Question

valleydoofer on Tue, 15 May 2018 10:12:21


Morning All,

I am seeing some strange behaviour with a wildcard cert I have uploaded to Azure Key Vault that I'm hoping someone might be able to explain. We have a public cert and I have been testing our web application installed on some IaaS VMs. When I take our PFX and copy it to the IaaS VMs I can install this PFX no problem at all. I have the same PFX uploaded to Azure Key Vault. If I download the PFX from Azure Key Vault and upload it to my IaaS VM I cannot install it. I get the message that the password is incorrect. I've re-uploaded the PFX to Azure Key Vault and replaced the existing cert with this new version. If I then download it again, upload it to the IaaS VM and test, I get the same password issue. This tends to suggest that the process of uploading the PFX into Key Vault modifies it in some way.

Can anyone explain this behaviour? Is the cert being modified? Am I missing something in terms of how my IaaS VM should be interacting with Key Vault to retrieve the cert and leverage it within IIS?

Many thanks in advance

Chris




Replies

valleydoofer on Tue, 15 May 2018 14:29:12


Ok, I've kind of found the solution to this through a combination of articles. Firstly I found the following thread:

https://blogs.technet.microsoft.com/kv/2016/09/14/updated-deploy-certificates-to-vms-from-customer-managed-key-vault/

In my case the VMs already existed but the principles remain the same. I then used the following article to make the necessary amendments to the ARM template:

https://sameeraman.wordpress.com/2017/07/13/using-certificates-in-azure-key-vaults/

I now have a certificate deployed to my IaaS VMs. However, the question still remains as to why I cannot download a PFX file through the Azure Portal and manually import it onto an IIS web server. What is happening to the PFX file in the Key Vault that means this is not possible?

Thanks

Chris

Harun Davood on Thu, 24 May 2018 19:37:42


I am seeing this behavior as well. I uploaded my pfx to one keyvault. I then downloaded the same pfx from that keyvault and tried uploading it to a different keyvault and got the error suggesting that the password is incorrect.