private async Task GetCertificateFromKeyVault() { try { string clientId = KeyVaultOptions.Value.ClientId; string clientSecret = KeyVaultOptions.Value.ClientSecret; string tenantId = KeyVaultOptions.Value.TenantId; Uri keyVaultUrl = KeyVaultOptions.Value.KeyVaultUrl; string keyName = KeyVaultOptions.Value.KeyName; ClientSecretCredential credential = new ClientSecretCredential(tenantId, clientId, clientSecret); SecretClient secretClient = new SecretClient(keyVaultUrl, credential); CertificateClient certificateClient = new CertificateClient(keyVaultUrl, credential); KeyVaultSecret keyVaultCertificatePfx = await secretClient.GetSecretAsync(keyName).ConfigureAwait(false); KeyVaultCertificate keyVaultCertificateCer = await certificateClient.GetCertificateAsync(keyName).ConfigureAwait(false); DecryptionCertificate = keyVaultCertificatePfx.Value; this.EncryptionCertificate = Convert.ToBase64String(keyVaultCertificateCer.Cer); this.EncryptionCertificateId = keyVaultCertificatePfx.Properties.Version; } catch (Exception ex) { Console.WriteLine(ex); } }
public async Task VerifyCertificateGetWithPolicyInProgress() { string certName = Recording.GenerateId(); CertificatePolicy certificatePolicy = DefaultPolicy; certificatePolicy.IssuerName = WellKnownIssuerNames.Unknown; await Client.StartCreateCertificateAsync(certName, certificatePolicy); RegisterForCleanup(certName); KeyVaultCertificateWithPolicy certificateWithPolicy = await Client.GetCertificateAsync(certName); Assert.NotNull(certificateWithPolicy); Assert.AreEqual(certificateWithPolicy.Name, certName); Assert.NotNull(certificateWithPolicy.Properties.Version); KeyVaultCertificate certificate = await Client.GetCertificateVersionAsync(certName, certificateWithPolicy.Properties.Version); Assert.NotNull(certificate); Assert.AreEqual(certificate.Name, certName); }
protected override void ProcessRecord() { CertificateBundle certBundle; switch (ParameterSetName) { case ByCertificateNameParameterSet: certBundle = this.DataServiceClient.GetCertificate(VaultName, Name, Version ?? string.Empty); var certificate = KeyVaultCertificate.FromCertificateBundle(certBundle); this.WriteObject(certificate); break; case ByCertificateVersionsParameterSet: certBundle = this.DataServiceClient.GetCertificate(VaultName, Name, string.Empty); if (certBundle != null) { WriteObject(new CertificateIdentityItem(certBundle)); GetAndWriteCertificatesVersions(VaultName, Name, certBundle.CertificateIdentifier.Version); } break; case ByVaultNameParameterSet: GetAndWriteCertificates(VaultName); break; default: throw new ArgumentException(KeyVaultProperties.Resources.BadParameterSetName); } }
public async Task VerifyUpdateCertificate() { string certName = Recording.GenerateId(); CertificateOperation operation = await Client.StartCreateCertificateAsync(certName, DefaultPolicy); RegisterForCleanup(certName); KeyVaultCertificateWithPolicy original = await operation.WaitForCompletionAsync(DefaultCertificateOperationPollingInterval, default); CertificateProperties originalProperties = original.Properties; Assert.IsTrue(originalProperties.Enabled); Assert.IsEmpty(originalProperties.Tags); IDictionary <string, string> expTags = new Dictionary <string, string>() { { "key1", "value1" } }; originalProperties.Tags.Add("key1", "value1"); KeyVaultCertificate updated = await Client.UpdateCertificatePropertiesAsync(originalProperties); Assert.IsTrue(updated.Properties.Enabled); CollectionAssert.AreEqual(expTags, updated.Properties.Tags); originalProperties.Enabled = false; originalProperties.Tags.Clear(); updated = await Client.UpdateCertificatePropertiesAsync(originalProperties); Assert.IsFalse(updated.Properties.Enabled); CollectionAssert.AreEqual(expTags, updated.Properties.Tags); }
