0
votes

I have generated a wildcard certificate using Azure's App Service Certificate.

After this Azure asks you to configure the certificate in a KeyVault, and this is where I am getting stuck.

I have a Keyvault which is in the same region, same subscription, same resource group.

I have the necessary permissions to the key vault. I am a User Admin, Cert officer, Secrets officer, and contributor to the key vault.

This step is failing with an error:

Failed to link certificate with the selected Key Vault. Check below errors for more detail.

The Activity Log under App Service Certificate shows:

Operation Name: Add or Update Certificate

Status: Failed

Summary:

Operation name: Add or Update Certificate

Time stamp: Tue Jan 19 2021 07:10:46 GMT+1100 (Australian Eastern Daylight Time)

Event initiated by: xxxx

Error code: BadRequest

Message: The parameter keyVaultCsmId has an invalid value.

The JSON has the following important information:

    "authorization": {
        "action": "Microsoft.CertificateRegistration/certificateOrders/certificates/write",
        "scope": "/subscriptions/xxx/resourceGroups/yyyyyyy/providers/Microsoft.CertificateRegistration/certificateOrders/InternalWildCard/certificates/InternalWildCard"
    }

    "properties": {
        "statusCode": "BadRequest",
        "serviceRequestId": null,
        "statusMessage": "{\"Code\":\"BadRequest\",\"Message\":\"The parameter keyVaultCsmId has an invalid value.\",\"Target\":null,\"Details\":[{\"Message\":\"The parameter keyVaultCsmId has an invalid value.\"},{\"Code\":\"BadRequest\"},{\"ErrorEntity\":{\"ExtendedCode\":\"51008\",\"MessageTemplate\":\"The parameter {0} has an invalid value.\",\"Parameters\":[\"keyVaultCsmId\"],\"Code\":\"BadRequest\",\"Message\":\"The parameter keyVaultCsmId has an invalid value.\"}}],\"Innererror\":null}",
        "eventCategory": "Administrative",
        "entity": "/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.CertificateRegistration/certificateOrders/InternalWildCard/certificates/InternalWildCard",
        "message": "Microsoft.CertificateRegistration/certificateOrders/certificates/write",
        "hierarchy": "xxxx"
    }

Any help on this or direction you can provide will be really appreciated :)


2 Answers

0
votes

In Azure Key Vault, supported certificate formats are PFX and PEM.

• .pem file format contains one or more X509 certificate files.

• .pfx file format is an archive file format for storing several cryptographic objects in a single file, i.e. the server certificate (issued for your domain), a matching private key, and optionally an intermediate CA.

Certificates used by App Service first need to be converted to (and marked as) application/x-pkcs12. Re-importing the cert from a PFX file with the --password parameter (az keyvault certificate import), and after that importing it from the key vault to the web app, might help. You may refer to this blog, which might be helpful.

Also, check whether the cert and the Key Vault are in their original resource group.

Additional details: https://docs.microsoft.com/en-us/azure/key-vault/certificates/tutorial-import-certificate

https://azure.github.io/AppService/2016/05/24/Deploying-Azure-Web-App-Certificate-through-Key-Vault.html

0
votes

Stuff which I didn't mention in the original question:

  1. The existing key vault Permission Model is using RBAC for policies, which is in preview (Azure role-based access control (preview)).
  2. It has "Selected Networks" open and allows trusted MS networks.
  3. It already has another wildcard cert in it as a secret (different name).

I temporarily switched the Key Vault Permission Model to Vault access policy, and tried linking - and it worked.

Looks like a bug with the Permission Model using Azure RBAC.
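A preflight script covering the conditions raised across the thread, added here as an example and not code from either answer or from Azure: it reads the JSON that `az keyvault show --name <vault> -o json` prints and reports a malformed vault resource ID (the value App Service sends as keyVaultCsmId), a vault in a different subscription or resource group than the certificate order, the Azure RBAC permission model the asker had to switch away from, and Selected Networks without the trusted Microsoft services bypass. The vault document and subscription/resource-group values below are constructed placeholders; the property names are those of the Key Vault ARM resource as the CLI prints them.

```python
"""Preflight for linking an App Service Certificate to a Key Vault (added example).
Input: JSON from `az keyvault show --name <vault> -o json` (path in argv[1]),
otherwise the constructed SAMPLE_VAULT below."""
import json
import re
import sys

# Shape of a Key Vault ARM resource ID, i.e. the value App Service sends as keyVaultCsmId.
VAULT_ID_RE = re.compile(r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)"
                         r"/providers/Microsoft\.KeyVault/vaults/(?P<name>[^/]+)$", re.I)
SCOPE_RE = re.compile(r"^/subscriptions/([^/]+)/resourceGroups/([^/]+)/", re.I)


def parse_vault_id(vault_id):
    """Return (subscription, resource group, vault name), or None if malformed."""
    m = VAULT_ID_RE.match(vault_id or "")
    return (m["sub"], m["rg"], m["name"]) if m else None


def preflight(vault, cert_order_id):
    """Return findings for this vault document; an empty list means no known blocker."""
    findings = []
    parsed = parse_vault_id(vault.get("id"))
    if parsed is None:
        findings.append("vault id is not a well-formed Microsoft.KeyVault/vaults resource ID")
    else:
        order = SCOPE_RE.match(cert_order_id)
        if order and [s.lower() for s in order.groups()] != [s.lower() for s in parsed[:2]]:
            findings.append("vault and certificate order are in different subscription/resource group")
    props = vault.get("properties") or {}
    if props.get("enableRbacAuthorization"):
        findings.append("permission model is Azure RBAC; the asker could link only under vault access policy")
    acls = props.get("networkAcls") or {}
    if acls.get("defaultAction", "Allow").lower() == "deny" \
            and "azureservices" not in (acls.get("bypass") or "").lower():
        findings.append("Selected Networks is on without the trusted Microsoft services bypass")
    return findings


# Constructed sample mirroring the asker's vault (placeholder IDs): same scope as the order,
# RBAC model on, Selected Networks with the trusted-services bypass.
ORDER_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example"
            "/providers/Microsoft.CertificateRegistration/certificateOrders/InternalWildCard")
SAMPLE_VAULT = {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
                      "rg-example/providers/Microsoft.KeyVault/vaults/kv-example",
                "properties": {"enableRbacAuthorization": True,
                               "networkAcls": {"bypass": "AzureServices", "defaultAction": "Deny"}}}

if __name__ == "__main__":
    vault = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_VAULT
    for finding in preflight(vault, ORDER_ID):
        print("finding:", finding)
```

Run against the sample it reports only the RBAC permission model, which matches what the asker found; after `az keyvault update --name <vault> --enable-rbac-authorization false` the same check should come back empty.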