While working with Azure Key Vault Certificate Create Azure Key Vault Certificates on Azure Portal and Powershell, Next requirement was to download those certificates from Key Vault. On the Azure Portal choose the SSL Certificate you want to export. Click buttons Download in CER format or Download in PFX/PEM format.
PowerShell
Here I have written a PowerShell script to perfom the same task for one of my orchestration project, to either download certificate as Pfx or Cer format there are parameter with same names. Below are the example how to execute the script.
.\Export-AzKeyVaultCertificate.ps1 -Path C:\temp\certs -CertificateName vcloud-lab-Automation-Account-Ps -KeyVaultName vcloudvault -Cer .\Export-AzKeyVaultCertificate.ps1 -Path C:\temp\certs -CertificateName vcloud-lab-Automation-Account-Ps -KeyVaultName vcloudvault -PfxCertPassword '$ecret1' -Pfx
Download this script here, this script is also available on github.com.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 |
[CmdletBinding(SupportsShouldProcess=$True, ConfirmImpact='Medium', HelpURI='http://vcloud-lab.com', DefaultParameterSetName = 'pfx' )] <# .SYNOPSIS Export Azure key vault certificates to file. .DESCRIPTION Download/Export certificate files from Azure Key vault, it downloads certificate in cer or pfx extension format .PARAMETER Path Speciry Directory path to donwload/export Azure Key Vault certificate files. .PARAMETER CertificateName Specify Name of the Azure KeyVault Certificate. .PARAMETER KeyVaultName Specify Name of the Azure Key Vault Where certificate is stored. .PARAMETER Pfx This parameter exports certificate file in PFX extension format. .PARAMETER Cer This parameter exports certificate file in CER extenstion format. .PARAMETER PfxCertPassword If you are using PFX to export certificate, mention Password with this parameter. .INPUTS None. Export Azure key vault certificates to file. .OUTPUTS Export Azure key vault certificates to file in given path. .EXAMPLE PS> .\Export-AzKeyVaultCertificate.ps1 -Path C:\temp\certs -CertificateName vcloud-lab-Automation-Account-Ps -KeyVaultName vcloudvault -PfxCertPassword 123456 -Pfx This example to Export certificate in Pfx file format .EXAMPLE PS> .\Export-AzKeyVaultCertificate.ps1 -Path C:\temp\certs -CertificateName vcloud-lab-Automation-Account-Ps -KeyVaultName vcloudvault -Cer This example to Export certificate in Cer file format .LINK Online version: http://vcloud-lab.com http://vcloud-lab.com/entries/microsoft-azure/-create-azure-key-vault-certificates-on-azure-portal-and-powershell .LINK Export-AzKeyVaultCertificate.ps1 #> Param ( [parameter(Position=0, ValueFromPipeline=$True, ValueFromPipelineByPropertyName=$True, ParameterSetName = 'cer' )] [parameter(Position=0, ValueFromPipeline=$True, ValueFromPipelineByPropertyName=$True, ParameterSetName = 'pfx' )] [alias('Directory')] [string]$Path = 'C:\Temp\certs', [parameter(Position=1, ValueFromPipeline=$True, ValueFromPipelineByPropertyName=$True, ParameterSetName = 'cer' )] [parameter(Position=1, ValueFromPipeline=$True, ValueFromPipelineByPropertyName=$True, ParameterSetName = 'pfx' )] [alias('Certificate')] [string]$CertificateName = 'vcloud-lab-Automation-Account-Ps', [parameter(Position=1, ValueFromPipeline=$True, ValueFromPipelineByPropertyName=$True, ParameterSetName = 'cer' )] [parameter(Position=1, ValueFromPipeline=$True, ValueFromPipelineByPropertyName=$True, ParameterSetName = 'pfx' )] [string]$KeyVaultName = 'vcloudvault', [parameter(Position=2, ParameterSetName = 'pfx', Mandatory=$true)] [switch]$Pfx, [parameter(Position=3, ParameterSetName = 'pfx')] [string]$PfxCertPassword = '123456', [parameter(Position=2, ParameterSetName = 'cer', Mandatory=$true)] [switch]$Cer ) #Param begin { $testFolderPath = Test-Path $Path if ($testFolderPath -eq $false) { New-Item -Path $Path -ItemType Directory -Force | Out-Null } #Verify Azure Key Vault and Certificate $azKeyVault = Get-AzKeyVault -VaultName $KeyVaultName try { $azKeyVaultSecret = Get-AzKeyVaultSecret -VaultName $keyVaultName -Name $CertificateName -ErrorAction Stop } catch { Write-Host "Error - Check KeyVault '$KeyVaultName' or Certificate '$CertificateName' doesnt Exist" -BackgroundColor DarkRed Break } } #begin process { #Prepare to export Azure Key Vault certificate to local file if (($null -eq $azKeyVault) -or ($null -eq $azKeyVaultSecret)) { Write-Host "Error - Check KeyVault '$KeyVaultName' or Certificate '$CertificateName' doesnt Exist" -BackgroundColor DarkRed Break } #if (($null -eq $azKeyVault) -or ($null -eq $azKeyVaultSecret)) else { Write-Host "Verified - Key Vault and Certificate exists - '$KeyVaultName' and '$CertificateName'" -BackgroundColor DarkGreen #Put KeyVault Certificate information in memory to export [PSCredential]$password = New-Object System.Management.Automation.PSCredential('vcloud-lab.com',$azKeyVaultSecret.SecretValue) $cert64TextString = [System.Convert]::FromBase64String($password.GetNetworkCredential().password) $x509CertCollection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection $x509CertCollection.Import($cert64TextString, $null, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable) if ($PSCmdlet.ParameterSetName -eq 'cer') { #Export Azure Key Vault certificate to .cer file $azKeyVaultCert = Get-AzKeyVaultCertificate -VaultName $keyVaultName -Name $CertificateName $azKeyVaultCertBytes = $azKeyVaultCert.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert) $cerCertFile = "$certFolderPath\$CertificateName.cer" [System.IO.File]::WriteAllBytes($cerCertFile, $azKeyVaultCertBytes) Write-Host "Exported certificate to file - $certFolderPath\$CertificateName.cer" } elseif ($PSCmdlet.ParameterSetName -eq 'pfx') { #Export Azure Key Vault certificate to .pfx file $x509CertCollectionBytes = $x509CertCollection.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $PfxCertPassword) $pfxCertFile = "$certFolderPath\$CertificateName.pfx" [System.IO.File]::WriteAllBytes($pfxCertFile, $x509CertCollectionBytes) Write-Host "Exported certificate to file - $certFolderPath\$CertificateName.cer" } } #else if (($null -eq $azKeyVault) -or ($null -eq $azKeyVaultSecret)) } #process end {} #end |
AzureCLI
Although I have written complete Powershell Script but I found using AzureCLI even easier to download Pfx or Cer certificates. It can be done using one liner, There are more parmeters given on the official MicroSoft website, worth checking and might be helpful to you - https://docs.microsoft.com/en-us/azure/key-vault/certificates/how-to-export-certificate?tabs=azure-cli.
az keyvault certificate download --file C:\temp\certificatename.cer --encoding DER --Name certificatename --vault-name keyvaultname az keyvault secret download --file C:\temp\certificatename.pfx --encoding base64 --Name certificatename --vault-name keyvaultname
Useful Commands
Create key vault and secrets with access policies in Microsoft Azure
Working With Azure Key Vault Using Azure PowerShell and AzureCLI
Use Key Vault secret identifier url to get the secret value using Powershell
Use a Azure VM system assigned managed identity to access Azure Key Vault
Create an Azure App registrations in Azure Active Directory using PowerShell & AzureCLI
Get started and configure with certificate-based authentication in Azure
Create a Virtual machine on Microsoft Azure
PowerShell List All Azure Resverations
Powershell get the list of Azure Reservations Virtual Machines instances
Get the list Azure Reservation Catalog with PowerShell and AzureCLI