public async Task DownloadVersionedCertificate(string contentType) { string name = Recording.GenerateId(); CertificatePolicy policy = new CertificatePolicy { IssuerName = WellKnownIssuerNames.Self, Subject = "CN=default", KeyType = CertificateKeyType.Rsa, Exportable = true, ReuseKey = false, KeyUsage = { CertificateKeyUsage.DataEncipherment, }, CertificateTransparency = false, ContentType = contentType, }; CertificateOperation operation = await Client.StartCreateCertificateAsync(name, policy); RegisterForCleanup(name); await operation.WaitForCompletionAsync(DefaultCertificateOperationPollingInterval, default); KeyVaultCertificate certificate = await Client.GetCertificateAsync(name); string version = certificate.Properties.Version; using X509Certificate2 pub = new X509Certificate2(certificate.Cer); #if NET6_0_OR_GREATER using RSA pubkey = (RSA)pub.PublicKey.GetRSAPublicKey(); #else using RSA pubkey = (RSA)pub.PublicKey.Key; #endif byte[] plaintext = Encoding.UTF8.GetBytes("Hello, world!"); byte[] ciphertext = pubkey.Encrypt(plaintext, RSAEncryptionPadding.Pkcs1); // Create a new certificate version that is not exportable just to further prove we are not downloading it. policy.Exportable = false; operation = await Client.StartCreateCertificateAsync(name, policy); await operation.WaitForCompletionAsync(DefaultCertificateOperationPollingInterval, default); certificate = await Client.GetCertificateAsync(name); Assert.AreNotEqual(version, certificate.Properties.Version); // Now download the certificate and test decryption. using X509Certificate2 x509certificate = await Client.DownloadCertificateAsync(name, version); Assert.IsTrue(x509certificate.HasPrivateKey); using RSA rsa = (RSA)x509certificate.GetRSAPrivateKey(); byte[] decrypted = rsa.Decrypt(ciphertext, RSAEncryptionPadding.Pkcs1); CollectionAssert.AreEqual(plaintext, decrypted); }
public void HelloWorldSync(string keyVaultUrl) { #region Snippet:CertificatesSample1CertificateClient var client = new CertificateClient(new Uri(keyVaultUrl), new DefaultAzureCredential()); #endregion #region Snippet:CertificatesSample1CreateCertificate string certName = $"defaultCert-{Guid.NewGuid()}"; CertificateOperation certOp = client.StartCreateCertificate(certName, CertificatePolicy.Default); while (!certOp.HasCompleted) { certOp.UpdateStatus(); Thread.Sleep(TimeSpan.FromSeconds(1)); } #endregion #region Snippet:CertificatesSample1GetCertificateWithPolicy KeyVaultCertificateWithPolicy certificate = client.GetCertificate(certName); Debug.WriteLine($"Certificate was returned with name {certificate.Name} which expires {certificate.Properties.ExpiresOn}"); #endregion #region Snippet:CertificatesSample1UpdateCertificate CertificateProperties certificateProperties = certificate.Properties; certificateProperties.Enabled = false; KeyVaultCertificate updatedCert = client.UpdateCertificateProperties(certificateProperties); Debug.WriteLine($"Certificate enabled set to '{updatedCert.Properties.Enabled}'"); #endregion #region Snippet:CertificatesSample1CreateCertificateWithNewVersion CertificateOperation newCertOp = client.StartCreateCertificate(certificate.Name, certificate.Policy); while (!newCertOp.HasCompleted) { newCertOp.UpdateStatus(); Thread.Sleep(TimeSpan.FromSeconds(1)); } #endregion #region Snippet:CertificatesSample1DeleteCertificate DeleteCertificateOperation operation = client.StartDeleteCertificate(certName); // To ensure certificate is deleted on server side. while (!operation.HasCompleted) { Thread.Sleep(2000); operation.UpdateStatus(); } #endregion // If the keyvault is soft-delete enabled, then for permanent deletion, the deleted certificate needs to be purged. client.PurgeDeletedCertificate(certName); }
protected override void ProcessRecord() { if (ShouldProcess(Name, Properties.Resources.ImportCertificate)) { List <CertificateBundle> certBundleList = new List <CertificateBundle>(); CertificateBundle certBundle = null; switch (ParameterSetName) { case ImportCertificateFromFileParameterSet: certBundle = this.DataServiceClient.MergeCertificate( VaultName, Name, LoadCertificateFromFile(), Tag == null ? null : Tag.ConvertToDictionary()); break; case ImportWithPrivateKeyFromFileParameterSet: X509Certificate2Collection userProvidedCertColl = InitializeCertificateCollection(); X509Certificate2Collection certColl = new X509Certificate2Collection(); byte[] base64Bytes; if (Password == null) { base64Bytes = userProvidedCertColl.Export(X509ContentType.Pfx); } else { base64Bytes = userProvidedCertColl.Export(X509ContentType.Pfx, Password.ConvertToString()); } string base64CertCollection = Convert.ToBase64String(base64Bytes); certBundle = this.DataServiceClient.ImportCertificate(VaultName, Name, base64CertCollection, Password, Tag == null ? null : Tag.ConvertToDictionary()); break; case ImportWithPrivateKeyFromCollectionParameterSet: certBundle = this.DataServiceClient.ImportCertificate(VaultName, Name, CertificateCollection, Tag == null ? null : Tag.ConvertToDictionary()); break; case ImportWithPrivateKeyFromStringParameterSet: certBundle = this.DataServiceClient.ImportCertificate(VaultName, Name, CertificateString, Password, Tag == null ? null : Tag.ConvertToDictionary()); break; default: throw new ArgumentException(KeyVaultProperties.Resources.BadParameterSetName); } var certificate = KeyVaultCertificate.FromCertificateBundle(certBundle); this.WriteObject(certificate); } }
