0
votes

I use the approach for taking a certificate in a Docker container via managed identity as described in the Microsoft docs here (Example 1): https://docs.microsoft.com/en-us/azure/container-instances/container-instances-managed-identity#example-1-use-a-user-assigned-identity-to-access-azure-key-vault

When it was a certificate in PEM format, the output of the command:

curl https://mykeyvault.vault.azure.net/secrets/SampleSecret/?api-version=2016-10-01 -H "Authorization: Bearer $token"

was like:

{"value":"-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDBkelEEzvwXiaW\nX4sPt052w/5tahn6OAy+lasH4Lq1xvU/G+z9Ra0rBs2NGhPr7smu8iAxACfr74I5\nCHENM4kvmM{too many symbols}KkrjDMmf5Om\n-----END PRIVATE KEY-----\n-----BEGIN CERTIFICATE-----\nMIIDMDCCAhigAw{too many symbols}4GMgUQ==\n-----END CERTIFICATE-----\n","contentType":"application/x-pem-file","id":"myid","managed":true,"attributes":{"enabled":true,"nbf":1600276258,"exp":1631812858,"created":1600276858,"updated":1600276858,"recoveryLevel":"Recoverable+Purgeable"},"kid":"https://cert_url"}

and parsing it into cert.pem and private_key.pem files is easy.

But if it is in PKCS12 format, the output is just one string:

{"value":"MIIKPAIBAzCCCfwGCSqGSIb3DQEHAaCCCe0EggnpMIIJ5TCCBhYGCSqGSIb3DQEHA{only many symbols}8O3VaP5TOUaZMQ=","contentType":"application/x-pkcs12","id":"myid","managed":true,"attributes":{"enabled":true,"nbf":1600275456,"exp":1631812056,"created":1600276056,"updated":1600276056,"recoveryLevel":"Recoverable+Purgeable"},"kid":"https://cert_url"}

So I can't convert that string to cert.pem and private_key.pem files as explained above.

I put the value into the file cert.cer via:

curl https://testigorcert.vault.azure.net/secrets/SampleSecret/?api-version=2016-10-01 -H "Authorization: Bearer $token" | jq '.value' > cert.cer

and tried a command like:

openssl pkcs12 -in cert.cer -out cert.pem -nodes

Error:

139876006393152:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1130: 139876006393152:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:290:Type=PKCS12

Tried:

openssl pkcs12 -in cert.cer -nocerts -nodes -out key.pem

Error:

140021099644224:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1130: 140021099644224:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:290:Type=PKCS12

Tried:

openssl x509 -in cert.cer -text

Error:

139665046693184:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE

So, how can I convert this PKCS12-format certificate value into two files, cert.pem and private_key.pem?

2

2 Answers

0
votes

The problem was in the encoding of the downloaded string, because curl gets a .pfx string, BUT in ASCII encoding (it should be in base64). So I just used another way (Example 2): https://docs.microsoft.com/en-us/azure/container-instances/container-instances-managed-identity#example-2-use-a-system-assigned-identity-to-access-azure-key-vault

where I just download the certificate .pfx via the command:

az keyvault secret download --file cert.pfx --name {cert_name} --vault-name {vault_name} -e base64

and then convert it to the two needed files by:

openssl pkcs12 -in cert.pfx -nocerts -out key.rsa -nodes -passin pass:
openssl pkcs12 -in cert.pfx -clcerts -nokeys -out cert.crt -passin pass:
0
votes

Another (the best) option is to convert the cert to base64 format with an appropriate command like:

token=$(curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net' -H Metadata:true | jq -r '.access_token')

curl https://myvault.vault.azure.net/secrets/mycert/?api-version=2016-10-01 -H "Authorization: Bearer $token" | 
jq -r ".value" | base64 -d | openssl pkcs12 -nocerts -out /etc/ssl/private-key.pem -nodes -passin pass:

curl https://myvault.vault.azure.net/secrets/mycert/?api-version=2016-10-01 -H "Authorization: Bearer $token" | 
jq -r ".value" | base64 -d | openssl pkcs12 -clcerts -nokeys -out /etc/ssl/cert.pem -passin pass:
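The following Python script is an added example, not code from the question, either answer, or Microsoft's docs. It shows the two steps the answers rely on (read `.value` from the Key Vault secret response, then base64-decode it when `contentType` is `application/x-pkcs12`), splits a PEM-format value into the certificate and private-key files the question wants, and explains the `asn1_check_tlen:wrong tag` error from the question by looking at the first byte `openssl pkcs12 -in` would see. Both JSON responses below are constructed samples; the PKCS12 payload is a five-byte placeholder DER SEQUENCE, not a real PKCS12 archive, and the function names are this example's own.

```python
"""Decode an Azure Key Vault secret response into certificate material.

Constructed sample data: the responses mimic the shape of the question's
output, but the PKCS12 value is a placeholder DER SEQUENCE, not a real
archive, and the PEM value contains dummy body lines.
"""
import base64
import json
import re

# Placeholder DER: SEQUENCE { INTEGER 5 } == 30 03 02 01 05 (constructed).
P12_RESPONSE = json.dumps({
    "value": "MAMCAQU=",
    "contentType": "application/x-pkcs12",
    "id": "myid", "managed": True,
    "attributes": {"enabled": True},
    "kid": "https://example.invalid/placeholder",
})

PEM_RESPONSE = json.dumps({
    "value": "-----BEGIN PRIVATE KEY-----\nMIIEdummykeybody\n-----END PRIVATE KEY-----\n"
             "-----BEGIN CERTIFICATE-----\nMIIDdummycertbody\n-----END CERTIFICATE-----\n",
    "contentType": "application/x-pem-file",
    "id": "myid", "managed": True,
    "attributes": {"enabled": True},
    "kid": "https://example.invalid/placeholder",
})

# One PEM block; the backreference keeps BEGIN/END labels paired.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----\n?", re.S)


def decode_secret(response_text):
    """Return (content_type, raw_bytes) for a GET /secrets/<name> response.

    application/x-pem-file: .value is already the PEM text.
    application/x-pkcs12:   .value is base64 of the DER PKCS12 archive, so
                            it must be decoded before openssl sees it.
    """
    body = json.loads(response_text)
    ctype = body["contentType"]
    value = body["value"]
    if ctype == "application/x-pem-file":
        return ctype, value.encode()
    if ctype == "application/x-pkcs12":
        return ctype, base64.b64decode(value, validate=True)
    raise ValueError(f"unsupported contentType {ctype!r}")


def split_pem(pem_text):
    """Group concatenated PEM blocks by label, e.g. 'PRIVATE KEY', 'CERTIFICATE'."""
    blocks = {}
    for m in PEM_BLOCK.finditer(pem_text):
        blocks.setdefault(m.group(1), []).append(m.group(0))
    return {label: "".join(parts) for label, parts in blocks.items()}


def explain_first_byte(data):
    """Classify what 'openssl pkcs12 -in' would see from these bytes.

    A DER PKCS12 archive always starts with a SEQUENCE tag (0x30); anything
    else produces the question's 'asn1_check_tlen:wrong tag' error.
    """
    first = data[:1]
    if first == b"\x30":
        return "DER SEQUENCE: this is what openssl pkcs12 -in expects"
    if first == b'"':
        return "starts with a quote: jq was run without -r, JSON quoting is still there"
    if first.isalnum() or first in (b"+", b"/"):
        return "base64 text: pipe through base64 -d before openssl pkcs12"
    return "unrecognised: not DER"


def materials_from_response(response_text):
    """Return {filename: bytes} ready to write: PEM splits into two files,
    PKCS12 stays one .pfx for 'openssl pkcs12 -nocerts' / '-clcerts -nokeys'."""
    ctype, raw = decode_secret(response_text)
    if ctype == "application/x-pem-file":
        blocks = split_pem(raw.decode())
        return {"cert.pem": blocks.get("CERTIFICATE", "").encode(),
                "private_key.pem": blocks.get("PRIVATE KEY", "").encode()}
    return {"cert.pfx": raw}


if __name__ == "__main__":
    for name, data in materials_from_response(P12_RESPONSE).items():
        print(name, len(data), "bytes:", explain_first_byte(data))
    for name, data in materials_from_response(PEM_RESPONSE).items():
        print(name, data.decode().splitlines()[0])
    # What the question's 'jq .value' (no -r) and raw base64 look like to openssl:
    print(explain_first_byte(b'"MIIKPAIB'))
    print(explain_first_byte(b"MIIKPAIB"))
```

The diagnostic in `explain_first_byte` is the point of the example: the first byte of a real PKCS12 archive is 0x30, which is why its base64 form always begins with `M`; the question's `cert.cer` began with a `"` (jq without `-r`) followed by base64 text, neither of which is a DER tag, and that is exactly the "wrong tag" OpenSSL reported.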