public async Task <string[]> GetCertificateThumbprintsAsync(CancellationToken cancellationToken) { var thumbprints = new List <string>(); await foreach (var cert in _certificateClient.GetPropertiesOfCertificateVersionsAsync(_certificateName, cancellationToken)) { thumbprints.Add(ThumbprintHelper.Convert(cert.X509Thumbprint)); } return(thumbprints.ToArray()); }
/// <inheritdoc/> public async Task <string> GetCertificateAsync(string vaultUri, string secretId) { CertificateClient certificateClient = new CertificateClient(new Uri(vaultUri), new DefaultAzureCredential()); AsyncPageable <CertificateProperties> certificatePropertiesPage = certificateClient.GetPropertiesOfCertificateVersionsAsync(secretId); await foreach (CertificateProperties certificateProperties in certificatePropertiesPage) { if (certificateProperties.Enabled == true && (certificateProperties.ExpiresOn == null || certificateProperties.ExpiresOn >= DateTime.UtcNow)) { SecretClient secretClient = new SecretClient(new Uri(vaultUri), new DefaultAzureCredential()); KeyVaultSecret secret = await secretClient.GetSecretAsync(certificateProperties.Name, certificateProperties.Version); return(secret.Value); } } return(null); }
public async Task GetCertificatesAsync() { // Environment variable with the Key Vault endpoint. string keyVaultUrl = Environment.GetEnvironmentVariable("AZURE_KEYVAULT_URL"); // Instantiate a certificate client that will be used to call the service. Notice that the client is using default Azure // credentials. To make default credentials work, ensure that environment variables 'AZURE_CLIENT_ID', // 'AZURE_CLIENT_KEY' and 'AZURE_TENANT_ID' are set with the service principal credentials. var client = new CertificateClient(new Uri(keyVaultUrl), new DefaultAzureCredential()); // Let's create two self-signed certificates using the default policy string certName1 = $"defaultCert-{Guid.NewGuid()}"; CertificateOperation certOp1 = await client.StartCreateCertificateAsync(certName1, CertificatePolicy.Default); string certName2 = $"defaultCert-{Guid.NewGuid()}"; CertificateOperation certOp2 = await client.StartCreateCertificateAsync(certName1, CertificatePolicy.Default); // Next, let's wait on the certificate operation to complete. Note that certificate creation can last an indeterministic // amount of time, so applications should only wait on the operation to complete in the case the issuance time is well // known and within the scope of the application lifetime. In this case we are creating a self-signed certificate which // should be issued in a relatively short amount of time. await certOp1.WaitForCompletionAsync(); await certOp2.WaitForCompletionAsync(); // Let's list the certificates which exist in the vault along with their thumbprints await foreach (CertificateProperties cert in client.GetPropertiesOfCertificatesAsync()) { Debug.WriteLine($"Certificate is returned with name {cert.Name} and thumbprint {BitConverter.ToString(cert.X509Thumbprint)}"); } // We need to create a new version of a certificate. Creating a certificate with the same name will create another version of the certificate CertificateOperation newCertOp = await client.StartCreateCertificateAsync(certName1, CertificatePolicy.Default); await newCertOp.WaitForCompletionAsync(); // Let's print all the versions of this certificate await foreach (CertificateProperties cert in client.GetPropertiesOfCertificateVersionsAsync(certName1)) { Debug.WriteLine($"Certificate {cert.Name} with name {cert.Version}"); } // The certificates are no longer needed. // You need to delete them from the Key Vault. DeleteCertificateOperation operation1 = await client.StartDeleteCertificateAsync(certName1); DeleteCertificateOperation operation2 = await client.StartDeleteCertificateAsync(certName2); // To ensure certificates are deleted on server side. Task.WaitAll( operation1.WaitForCompletionAsync().AsTask(), operation2.WaitForCompletionAsync().AsTask()); // You can list all the deleted and non-purged certificates, assuming Key Vault is soft-delete enabled. await foreach (DeletedCertificate deletedCert in client.GetDeletedCertificatesAsync()) { Debug.WriteLine($"Deleted certificate's recovery Id {deletedCert.RecoveryId}"); } // If the keyvault is soft-delete enabled, then for permanent deletion, deleted keys needs to be purged. Task.WaitAll( client.PurgeDeletedCertificateAsync(certName1), client.PurgeDeletedCertificateAsync(certName2)); }
private async Task <TrackKeyExternal> LoadTrackKeyExternalFromKeyVaultAsync(Track track) { var now = DateTimeOffset.UtcNow; var certificateClient = new CertificateClient(new Uri(settings.KeyVault.EndpointUri), tokenCredential); var externalKeys = new List <(string Id, DateTimeOffset?NotBefore)>(); var certificateVersions = certificateClient.GetPropertiesOfCertificateVersionsAsync(track.Key.ExternalName); await foreach (var certificateVersion in certificateVersions) { if (certificateVersion.Enabled == true && certificateVersion.ExpiresOn >= now) { externalKeys.Add((certificateVersion.Version, certificateVersion.NotBefore)); } } if (externalKeys.Count <= 0) { throw new Exception($"Track key external certificate '{track.Key.ExternalName}' do not exist in Key Vault."); } var trackKeyExternal = new TrackKeyExternal(); if (externalKeys.Count == 1) { trackKeyExternal.Keys = new List <TrackKeyExternalItem> { new TrackKeyExternalItem { ExternalId = externalKeys.First().Id } }; } else { var topTwoExternalKeys = externalKeys.OrderByDescending(e => e.NotBefore).Take(2); var firstExternalKey = topTwoExternalKeys.First(); if (firstExternalKey.NotBefore <= now.AddDays(-track.KeyExternalPrimaryAfterDays)) { trackKeyExternal.Keys = new List <TrackKeyExternalItem> { new TrackKeyExternalItem { ExternalId = firstExternalKey.Id }, new TrackKeyExternalItem { ExternalId = topTwoExternalKeys.Last().Id } }; } else { trackKeyExternal.Keys = new List <TrackKeyExternalItem> { new TrackKeyExternalItem { ExternalId = topTwoExternalKeys.Last().Id }, new TrackKeyExternalItem { ExternalId = firstExternalKey.Id } }; } } foreach (var keyItem in trackKeyExternal.Keys) { var certificateWithPolicy = certificateClient.GetCertificateVersion(track.Key.ExternalName, keyItem.ExternalId); var certificateRawValue = certificateWithPolicy?.Value?.Cer; if (certificateRawValue == null) { throw new Exception($"Track key external certificate '{track.Key.ExternalName}' version '{keyItem.ExternalId}' from Key Vault is null."); } keyItem.Key = await new X509Certificate2(certificateRawValue).ToFTJsonWebKeyAsync(); } return(trackKeyExternal); }