I'm using Terraform to deploy a new certificate from Certbot for the application gateway of a website in Azure. In the past, replacing the certificate with a new one has worked fine. This time I got this error from Terraform:

│ Error: keyvault.BaseClient#RecoverDeletedCertificate: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="CertificateNotFound" Message="A certificate with (name/id) prod-cert-2023-03-002 was not found in this key vault. If you recently deleted this certificate you may be able to recover it using the correct recovery command. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125182"
│
│   with azurerm_key_vault_certificate.cert,
│   on key-vault.tf line 135, in resource "azurerm_key_vault_certificate" "cert":
│  135: resource "azurerm_key_vault_certificate" "cert"

Turns out that certbot is now returning ECDSA certificates by default: https://community.letsencrypt.org/t/ecdsa-certificates-by-default-and-other-upcoming-changes-in-certbot-2-0/177013

So, obviously, I could specifically ask Certbot to give me an RSA cert, but it seems a good idea to upgrade to the modern system.

Azure wants the certificate imported as PKCS#12:

openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out certificate.pfx -certfile chain.pem

Here's my key vault in terraform:

resource "azurerm_key_vault_certificate" "cert" {
  name         = var.key_vault_newcert_name
  key_vault_id = azurerm_key_vault.vmss.id

  certificate {
    contents = filebase64("certificate.pfx")
    password = ""
  }

  certificate_policy {
    issuer_parameters {
      name = "Unknown"
    }

    key_properties {
      curve      = "P-256"
      exportable = true
      key_size   = 256
      key_type   = "EC"
      reuse_key  = true
    }

    secret_properties {
      content_type = "application/x-pkcs12"
    }
  }

}

terraform apply is successful, and, through the web portal, I find the new certificate is there, but the Subject and SANs fields are empty/blank.

If I read the .pfx file:

openssl pkcs12 -in certificate.pfx -info -nodes

The subject looks correct:

subject=/CN=correctdomain.com

What gives?

Adam Winter
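The portal's Subject and SANs fields come from the certificate itself, so the first thing to confirm is that the leaf inside certificate.pfx actually carries them, and that the key in the bundle matches the key_properties declared in Terraform. The script below is an added example, not code from the question or its author: it builds a Certbot-style cert.pem/privkey.pem/chain.pem (a constructed P-256 leaf for example.test signed by a throw-away test CA standing in for the Let's Encrypt chain), exports them with the same openssl pkcs12 -export command as the question, then reads subject, SANs, key curve and chain length back out of the .pfx. The domain example.test, the test CA and the password changeit are assumptions; on a real host drop make_test_material and point the three paths at /etc/letsencrypt/live/<domain>/.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): pack a Certbot-style ECDSA
# cert/key/chain into PKCS#12 and read back what Key Vault will see.
# Assumed, not from the page: example.test, a throw-away test CA, password "changeit".
set -euo pipefail

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT          # private key material never outlives the run
DOMAIN="example.test"
PFX_PASS="${PFX_PASS:-changeit}"     # use an empty value to mirror password = "" in Terraform
PFX="$WORK/certificate.pfx"

# Constructed stand-in for /etc/letsencrypt/live/<domain>/: a P-256 leaf with a
# SAN extension, signed by a one-off test CA whose certificate plays chain.pem.
make_test_material() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/ca.key" -out "$WORK/chain.pem" -subj "/CN=Test CA" -days 1 2>/dev/null
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/privkey.pem"
  openssl req -new -key "$WORK/privkey.pem" -subj "/CN=$DOMAIN" -out "$WORK/leaf.csr"
  printf 'subjectAltName=DNS:%s,DNS:www.%s\n' "$DOMAIN" "$DOMAIN" > "$WORK/san.ext"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/chain.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/san.ext" -days 1 -out "$WORK/cert.pem" 2>/dev/null
}

# Same export as the question, but with the password given explicitly so the
# command never blocks on a prompt and the value is known to Terraform.
build_pfx() {
  openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/privkey.pem" \
    -certfile "$WORK/chain.pem" -out "$PFX" -passout "pass:$PFX_PASS"
}

# The leaf certificate only (the bag that carries localKeyID), as PEM.
pfx_leaf() {
  openssl pkcs12 -in "$PFX" -passin "pass:$PFX_PASS" -clcerts -nokeys 2>/dev/null
}

# Subject as an RFC 2253 DN, e.g. "CN=example.test": what the portal should show.
pfx_subject() {
  pfx_leaf | openssl x509 -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# SAN DNS names, e.g. "DNS:example.test, DNS:www.example.test".
pfx_sans() {
  pfx_leaf | openssl x509 -noout -ext subjectAltName | grep 'DNS:' | sed 's/^[[:space:]]*//'
}

# Curve of the private key, to compare with key_properties.curve in Terraform.
pfx_curve() {
  openssl pkcs12 -in "$PFX" -passin "pass:$PFX_PASS" -nocerts -nodes 2>/dev/null \
    | openssl pkey -noout -text | sed -n 's/^ *NIST CURVE: *//p'
}

# Number of CA certificates packed alongside the leaf (the chain.pem contents).
pfx_chain_count() {
  openssl pkcs12 -in "$PFX" -passin "pass:$PFX_PASS" -cacerts -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

make_test_material
build_pfx
printf 'subject: %s\nsans:    %s\ncurve:   %s\nchain:   %s CA cert(s)\n' \
  "$(pfx_subject)" "$(pfx_sans)" "$(pfx_curve)" "$(pfx_chain_count)"
```

Needs OpenSSL 1.1.1 or later (x509 -ext). If subject or SANs come back empty here, the bundle is the problem; if they come back correct, as they do in the question, the bundle is fine and the missing fields have to be chased on the import side. The curve line is the one to line up with curve = "P-256" and key_type = "EC" in the policy.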

1 Answer


terraform apply is successful, and, through the web portal, I find the new certificate is there, but the Subject and SANs fields are empty/blank.

I tried the code below to import a certificate from my local machine into Azure Key Vault, and the CN and SAN were visible as shown below:

Make sure you add subject and subject_alternative_names in your Terraform code when importing the certificate, like below:

    x509_certificate_properties {
      subject = "CN=silicon.com, SAN=silicon.com"

      subject_alternative_names {
        dns_names = [
          "silicon.com"
        ]
      }

      key_usage = [
        "digitalSignature"
      ]

      validity_in_months = 12
    }
  } # closes the enclosing certificate_policy block

Complete code:

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "3.10.0"
    }
  }
}

provider "azurerm" {
  features {
    key_vault {
      purge_soft_delete_on_destroy    = true
      recover_soft_deleted_key_vaults = true
    }
  }
}

resource "azurerm_key_vault" "example" {
  name                = "siliconkeyvault098765"
  location            = "Australia East"
  resource_group_name = "siliconrg98"
  sku_name            = "standard"
  tenant_id           = "<tenant-id>"
}

resource "azurerm_key_vault_certificate" "example" {
  name         = "silicon"
  key_vault_id = azurerm_key_vault.example.id

  certificate {
    contents = filebase64("C:/silicon.pfx")
    password = "siliconuser"
  }

  certificate_policy {
    issuer_parameters {
      name = "Self"
    }

    key_properties {
      exportable = true
      key_size   = 2048
      key_type   = "RSA"
      reuse_key  = false
    }

    secret_properties {
      content_type = "application/x-pkcs12"
    }

    x509_certificate_properties {
      subject = "CN=silicon.com, SAN=silicon.com"

      subject_alternative_names {
        dns_names = [
          "silicon.com"
        ]
      }

      key_usage = [
        "digitalSignature"
      ]

      validity_in_months = 12
    }
  }
}

Output:

[screenshot: terraform apply output]

CN and SAN are visible in the portal:

[screenshot: the imported certificate in the Key Vault portal, with Subject and Subject Alternative Names populated]

I exported the certificate on my local machine as a .pfx with a password, like below:

Go to certmgr > Certificates - Current User > Personal > Certificates > click on your imported certificate > All Tasks > Export > select "Yes, export the private key" > Personal Information Exchange > under Security, select Password and type your password > export the certificate to the desired location. In my scenario I exported it to the C drive.

[screenshots: the certmgr export wizard steps listed above]

Reference:

Terraform - How to attach SSL certificate stored in Azure KeyVault to an Application Gateway - Stack Overflow, by Anusman Bal

SiddheshDesai
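Applying the answer to the question's ECDSA certificate, as an added example that is not code from either post: the asker's resource with the x509_certificate_properties block filled in for an imported P-256 certificate. The domain example.test, the www SAN and var.pfx_password are assumptions. The subject is written as a plain DN, because a subject alternative name is an X.509 extension, not a relative distinguished name, so it does not belong in the subject string; the SAN list is where it goes.

```hcl
# Added example, not from the question or the answer. Assumed: domain
# example.test, a www SAN, and var.pfx_password holding the value passed to
# `openssl pkcs12 -export -passout` when certificate.pfx was built.
resource "azurerm_key_vault_certificate" "cert" {
  name         = var.key_vault_newcert_name
  key_vault_id = azurerm_key_vault.vmss.id

  certificate {
    contents = filebase64("certificate.pfx")
    password = var.pfx_password
  }

  certificate_policy {
    issuer_parameters {
      name = "Unknown" # issued outside Key Vault (Let's Encrypt via Certbot)
    }

    key_properties {
      key_type   = "EC"
      curve      = "P-256" # must match the curve of privkey.pem in the bundle
      key_size   = 256
      exportable = true
      reuse_key  = true
    }

    secret_properties {
      content_type = "application/x-pkcs12"
    }

    x509_certificate_properties {
      # Keep these in step with what openssl reports for the leaf in the .pfx.
      subject = "CN=example.test"

      subject_alternative_names {
        dns_names = ["example.test", "www.example.test"]
      }

      key_usage          = ["digitalSignature"]
      validity_in_months = 3 # Let's Encrypt certificates are issued for 90 days
    }
  }
}
```

Compare the subject and dns_names here against the output of openssl pkcs12 / openssl x509 on the same certificate.pfx before running terraform apply; a mismatch between the policy and the imported leaf is the first thing to rule out when the portal shows blank fields.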