1
votes

I have VSTS library variable groups connected to my key vaults in Azure.

You can read more about it here: https://docs.microsoft.com/en-us/azure/devops/pipelines/library/variable-groups?view=vsts&tabs=yaml

In key vaults in Azure I have a list of secrets and list of certificates.

Example key vault secrets:

  • AppInsightsInstrumentationKey
  • CacheConnectionString

Example certificate:

  • GlobalCertificate

Now I can access these as variables in a release, using simple syntax:

  • $(GlobalCertificate)
  • $(AppInsightsInstrumentationKey)
  • $(CacheConnectionString)

My goal is to read the thumbprint of the certificate located in the variable $(GlobalCertificate). What's the way to get it?

1

1 Answers

3
votes

I know this is old but I found this article searching for the same thing and haven't been able to find a solution elsewhere.

I've been able to sort it out with PowerShell, but it's bizarre what's required considering we've already uploaded the PFX into the key vault. I also save my PFX passwords into Key Vault, but if you don't, substitute the variable in the $pwd line with your own value.

In the Azure DevOps pipeline, create a PowerShell task. The script is:

# Convert the secure password that's presented as plain text back into a secure string.
# Single quotes keep PowerShell from expanding $ or splitting on spaces in the substituted value.
$pwd = ConvertTo-SecureString -String '$(GlobalCertificate-Password)' -Force -AsPlainText

# Create the PFX file from the certificate variable (-Force overwrites a file left by an earlier run)
New-Item Temp-Certificate.pfx -Value '$(GlobalCertificate)' -Force

# Import the PFX certificate from the newly created file and password. Read the thumbprint into a variable
$Thumbprint = (Import-PfxCertificate -CertStoreLocation Cert:\CurrentUser\My -FilePath Temp-Certificate.pfx -Password $pwd).Thumbprint

# Delete the temporary PFX so the private key is not left in the agent's working directory
Remove-Item Temp-Certificate.pfx -Force

Write-Host $Thumbprint

# Rest of script below, or set an environment variable for the rest of the pipeline
Write-Host "##vso[task.setvariable variable=Thumbprint]$Thumbprint"
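
An alternative to the script above, as an added example that is not part of the original answer: it reads the thumbprint entirely in memory, so no PFX file is written and nothing is imported into Cert:\CurrentUser\My on the agent. It assumes the variable holds the base64-encoded PFX and that the agent runs .NET Framework 4.7.2+ or .NET Core; the function name Get-PfxThumbprint and the sample certificate are constructed for illustration.

```powershell
# Added example: read a PFX thumbprint in memory (no temp file, no cert store import).
function Get-PfxThumbprint {
    param(
        [Parameter(Mandatory)][string]$Base64Pfx,   # e.g. '$(GlobalCertificate)' in a pipeline task
        [string]$Password = ''                      # e.g. '$(GlobalCertificate-Password)'
    )
    $bytes = [System.Convert]::FromBase64String($Base64Pfx)
    $certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    # EphemeralKeySet keeps the private key out of the on-disk key store
    # (assumption: .NET Framework 4.7.2+ or .NET Core; not supported on macOS).
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
    $certs.Import($bytes, $Password, $flags)
    try {
        # A PFX may also carry chain certificates; the one with the private key is the leaf.
        $leaf = $certs | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
        if (-not $leaf) { throw 'No certificate with a private key found in the PFX.' }
        return $leaf.Thumbprint
    }
    finally {
        foreach ($c in $certs) { $c.Dispose() }
    }
}

# Constructed sample input: a throwaway self-signed certificate exported as base64 PFX.
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=constructed-sample', $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$now = [System.DateTimeOffset]::UtcNow
$sample = $req.CreateSelfSigned($now.AddMinutes(-5), $now.AddDays(1))
$samplePfx = [System.Convert]::ToBase64String(
    $sample.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, 'constructed-pw'))

$Thumbprint = Get-PfxThumbprint -Base64Pfx $samplePfx -Password 'constructed-pw'
if ($Thumbprint -ne $sample.Thumbprint) { throw 'Thumbprint mismatch' }

# Same logging command the answer uses to hand the value to later tasks.
Write-Host "##vso[task.setvariable variable=Thumbprint]$Thumbprint"
```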