failed to configure bitlocker as expected. Exception: Invalid provider type specified.
Category: azure disk encryption
Question
Christian Küver on Mon, 05 Dec 2016 14:53:14
Hi all,
I am trying to configure Azure Disk Encryption with a key encryption key as described here:
http://derekmartinorg.azurewebsites.net/easily-encrypt-your-azure-vms-with-keyvault/
and here:
https://blogs.msdn.microsoft.com/cloud_solution_architect/2016/01/04/easily-encrypt-your-azure-vms-with-keyvault/
Following both articles, I always get "failed to configure bitlocker as expected. Exception: Invalid provider type specified", regardless of how I created the certificate.
I tried:
- new-selfsignedcertificate
- self signed certificate via IIS
- makecert
Can anyone who got this to work successfully please describe exactly how to create the certificate? I can't find any detailed information from Microsoft.
Thanks.
regards,
ckuever
Replies
Vivek Bansod on Wed, 08 Aug 2018 06:33:24
Hi,
Can you try the PS script below? The first part creates the cert and service principal and the second uploads it to the key vault.
Let us know if it helps
# Script 1: create a self-signed certificate and a service principal that authenticates with it
$name            = 'testcert'
$applicationName = 'testapp'
$ResourceGroup   = ""
$applicationId   = ''

# 1. Sign in to your account
Write-Output "BEGIN STEP 1"
$account = Login-AzureRmAccount
Import-Module AzureRM.Resources
if ($account -eq $null) { throw "you must sign in to continue running this script" }
$SubscriptionId   = ""
$SubscriptionName = ""
if ($SubscriptionId -eq "") {
    # no subscription given: use the one of the current context
    $SubscriptionId = (Get-AzureRmContext).Subscription.Id
} else {
    Get-AzureRmSubscription -SubscriptionId $SubscriptionId | Select-AzureRmSubscription
    Set-AzureRmContext -SubscriptionId $SubscriptionId
}

# 2. Create self-signed certificate (KeySpec KeyExchange so the key can be used for encryption)
Write-Output "BEGIN STEP 2"
$thumbprint = (New-SelfSignedCertificate -DnsName "$name" -CertStoreLocation Cert:\CurrentUser\My -KeySpec KeyExchange).Thumbprint
$cert = Get-ChildItem -Path Cert:\CurrentUser\My\$thumbprint
New-Item -ItemType Directory -Path "C:\${name}" -Force | Out-Null
Export-Certificate -Cert $cert -FilePath "C:\${name}\${name}.cer" -Type CERT
$password = Read-Host -Prompt "Enter a password for the new .pfx certificate:" -AsSecureString
if ($password -eq $null -or $password.Length -eq 0) { throw "You must enter a password so the .pfx can be created" }
Export-PfxCertificate -Cert $cert -FilePath "C:\${name}\${name}.pfx" -Password $password

# 3. Create an X509Certificate object from the .pfx and retrieve the base64-encoded certificate value
Write-Output "BEGIN STEP 3"
$cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate -ArgumentList "C:\${name}\${name}.pfx", $password
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
$keyValue
$cert

# 4. Create an application in the directory with the certificate as its credential (reuse it if it already exists)
Write-Output "BEGIN STEP 4"
$azureApplication = Get-AzureRmADApplication -DisplayName "${applicationName}"
if ($azureApplication -eq $null) {
    $azureApplication = New-AzureRmADApplication -DisplayName "${applicationName}" -HomePage "https://${applicationName}" -IdentifierUris "https://${applicationName}" -CertValue $keyValue
}
$azureApplication.ApplicationId

# 5. Create service principal
Write-Output "BEGIN STEP 5"
$servicePrincipal = New-AzureRmADServicePrincipal -ApplicationId $azureApplication.ApplicationId
Get-AzureRmADServicePrincipal -ObjectId $servicePrincipal.Id

# 6. Assign role to application (Owner as in the original; scope it down with -ResourceGroupName where possible)
Write-Output "BEGIN STEP 6"
$NewRole = $null
$Retries = 0
while ($NewRole -eq $null -and $Retries -le 6) {
    # Sleep here for a few seconds to allow the service principal to become active (normally only takes a couple of seconds)
    Start-Sleep -Seconds 15
    New-AzureRmRoleAssignment -RoleDefinitionName Owner -ServicePrincipalName $servicePrincipal.ApplicationId -ErrorAction SilentlyContinue
    $NewRole = Get-AzureRmRoleAssignment -ServicePrincipalName $servicePrincipal.ApplicationId -ErrorAction SilentlyContinue
    $Retries++
}

# Verify the service principal can sign in with the certificate
$tenantId = $account.Context.Subscription.TenantId
Login-AzureRmAccount -ServicePrincipal -TenantId $tenantId -CertificateThumbprint $thumbprint -ApplicationId $azureApplication.ApplicationId

# Script 2: create the key vault and upload the .pfx to it
$SubscriptionId   = ""
$SubscriptionName = ""
$rgName           = "testrg"
$vaultName        = "TestVault"
$location         = ""
$certificateName  = "testcert"
$pfxFilePath      = "C:\$certificateName\$certificateName.pfx"
$password         = "test1"   # the .pfx password chosen in script 1 (a plain string because Invoke-AddCertToKeyVault expects one)

$account = Login-AzureRmAccount
Import-Module AzureRM.Resources
if ($account -eq $null) { throw "you must sign in to continue running this script" }
if ($SubscriptionId -eq "") {
    $SubscriptionId = (Get-AzureRmContext).Subscription.Id
} else {
    Get-AzureRmSubscription -SubscriptionId $SubscriptionId | Select-AzureRmSubscription
    Set-AzureRmContext -SubscriptionId $SubscriptionId
}

New-AzureRmResourceGroup -ResourceGroupName $rgName -Location $location -Force
New-AzureRmKeyVault -VaultName $vaultName -ResourceGroupName $rgName -Location $location -EnabledForDeployment

# Invoke-AddCertToKeyVault is not an AzureRM cmdlet; it comes from a helper module (e.g. ServiceFabricRPHelpers) that must be imported first
Invoke-AddCertToKeyVault -SubscriptionId $SubscriptionId -ResourceGroupName $rgName -Location $location -VaultName $vaultName -CertificateName $certificateName -Password $password -UseExistingCertificate -ExistingPfxFilePath $pfxFilePath

# Azure Disk Encryption needs the vault enabled for disk encryption as well, not only for deployment
Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -EnabledForDeployment -EnabledForTemplateDeployment -EnabledForDiskEncryption

# Alternative upload with the native Key Vault cmdlet (same .pfx and name as above)
$securepfxpwd = ConvertTo-SecureString -String $password -AsPlainText -Force   # password for the private key PFX certificate
$cer = Import-AzureKeyVaultCertificate -VaultName $vaultName -Name $certificateName -FilePath $pfxFilePath -Password $securepfxpwd
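The exception in the question is what .NET Framework's X509Certificate2.PrivateKey raises when a certificate's private key is held in a CNG key storage provider (the default for New-SelfSignedCertificate on current Windows) rather than a legacy CSP. The following check is an added example, not code from the thread: it creates the certificate in a legacy CSP and verifies the key type before the .pfx is exported; the certificate name is assumed, the -Provider parameter exists on the Windows 10 / Server 2016 version of New-SelfSignedCertificate, and it assumes Windows PowerShell 5.1 (.NET Framework).

```powershell
# Added diagnostic, not part of the original reply. Assumes Windows PowerShell 5.1 (.NET Framework),
# where X509Certificate2.PrivateKey throws "Invalid provider type specified" for a CNG-held key.
function Test-CertKeyProvider {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $cert = Get-Item -Path "Cert:\CurrentUser\My\$Thumbprint"
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }
    # RSACng means a key storage provider (CNG); RSACryptoServiceProvider means a legacy CSP
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    $legacyAccessorWorks = $true
    try {
        $null = $cert.PrivateKey        # the accessor that fails for CNG keys
    } catch {
        $legacyAccessorWorks = $false   # "Invalid provider type specified" surfaces here
    }
    [pscustomobject]@{
        Thumbprint          = $Thumbprint
        KeyImplementation   = $rsa.GetType().Name
        LegacyAccessorWorks = $legacyAccessorWorks
    }
}

# Create the certificate in a legacy CSP and confirm the key type before exporting the .pfx.
$name = 'testcert'   # assumed name, matching the reply above
$newCert = New-SelfSignedCertificate -DnsName $name -CertStoreLocation Cert:\CurrentUser\My `
    -KeySpec KeyExchange -KeyExportPolicy Exportable `
    -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider'
$result = Test-CertKeyProvider -Thumbprint $newCert.Thumbprint
$result
if (-not $result.LegacyAccessorWorks) {
    throw "Key is in a CNG provider ($($result.KeyImplementation)); re-create it with a legacy CSP."
}
```

Running Test-CertKeyProvider against the thumbprint of a certificate made without -Provider shows KeyImplementation RSACng and LegacyAccessorWorks False, which is the condition behind the error in the question.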