, please refer to https://learn.microsoft.com/en-us/azure/key-vault/about-keys-secrets-and-certificates#exportable-or-non-exportable-key. – Jim Xu Oct 09 '19 at 09:14
  • I'm not trying to export it. 1 . Use keyvault API to create a self signed cert 2. Use key vault to create a client cert using the cert from step one. I do not want the private key used for signing to leave key vault. – Eddie D Oct 09 '19 at 16:07
  • Could you tell what is "export" you said? I just want to tell you that If you set the policy, when you use the SDK to get the cert, the cert's value will not contain the private key then you can use the value to create a cert. – Jim Xu Oct 10 '19 at 02:31
  • This is possible but it's a manual procedure. You have to compute SHA256 digest of CSR information, then call the sign API from Key Vault: https://learn.microsoft.com/en-us/rest/api/keyvault/sign/sign, specifying the `RS256` algorithm. Once you get the signature, use that to assemble the final certificate. For more details, you can start at https://tools.ietf.org/html/rfc5280. However what you are asking is uncommon because your root self-signed certificate is not widely trusted. But I do see scenarios where this might be useful. – fernacolo Apr 24 '20 at 01:05
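The procedure sketched in the last comment (hash the to-be-signed structure, call the Key Vault sign API with `RS256`, assemble the final certificate) does not require hand-assembling DER in .NET: `CertificateRequest.Create` accepts a custom `X509SignatureGenerator`, so the signing step can be delegated to Key Vault while the framework builds the TBSCertificate and the outer certificate. The following is an added example, not code from the question, the comments, or the Azure SDK documentation. It uses the same `Microsoft.Azure.KeyVault` client the question uses and assumes the caller's access policy grants `get` on certificates and `sign` on keys, and that the root certificate's vault key is RSA. The leaf key pair is generated locally with `RSA.Create()` only to keep the example short; the issuer's private key is never read from the vault, only its public `.cer` and key identifier (`Kid`). The names `KeyVaultSignatureGenerator`, `KeyVaultCa` and `IssueClientCertificate` are this example's own.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.KeyVault.Models;

// Added example (hypothetical class): an X509SignatureGenerator that sends only a digest
// to Key Vault, so the issuer's private key never leaves the vault.
public sealed class KeyVaultSignatureGenerator : X509SignatureGenerator
{
    private readonly IKeyVaultClient client;
    private readonly string keyIdentifier;   // https://<vault>.vault.azure.net/keys/<name>/<version>
    private readonly RSA issuerPublicKey;    // public half only, taken from the issuer's .cer

    public KeyVaultSignatureGenerator(IKeyVaultClient client, string keyIdentifier, RSA issuerPublicKey)
    {
        this.client = client;
        this.keyIdentifier = keyIdentifier;
        this.issuerPublicKey = issuerPublicKey;
    }

    // SubjectPublicKeyInfo of the issuer, needed by the framework to encode the certificate.
    protected override PublicKey BuildPublicKey() =>
        CreateForRSA(issuerPublicKey, RSASignaturePadding.Pkcs1).PublicKey;

    // The AlgorithmIdentifier (sha256WithRSAEncryption) depends only on padding and hash,
    // so the built-in RSA generator can encode it from the public key alone.
    public override byte[] GetSignatureAlgorithmIdentifier(HashAlgorithmName hashAlgorithm) =>
        CreateForRSA(issuerPublicKey, RSASignaturePadding.Pkcs1).GetSignatureAlgorithmIdentifier(hashAlgorithm);

    // data is the DER-encoded TBSCertificate. Key Vault's RS256 takes the 32-byte SHA-256
    // digest and applies PKCS#1 v1.5 signing with the vault-held key.
    public override byte[] SignData(byte[] data, HashAlgorithmName hashAlgorithm)
    {
        if (hashAlgorithm != HashAlgorithmName.SHA256)
            throw new NotSupportedException("Only SHA-256 (RS256) is wired up in this example.");

        byte[] digest;
        using (var sha = SHA256.Create())
            digest = sha.ComputeHash(data);

        KeyOperationResult result = client.SignAsync(keyIdentifier, "RS256", digest).GetAwaiter().GetResult();
        return result.Result;
    }
}

public static class KeyVaultCa
{
    // Issues a client-auth certificate for leafKey, signed by the vault-held root key.
    public static X509Certificate2 IssueClientCertificate(
        IKeyVaultClient client, string keyVaultUrl, string rootCertName, RSA leafKey, string leafSubject)
    {
        // Only the public certificate (.cer) and the key identifier leave the vault.
        CertificateBundle root = client.GetCertificateAsync(keyVaultUrl, rootCertName).GetAwaiter().GetResult();
        var rootCert = new X509Certificate2(root.Cer);
        RSA rootPublic = rootCert.GetRSAPublicKey();
        var generator = new KeyVaultSignatureGenerator(client, root.Kid, rootPublic);

        var request = new CertificateRequest(
            new X500DistinguishedName(leafSubject), leafKey, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        request.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, true));
        request.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, true));
        request.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(
            new OidCollection { new Oid("1.3.6.1.5.5.7.3.2") }, false)); // id-kp-clientAuth
        request.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(request.PublicKey, false));

        // Random positive serial number (RFC 5280 requires a positive integer of at most 20 octets).
        byte[] serial = new byte[16];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(serial);
        serial[0] &= 0x7F;

        DateTimeOffset notBefore = DateTimeOffset.UtcNow.AddMinutes(-5);
        X509Certificate2 leaf = request.Create(
            rootCert.SubjectName, generator, notBefore, notBefore.AddDays(1), serial);

        // Attach the leaf's private key so the result can be used for client authentication.
        return leaf.CopyWithPrivateKey(leafKey);
    }
}

// Usage (assumed names): var leaf = KeyVaultCa.IssueClientCertificate(client, keyVaultUrl, "testyRoot", RSA.Create(2048), "CN=testyJunior");
```

The only call that touches the root's private key is `SignAsync`, and it is given a digest, not the certificate or the key, so the "private key never leaves Key Vault" property holds by construction; it also means the identity calling this code needs no `get` permission on keys or secrets, only `sign`, which is the least-privilege shape to put in the access policy. If the leaf key should also be vault-generated, the same generator can sign a CSR obtained from Key Vault instead of a locally generated key; that part is not shown here.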

0 Answers