public void RetrieveCertificate() { #region Snippet:RetrieveCertificate KeyVaultCertificateWithPolicy certificateWithPolicy = client.GetCertificate("MyCertificate"); #endregion #region Snippet:GetCertificate KeyVaultCertificate certificate = client.GetCertificateVersion(certificateWithPolicy.Name, certificateWithPolicy.Properties.Version); #endregion }
public void UpdateCertificate() { KeyVaultCertificateWithPolicy certificate = client.GetCertificate("MyCertificate"); #region Snippet:UpdateCertificate CertificateProperties certificateProperties = new CertificateProperties(certificate.Id); certificateProperties.Tags["key1"] = "value1"; KeyVaultCertificate updated = client.UpdateCertificateProperties(certificateProperties); #endregion }
// // execute GetCertificate // public string Execute(string certificateIdentifierUrl, string filePath = null, string identity = null) { (Uri keyVaultUri, string certificateName, string certificateVersion) = ValidateAndParseCertificateURL(certificateIdentifierUrl); var MIcredential = new ManagedIdentityCredential(identity); var certificateClient = new CertificateClient(keyVaultUri, MIcredential); // Retrieve a certificate (certificate = certificate and private key bundle in Azure terminology) // PEM (Privacy Enhanced Mail) or PFX (Personal Information Exchange; PKCS#12 archive file format) formats // depends on what content type you set in Azure Key Vault at respective certificate. // Both formats usually contain a certificate (possibly with its assorted set of CA certificates) and the corresponding private key // Download CER format (X.509 certificate) // single certificate, alone and without any wrapping (no private key, no password protection, just the certificate) // not supported try { // certificate (and key) is stored as a secret at the end in Azure string secretIdentifierUrl; if (String.IsNullOrEmpty(certificateVersion)) { // certificate has no specific version: // https://my-key-vault.vault.azure.net/certificates/readThisCertificate KeyVaultCertificateWithPolicy certificateWithPolicy = certificateClient.GetCertificate(certificateName); secretIdentifierUrl = certificateWithPolicy.SecretId.ToString(); } else { // certificate has specific version: // https://my-key-vault.vault.azure.net/certificates/readThisCertificate/103a7355c6094bc78307b2db7b85b3c2 KeyVaultCertificate certificate = certificateClient.GetCertificateVersion(certificateName, certificateVersion); secretIdentifierUrl = certificate.SecretId.ToString(); } // filePath: null means get secret into variable only // otherwise secret may be unintentionally saved to file by GetSecret() method string secret = new GetSecret().Execute(secretIdentifierUrl, filePath: null, identity); if (String.IsNullOrEmpty(filePath)) { // print to stdout return(secret); } else { // creates or overwrites file and saves secret into it File.WriteAllText(filePath, secret); return("Saved"); } } catch (Exception ex) { throw AzmiException.IDCheck(identity, ex); } }
/// <summary> /// Initializes a new instance of the type /// </summary> /// <param name="certificate">The key vault certificate</param> /// <param name="httpStatus">The http status code returned</param> /// <param name="elapsedMilliseconds">The number of milliseconds that elapsed executing the query</param> internal KeyVaultCertificateResponse(KeyVaultCertificate certificate, int httpStatus, long elapsedMilliseconds) : base(httpStatus, elapsedMilliseconds) { Id = certificate.Id; Name = certificate.Name; Version = certificate.Properties.Version; Properties = certificate.Properties; Value = certificate.Cer; SecretId = certificate.SecretId; KeyId = certificate.KeyId; Policy = null; }
public async Task RetrieveCertificateAsync() { #region Snippet:RetrieveCertificate KeyVaultCertificateWithPolicy certificateWithPolicy = await client.GetCertificateAsync("MyCertificate"); #endregion #region Snippet:GetCertificate KeyVaultCertificate certificate = await client.GetCertificateVersionAsync(certificateWithPolicy.Name, certificateWithPolicy.Properties.Version); #endregion }
