Question

Christian Küver on Mon, 05 Dec 2016 14:53:14


Hi all,

i try to configure azure disk encryption with key encryption key as described here:

http://derekmartinorg.azurewebsites.net/easily-encrypt-your-azure-vms-with-keyvault/

and here:

https://blogs.msdn.microsoft.com/cloud_solution_architect/2016/01/04/easily-encrypt-your-azure-vms-with-keyvault/

Following either article, enabling encryption always fails with "Failed to configure BitLocker as expected. Exception: Invalid provider type specified", regardless of how I created the certificate.

i tried:

  • new-selfsignedcertificate
  • self signed certificate via IIS
  • makecert

Can anyone who has got this to work please describe exactly how to create the certificate? I can't find any detailed information from Microsoft.

Thanks.

regards,

ckuever

Replies

Vivek Bansod on Wed, 08 Aug 2018 06:33:24


Hi,

Can you try the two PowerShell scripts below? The first creates the certificate and the service principal; the second creates the Key Vault and uploads the certificate to it.

Let us know if it helps

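#Script for Service Principal
#
# Creates a self-signed certificate, registers (or reuses) an Azure AD application
# that uses that certificate as its credential, creates the service principal,
# assigns it a role, and finally signs in as the service principal to prove the
# certificate works. Requires the AzureRM modules (Login-AzureRmAccount,
# *-AzureRmAD*, *-AzureRmRoleAssignment) and the PKI module (New-SelfSignedCertificate).
#
# SECURITY NOTES
#  - The .pfx written in step 2 IS the service principal's credential. Keep it out of
#    shared folders and source control, and delete it once it has been uploaded to
#    Key Vault. Its password is prompted for, never hard-coded.
#  - Step 6 assigns $roleName (Owner) on the whole subscription unless $ResourceGroup
#    is set, which is far more than Azure Disk Encryption needs (it needs WrapKey on
#    the key-encryption key and Set on secrets in one Key Vault). Narrow $roleName /
#    $ResourceGroup before using this outside a throw-away subscription.

$name            = 'testcert'   # certificate DNS name, and folder name under C:\
$applicationName = 'testapp'    # Azure AD application display name
$ResourceGroup   = ""           # if set, the role assignment is scoped to this resource group
$applicationId   = ''           # filled in step 4
$roleName        = 'Owner'      # see SECURITY NOTES

#1. Sign in to your account
Write-Output "BEGIN STEP 1"

Import-Module AzureRM.Resources
$account = Login-AzureRmAccount

if ($null -eq $account)
{
    throw "you must sign in to continue running this script"
}

$SubscriptionId   = ""
$SubscriptionName = ""

# Only switch context when a subscription id was supplied. The original script called
# Get-AzureRmSubscription with the (empty) id before this check, which fails.
if ($SubscriptionId -eq "")
{
    $SubscriptionId = (Get-AzureRmContext).Subscription.Id
}
else
{
    Set-AzureRmContext -SubscriptionId $SubscriptionId
}


#2.Create Self-signed Certificate
Write-Output "BEGIN STEP 2"

$outDir  = "C:\${name}"
$cerPath = "${outDir}\${name}.cer"
$pfxPath = "${outDir}\${name}.pfx"

# New-SelfSignedCertificate stores its key in the CNG "Microsoft Software Key Storage
# Provider" by default. "Invalid provider type specified" is the CryptographicException
# .NET raises when a CNG key is read through the legacy X509Certificate2.PrivateKey
# property, so asking for a CAPI (CSP) key is the usual fix for the error in the
# question. -Provider requires the PKI module shipped with Windows 10 / Server 2016
# or later; older versions have no such parameter.
$cert = New-SelfSignedCertificate -DnsName "$name" `
    -CertStoreLocation Cert:\CurrentUser\My `
    -KeySpec KeyExchange `
    -KeyExportPolicy Exportable `
    -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider"
$thumbprint = $cert.Thumbprint
Write-Output "Certificate thumbprint: $thumbprint"

# The original created C:\<name>\<name> but wrote the files one level up; create only
# the directory the files actually go into.
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

$password = Read-Host -Prompt "Enter a password for the new .pfx certificate:" -AsSecureString
# Read-Host -AsSecureString never returns $null; an empty entry is a zero-length
# SecureString, so test the length rather than comparing with $null.
if ($password.Length -eq 0)
{
    throw "You must enter a password so the .pfx can be created "
}

Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $password | Out-Null


#3. Create an X509Certificate object from your certificate and retrieve the key value
Write-Output "BEGIN STEP 3"

# Only the public certificate bytes (GetRawCertData) are sent to Azure AD; the private
# key stays in the certificate store and in the .pfx.
$x509     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $password)
$keyValue = [System.Convert]::ToBase64String($x509.GetRawCertData())


#4. Create an application in the directory with key values (reuse it if it already exists).
Write-Output "BEGIN STEP 4"

$azureApplication = Get-AzureRmADApplication -DisplayName "${applicationName}" | Select-Object -First 1
if ($null -eq $azureApplication)
{
    $azureApplication = New-AzureRmADApplication -DisplayName "${applicationName}" `
        -HomePage "https://${applicationName}" `
        -IdentifierUris "https://${applicationName}" `
        -CertValue $keyValue
}
else
{
    # An existing application knows nothing about the certificate just created; without
    # this the sign-in in step 7 fails with a credential error.
    New-AzureRmADAppCredential -ApplicationId $azureApplication.ApplicationId -CertValue $keyValue | Out-Null
}

$applicationId = $azureApplication.ApplicationId
Write-Output "ApplicationId: $applicationId"


#5. Create ServicePrincipal (reuse it if one already exists for this application)
Write-Output "BEGIN STEP 5"

$servicePrincipal = Get-AzureRmADServicePrincipal -ServicePrincipalName $applicationId -ErrorAction SilentlyContinue
if ($null -eq $servicePrincipal)
{
    $servicePrincipal = New-AzureRmADServicePrincipal -ApplicationId $applicationId
}

Get-AzureRmADServicePrincipal -ObjectId $servicePrincipal.Id


#6 Assign role to application
Write-Output "BEGIN STEP 6"

$assignArgs = @{ RoleDefinitionName = $roleName; ServicePrincipalName = $applicationId }
if ($ResourceGroup -ne "")
{
    # Least privilege: limit the assignment to one resource group instead of the subscription.
    $assignArgs['Scope'] = "/subscriptions/${SubscriptionId}/resourceGroups/${ResourceGroup}"
}

# A new service principal can take a few seconds to replicate, so retry the assignment
# until Get-AzureRmRoleAssignment can see it.
$NewRole = $null
$Retries = 0
while ($null -eq $NewRole -and $Retries -le 6)
{
    Start-Sleep -Seconds 15
    New-AzureRmRoleAssignment @assignArgs -ErrorAction SilentlyContinue
    $NewRole = Get-AzureRmRoleAssignment -ServicePrincipalName $applicationId -ErrorAction SilentlyContinue
    $Retries++
}

if ($null -eq $NewRole)
{
    throw "Role assignment for application $applicationId was not visible after $Retries attempts"
}


#7. Sign in as the service principal with the certificate to prove the credential works
Write-Output "BEGIN STEP 7"

# Read the tenant from the current context: Set-AzureRmContext above may have changed
# it since $account was captured.
$tenantId = (Get-AzureRmContext).Subscription.TenantId

Login-AzureRmAccount -ServicePrincipal -TenantId $tenantId -CertificateThumbprint $thumbprint -ApplicationId $applicationId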

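# Script 2: create a resource group and Key Vault, then upload the .pfx produced by
# script 1 into the vault. Requires AzureRM.Resources and AzureRM.KeyVault.
#
# SECURITY NOTES
#  - The .pfx password is prompted for (as a SecureString) rather than hard-coded;
#    the original had the literal 'test1' in two places.
#  - Azure Disk Encryption needs the vault flagged -EnabledForDiskEncryption, and the
#    AAD application from script 1 needs WrapKey on keys and Set on secrets in this
#    vault. Set $aadClientId to grant exactly that instead of a broad RBAC role.

$SubscriptionId   = ""
$SubscriptionName = ""

$rgName          = "testrg"
$vaultName       = "TestVault"
$location        = ""           # e.g. "westeurope" - must be filled in
$certificateName = "testcert"
$pfxFilePath     = "C:\$certificateName\$certificateName.pfx"
$aadClientId     = ""           # ApplicationId printed by script 1 (optional)

if ([string]::IsNullOrWhiteSpace($location))
{
    throw "Set `$location before running this script"
}
if (-not (Test-Path -LiteralPath $pfxFilePath))
{
    throw "PFX file not found: $pfxFilePath"
}

# Password for the private key in the .pfx - prompt, never store it in the script.
$securePfxPwd = Read-Host -Prompt "Enter the password of ${pfxFilePath}:" -AsSecureString
if ($securePfxPwd.Length -eq 0)
{
    throw "You must enter the .pfx password"
}

Import-Module AzureRM.Resources
Import-Module AzureRM.KeyVault
$account = Login-AzureRmAccount

if ($null -eq $account)
{
    throw "you must sign in to continue running this script"
}

# Only switch context when a subscription id was supplied; calling
# Get-AzureRmSubscription with an empty id fails before the check can run.
if ($SubscriptionId -eq "")
{
    $SubscriptionId = (Get-AzureRmContext).Subscription.Id
}
else
{
    Set-AzureRmContext -SubscriptionId $SubscriptionId
}

New-AzureRmResourceGroup -ResourceGroupName $rgName -Location $location -Force

# -EnabledForDiskEncryption is the flag Azure Disk Encryption checks; without it the
# encryption extension cannot use the vault even if everything else is in place.
New-AzureRmKeyVault -VaultName $vaultName -ResourceGroupName $rgName -Location $location `
    -EnabledForDeployment -EnabledForDiskEncryption

# Invoke-AddCertToKeyVault is not an AzureRM cmdlet; it comes from a helper script that
# must be dot-sourced before this point. Its -Password parameter type is not visible
# here, so a plain-text copy is derived only for this call - pass $securePfxPwd instead
# if the helper accepts a SecureString.
$plainPfxPwd = (New-Object System.Net.NetworkCredential('', $securePfxPwd)).Password
Invoke-AddCertToKeyVault -SubscriptionId $SubscriptionId -ResourceGroupName $rgName -Location $location `
    -VaultName $vaultName -CertificateName $certificateName -Password $plainPfxPwd `
    -UseExistingCertificate -ExistingPfxFilePath $pfxFilePath
$plainPfxPwd = $null

Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $rgName `
    -EnabledForDeployment -EnabledForTemplateDeployment -EnabledForDiskEncryption

if ($aadClientId -ne "")
{
    # The minimum the encryption extension needs on the vault when it authenticates
    # with the AAD application: wrap with the key-encryption key, write the BitLocker
    # secret. This replaces the need for any subscription-wide role.
    Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $rgName `
        -ServicePrincipalName $aadClientId -PermissionsToKeys 'WrapKey' -PermissionsToSecrets 'Set'
}

# Upload the same .pfx that script 1 wrote; the original pointed at an unrelated
# C:\My-Cert.pfx here.
$cer = Import-AzureKeyVaultCertificate -VaultName $vaultName -Name $certificateName -FilePath $pfxFilePath -Password $securePfxPwd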