You cannot download a key in the form of a cert file (whether it is .pem or .pfx) from Azure Key Vault once the cert is uploaded to the Keys store. Keys in Azure Key Vault are used purposely for signing/encrypting/decrypting operations. The returned JSON is in the format of a JWT (JSON Web Token), which only contains the public part of your stored key. This basically means converting the output to the form of PEM or X.509 is not possible.
Using Keys, you can back up your key, but the backup is also protected inside Azure Key Vault, and you have no way to retrieve or request the key body content. The backup is helpful in case you lose the key and want to recover it.
(This might not be in the scope of the question, but I'd love to introduce it.)
If you upload your certificate into the Certificates store, you can only export the CER contents of the X.509 certificate and generate a .cer file. You cannot export the entire key including the private key.
If you upload your certificate (say a .pfx file) to Azure Key Vault in the form of a secret, you can download it to your client programmatically using one of the ways below:
- Use GetSecretAsync()
- Call the Key Vault REST API
Both ways require the secret identifier and an access token (which Azure Active Directory gives you). You will then need to convert the returned value from Base64 to bytes and write it to your client in the form of a .pfx file.
Below is the sample code where I used HttpClient in asynchronous mode to generate my uploaded PFX file (from the Secrets store):
    using System;
    using System.IO;
    using System.Net.Http;
    using System.Threading.Tasks;
    using Newtonsoft.Json.Linq;

    // client must have BaseAddress set to the vault URL (https://<vault-name>.vault.azure.net)
    // and a Bearer access token from Azure Active Directory in its Authorization header.
    public static async Task<string> GetSecret(HttpClient client)
    {
        string url = "/secrets/cert01?api-version=2016-10-01";
        using (var httpResponse = await client.GetAsync(url))
        {
            httpResponse.EnsureSuccessStatusCode();
            string responseContent = await httpResponse.Content.ReadAsStringAsync();
            JObject jsonKv = JObject.Parse(responseContent);
            // "value" holds the uploaded PFX as a Base64 string
            string secretBody = jsonKv["value"].ToString();
            return secretBody;
        }
    }

    public static async Task ExportPfx(HttpClient client)
    {
        string filePath = @"test02.pfx";
        var key = await GetSecret(client);
        // The secret value is Base64-encoded binary: decode it rather than
        // re-encoding the string as UTF-16 text, which would not be a valid PFX.
        byte[] pfxBytes = Convert.FromBase64String(key);
        using (FileStream sourceStream = new FileStream(filePath, FileMode.Create, FileAccess.Write, FileShare.None, bufferSize: 4096, useAsync: true))
        {
            await sourceStream.WriteAsync(pfxBytes, 0, pfxBytes.Length);
        }
    }
After the certificate is exported, import it into your local machine and verify that it has the same thumbprint and other specs.
Note: the exported certificate (as a secret) from Key Vault has no password even if you set one when uploading it to the Secrets store.
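As an added example (not part of this answer), the thumbprint check described above done in code: it takes the JSON body returned by the secrets endpoint, decodes the Base64 value to PFX bytes, loads them with the empty password that Key Vault leaves on the blob, and compares the thumbprint against one you already know. It assumes the secret carries contentType application/x-pkcs12 (Key Vault sets this when a PFX is uploaded; a manually set secret may have none) and that the expected thumbprint comes from the portal.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Newtonsoft.Json.Linq;

public static class KeyVaultPfxCheck
{
    // responseJson: body returned by GET {vault}/secrets/{name}?api-version=2016-10-01
    public static byte[] DecodeSecretAsPfx(string responseJson)
    {
        JObject json = JObject.Parse(responseJson);

        // Assumption: a PFX stored as a secret is tagged application/x-pkcs12.
        // If a content type is present and says otherwise, refuse to write a
        // plain-text secret out to disk under a .pfx name.
        string contentType = (string)json["contentType"];
        if (contentType != null &&
            !string.Equals(contentType, "application/x-pkcs12", StringComparison.OrdinalIgnoreCase))
        {
            throw new InvalidOperationException(
                $"Secret is not a PKCS#12 blob (contentType: {contentType}).");
        }

        // The value is Base64 of the original PFX bytes, not text to re-encode.
        return Convert.FromBase64String((string)json["value"]);
    }

    // expectedThumbprint: SHA-1 hex thumbprint you recorded before the upload.
    public static bool VerifyPfx(byte[] pfxBytes, string expectedThumbprint)
    {
        // Empty password: Key Vault strips the import password from the secret.
        // EphemeralKeySet keeps the private key in memory only (needs .NET 4.7.2+ / .NET Core 2.0+).
        using (var cert = new X509Certificate2(pfxBytes, string.Empty, X509KeyStorageFlags.EphemeralKeySet))
        {
            Console.WriteLine($"Subject:         {cert.Subject}");
            Console.WriteLine($"Thumbprint:      {cert.Thumbprint}");
            Console.WriteLine($"Has private key: {cert.HasPrivateKey}");

            // Both must hold: it is the certificate you expect and the private key came along.
            return cert.HasPrivateKey &&
                   string.Equals(cert.Thumbprint, expectedThumbprint, StringComparison.OrdinalIgnoreCase);
        }
    }
}
```

Call DecodeSecretAsPfx on the string that GetSecret returns (before writing it to test02.pfx) and pass the bytes to VerifyPfx; a false result means the downloaded blob is not the certificate you uploaded or lost its private key.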