public async Task HelloWorldAsync() { // Environment variable with the Key Vault endpoint. string keyVaultUrl = TestEnvironment.KeyVaultUrl; // Instantiate a certificate client that will be used to call the service. Notice that the client is using // default Azure credentials. To make default credentials work, ensure that environment variables 'AZURE_CLIENT_ID', // 'AZURE_CLIENT_KEY' and 'AZURE_TENANT_ID' are set with the service principal credentials. var client = new CertificateClient(new Uri(keyVaultUrl), new DefaultAzureCredential()); // Let's create a self-signed certificate using the default policy. If the certificate // already exists in the Key Vault, then a new version of the key is created. string certName = $"defaultCert-{Guid.NewGuid()}"; CertificateOperation certOp = await client.StartCreateCertificateAsync(certName, CertificatePolicy.Default); // Next, let's wait on the certificate operation to complete. Note that certificate creation can last an indeterministic // amount of time, so applications should only wait on the operation to complete in the case the issuance time is well // known and within the scope of the application lifetime. In this case we are creating a self-signed certificate which // should be issued in a relatively short amount of time. KeyVaultCertificateWithPolicy certificate = await certOp.WaitForCompletionAsync(); // At some time later we could get the created certificate along with its policy from the Key Vault. certificate = await client.GetCertificateAsync(certName); Debug.WriteLine($"Certificate was returned with name {certificate.Name} which expires {certificate.Properties.ExpiresOn}"); // We find that the certificate has been compromised and we want to disable it so applications will no longer be able // to access the compromised version of the certificate. CertificateProperties certificateProperties = certificate.Properties; certificateProperties.Enabled = false; KeyVaultCertificate updatedCert = await client.UpdateCertificatePropertiesAsync(certificateProperties); Debug.WriteLine($"Certificate enabled set to '{updatedCert.Properties.Enabled}'"); // We need to create a new version of the certificate that applications can use to replace the compromised certificate. // Creating a certificate with the same name and policy as the compromised certificate will create another version of the // certificate with similar properties to the original certificate CertificateOperation newCertOp = await client.StartCreateCertificateAsync(certificate.Name, certificate.Policy); KeyVaultCertificateWithPolicy newCert = await newCertOp.WaitForCompletionAsync(); // The certificate is no longer needed, need to delete it from the Key Vault. DeleteCertificateOperation operation = await client.StartDeleteCertificateAsync(certName); // You only need to wait for completion if you want to purge or recover the certificate. await operation.WaitForCompletionAsync(); // If the keyvault is soft-delete enabled, then for permanent deletion, the deleted key needs to be purged. await client.PurgeDeletedCertificateAsync(certName); }
internal async Task <SecurityKeyInfo> GetSecurityKeyFromCertificateAsync(KeyVaultCertificate certificateItem) { var certificateVersionBundle = await this._CertificateClient.GetCertificateAsync(certificateItem.Name); var certificatePrivateKeySecretBundle = await this._SecretClient.GetSecretAsync(certificateVersionBundle.Value.Name); var privateKeyBytes = Convert.FromBase64String(certificatePrivateKeySecretBundle.Value.Value); var certificateWithPrivateKey = new X509Certificate2(privateKeyBytes, (string)null, X509KeyStorageFlags.MachineKeySet); return(new SecurityKeyInfo() { Key = new X509SecurityKey(certificateWithPrivateKey), SigningAlgorithm = SecurityAlgorithms.RsaSha512 }); }
public async Task UpdateCertificateAsync() { KeyVaultCertificateWithPolicy certificate = await client.GetCertificateAsync("MyCertificate"); #region Snippet:UpdateCertificate CertificateProperties certificateProperties = new CertificateProperties(certificate.Id) { Tags = { ["key1"] = "value1" } }; KeyVaultCertificate updated = await client.UpdateCertificatePropertiesAsync(certificateProperties); #endregion }
public async Task DownloadLatestCertificate() { string name = Recording.GenerateId(); CertificatePolicy policy = new CertificatePolicy { IssuerName = WellKnownIssuerNames.Self, Subject = "CN=default", KeyType = CertificateKeyType.Rsa, Exportable = true, ReuseKey = false, KeyUsage = { CertificateKeyUsage.DataEncipherment, CertificateKeyUsage.DigitalSignature, }, CertificateTransparency = false, ContentType = CertificateContentType.Pkcs12, }; CertificateOperation operation = await Client.StartCreateCertificateAsync(name, policy); RegisterForCleanup(name); await operation.WaitForCompletionAsync(); KeyVaultCertificate certificate = await Client.GetCertificateAsync(name); using X509Certificate2 pub = new X509Certificate2(certificate.Cer); using RSA pubkey = (RSA)pub.PublicKey.Key; byte[] plaintext = Encoding.UTF8.GetBytes("Hello, world!"); byte[] ciphertext = pubkey.Encrypt(plaintext, RSAEncryptionPadding.Pkcs1); using X509Certificate2 x509certificate = await Client.DownloadCertificateAsync(name); Assert.IsTrue(x509certificate.HasPrivateKey); using RSA rsa = (RSA)x509certificate.PrivateKey; byte[] decrypted = rsa.Decrypt(ciphertext, RSAEncryptionPadding.Pkcs1); CollectionAssert.AreEqual(plaintext, decrypted); }
public override void ExecuteCmdlet() { if (ShouldProcess(Name, Properties.Resources.SetCertificateAttributes)) { var certificateBundle = DataServiceClient.UpdateCertificate( VaultName, Name, Version ?? string.Empty, new CertificateAttributes { Enabled = Enable, }, Tag == null ? null : Tag.ConvertToDictionary()); if (PassThru) { var certificate = KeyVaultCertificate.FromCertificateBundle(certificateBundle); this.WriteObject(certificate); } } }
protected override void ProcessRecord() { CertificateBundle certBundle = null; ConfirmAction( Force.IsPresent, string.Format( CultureInfo.InvariantCulture, KeyVaultProperties.Resources.RemoveCertWarning, Name), string.Format( CultureInfo.InvariantCulture, KeyVaultProperties.Resources.RemoveCertWhatIfMessage, Name), Name, () => { certBundle = this.DataServiceClient.DeleteCertificate(VaultName, Name); }); if (PassThru.IsPresent) { var certificate = KeyVaultCertificate.FromCertificateBundle(certBundle); this.WriteObject(certificate); } }
public async Task VerifyGetCertificateCompleted() { string certName = Recording.GenerateId(); CertificateOperation operation = await Client.StartCreateCertificateAsync(certName, DefaultPolicy); RegisterForCleanup(certName); await operation.WaitForCompletionAsync(DefaultCertificateOperationPollingInterval, default); KeyVaultCertificateWithPolicy certificateWithPolicy = await Client.GetCertificateAsync(certName); Assert.NotNull(certificateWithPolicy); Assert.AreEqual(certificateWithPolicy.Name, certName); Assert.NotNull(certificateWithPolicy.Properties.Version); KeyVaultCertificate certificate = await Client.GetCertificateVersionAsync(certName, certificateWithPolicy.Properties.Version); Assert.NotNull(certificate); Assert.AreEqual(certificate.Name, certName); }
public void HelloWorldSync() { // Environment variable with the Key Vault endpoint. string keyVaultUrl = Environment.GetEnvironmentVariable("AZURE_KEYVAULT_URL"); // Instantiate a certificate client that will be used to call the service. Notice that the client is using // default Azure credentials. To make default credentials work, ensure that environment variables 'AZURE_CLIENT_ID', // 'AZURE_CLIENT_KEY' and 'AZURE_TENANT_ID' are set with the service principal credentials. var client = new CertificateClient(new Uri(keyVaultUrl), new DefaultAzureCredential()); // Let's create a self signed certifiate using the default policy. If the certificiate // already exists in the Key Vault, then a new version of the key is created. string certName = $"defaultCert-{Guid.NewGuid()}"; CertificateOperation certOp = client.StartCreateCertificate(certName, CertificatePolicy.Default); // Next let's wait on the certificate operation to complete. Note that certificate creation can last an indeterministic // amount of time, so applications should only wait on the operation to complete in the case the issuance time is well // known and within the scope of the application lifetime. In this case we are creating a self-signed certificate which // should be issued in a relatively short amount of time. while (!certOp.HasCompleted) { certOp.UpdateStatus(); Thread.Sleep(TimeSpan.FromSeconds(1)); } // Let's get the created certificate along with it's policy from the Key Vault. KeyVaultCertificateWithPolicy certificate = client.GetCertificate(certName); Debug.WriteLine($"Certificate was returned with name {certificate.Name} which expires {certificate.Properties.ExpiresOn}"); // We find that the certificate has been compromised and we want to disable it so applications will no longer be able // to access the compromised version of the certificate. CertificateProperties certificateProperties = certificate.Properties; certificateProperties.Enabled = false; KeyVaultCertificate updatedCert = client.UpdateCertificateProperties(certificateProperties); Debug.WriteLine($"Certificate enabled set to '{updatedCert.Properties.Enabled}'"); // We need to create a new version of the certificate that applications can use to replace the compromised certificate. // Creating a certificate with the same name and policy as the compromised certificate will create another version of the // certificate with similar properties to the original certificate CertificateOperation newCertOp = client.StartCreateCertificate(certificate.Name, certificate.Policy); while (!newCertOp.HasCompleted) { newCertOp.UpdateStatus(); Thread.Sleep(TimeSpan.FromSeconds(1)); } // The certificate is no longer needed, need to delete it from the Key Vault. client.DeleteCertificate(certName); // To ensure certificate is deleted on server side. Assert.IsTrue(WaitForDeletedCertificate(client, certName)); // If the keyvault is soft-delete enabled, then for permanent deletion, deleted certificate needs to be purged. client.PurgeDeletedCertificate(certName); }
internal async Task <SigningCredentials> GetSigningCredentialsFromCertificateAsync(KeyVaultCertificate certificateItem) { var certificateVersionSecurityKey = await GetSecurityKeyFromCertificateAsync(certificateItem); return(new SigningCredentials(certificateVersionSecurityKey.Key, SecurityAlgorithms.RsaSha512)); }
public async Task <ActionResult> Secrets() { // Via App Service reference // See https://docs.microsoft.com/bs-cyrl-ba/azure/app-service/app-service-key-vault-references // For example: // @Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/ec96f02080254f109c51a1f14cdb1931) // or // @Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/) // if you only care about the latest version of that secret ViewBag.ViaRef = ConfigurationManager.AppSettings["secret1"]; // Via Key Vault SDK string keyVaultInstance = "https://alice.vault.azure.net"; // Retry policy // https://docs.microsoft.com/en-us/azure/key-vault/general/overview-throttling SecretClientOptions options = new SecretClientOptions() { Retry = { Delay = TimeSpan.FromSeconds(2), MaxDelay = TimeSpan.FromSeconds(16), MaxRetries = 5, Mode = RetryMode.Exponential } }; // Instantiate client with retry policy (options) SecretClient secretClient = new SecretClient(new Uri(keyVaultInstance), new DefaultAzureCredential(), options); KeyVaultSecret secret = await secretClient.GetSecretAsync("secret1"); ViewBag.ViaSDK = secret.Value; // Via configBuilder (see web.config) ViewBag.ViaBuilder = ConfigurationManager.AppSettings["secret1"]; // Manual REST API calls AzureServiceTokenProvider tokenProvider = new AzureServiceTokenProvider(); // Resource URI for Key Vault is always https://vault.azure.net, // irrespective of the name of your Key Vault string accessToken = await tokenProvider.GetAccessTokenAsync("https://vault.azure.net"); HttpClient httpClient = new HttpClient(); httpClient.DefaultRequestHeaders.Add("Authorization", $"Bearer {accessToken}"); // Response is a JSON object, the secret value is returned as response["value"] and looks like this - // { // "value": "TH3 VALU3 0F THE S3CRE7", // "contentType": "this_property_is/completely_arbitrary", // "id": "https://<YOUR-VAULT-NAME>.vault.azure.net/secrets/<NAME-OF-YOUR-SECRET>/d96492d7b6d744a085a37c812badb3e4", // "attributes": { // "enabled": true, // "created": 1526314127, // "updated": 1526314127, // "recoveryLevel": "Purgeable" // } // } string secretOverRest = await httpClient.GetStringAsync("https://alice.vault.azure.net/secrets/secret1?api-version=7.0"); ViewBag.ViaRest = secretOverRest; // Get certificate from Key Vault CertificateClient certClient = new CertificateClient(new Uri(keyVaultInstance), new DefaultAzureCredential()); KeyVaultCertificate cert = await certClient.GetCertificateAsync("Joes-Crab-Shack-RSA"); X509Certificate2 x509cert = new X509Certificate2(cert.Cer); ViewBag.CertSubject = x509cert.Subject; ViewBag.CertId = cert.Id; ViewBag.CertName = cert.Name; return(View()); }