public async Task <CertificateOperation> CreateCsrAsync(string vaultName, string certificateName, string displayName) { var policy = new CertificatePolicy() { X509CertificateProperties = new X509CertificateProperties { Subject = $"CN={displayName}" }, KeyProperties = new KeyProperties { KeySize = 2048, KeyType = "RSA-HSM" }, IssuerParameters = new IssuerParameters { Name = "Unknown" // External CA } }; var vault = await GetVaultAsync(vaultName).ConfigureAwait(false); var op = await kvClient.CreateCertificateAsync(vault.VaultUri, certificateName, policy).ConfigureAwait(false); return(op); }
// NOTE - this would be the preferred way to create the certificate in Azure Key Vault, as the certificate's private key never leaves // the service. However, it does not currently support specifying that we want to create a CA certificate using the certificate basic constraints. // This code is left here for reference. // // ReSharper disable once UnusedMember.Local private async Task <X509Certificate2> CreateCertificateInKeyVaultAsync(KeyVaultClient client) { var certificateOperation = await client.CreateCertificateAsync( _vaultBaseUrl, _certificateName, new CertificatePolicy( keyProperties : new KeyProperties(false, "RSA", 2048, false), x509CertificateProperties : new X509CertificateProperties( "CN=" + RootSubjectName, keyUsage : new List <string> { X509KeyUsageFlags.KeyCertSign.ToString() }, ekus : new List <string> { "1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.1" }), issuerParameters : new IssuerParameters("Self"))); while (certificateOperation.Status == "inProgress") { Console.WriteLine($"Creation of certificate '{_certificateName}' is in progress"); await Task.Delay(1000); certificateOperation = await client.GetCertificateOperationAsync(_vaultBaseUrl, _certificateName); } Console.WriteLine($"Creation of certificate '{_certificateName}' is in status '{certificateOperation.Status}'"); var certificate = await client.GetCertificateAsync(_vaultBaseUrl, _certificateName); return(new X509Certificate2(certificate.Cer)); }
public async Task <CertificateOperation> CreateCertificateAsync( string certificateName, string certificateCN, IDictionary <string, string> tags = null, CancellationToken cancellationToken = default ) { try { tags ??= new Dictionary <string, string>(); Log.Information($"Adding certificate to Azure KeyVault: {certificateName} ..."); // ToDo: Add support of PEM certificate creation: CertificateContentType.Pem var contentType = CertificateContentType.Pfx; var certificatePolicy = new CertificatePolicy { KeyProperties = new KeyProperties { Exportable = true, KeyType = "RSA", KeySize = 2048, ReuseKey = false }, SecretProperties = new SecretProperties { ContentType = contentType }, X509CertificateProperties = new X509CertificateProperties { Subject = $"CN={certificateCN}", SubjectAlternativeNames = new SubjectAlternativeNames { DnsNames = new string[] { certificateCN } } }, IssuerParameters = new IssuerParameters { Name = "Self" } }; certificatePolicy.Validate(); var certificateAttributes = new CertificateAttributes(); var certificateOperation = await _keyVaultClient .CreateCertificateAsync( _keyVault.Properties.VaultUri, certificateName, certificatePolicy, certificateAttributes, tags, cancellationToken ); Log.Information($"Added certificate to Azure KeyVault: {certificateName}"); return(certificateOperation); } catch (Exception ex) { Log.Error(ex, $"Failed to add certificate to Azure KeyVault: {certificateName}"); throw; } }
/// <summary> /// Creates a certificate /// </summary> /// <param name="certificateName"> the name of the created certificate </param> /// <returns> The created certificate </returns> private static CertificateOperation CreateCertificate(out string certificateName) { var vaultAddress = inputValidator.GetVaultAddress(); certificateName = inputValidator.GetCertificateName(); // Create a self-signed certificate backed by a 2048 bit RSA key var policy = new CertificatePolicy { IssuerReference = new IssuerReference { Name = "Self", }, KeyProperties = new KeyProperties { Exportable = true, KeySize = 2048, KeyType = "RSA" }, SecretProperties = new SecretProperties { ContentType = "application/x-pkcs12" }, X509CertificateProperties = new X509CertificateProperties { Subject = "CN=KEYVAULTDEMO" } }; var tags = inputValidator.GetTags(); var certificateOperation = keyVaultClient.CreateCertificateAsync(vaultAddress, certificateName, policy, new CertificateAttributes { Enabled = true }, tags).GetAwaiter().GetResult(); Console.Out.WriteLine("Created certificate:---------------"); PrintoutCertificateOperation(certificateOperation); return(certificateOperation); }
/// <summary> /// Creates a certificate /// </summary> /// <param name="certificateName"> the name of the created certificate </param> /// <returns> The created certificate </returns> private static CertificateBundle CreateCertificate(out string certificateName) { var vaultAddress = inputValidator.GetVaultAddress(); certificateName = inputValidator.GetCertificateName(); // Create a self-signed certificate backed by a 2048 bit RSA key var policy = new CertificatePolicy { IssuerReference = new IssuerReference { Name = "Self", }, KeyProperties = new KeyProperties { Exportable = true, KeySize = 2048, KeyType = "RSA" }, SecretProperties = new SecretProperties { ContentType = "application/x-pem-file" //ContentType = "application/x-pkcs12" }, X509CertificateProperties = new X509CertificateProperties { Subject = "CN=KEYVAULTDEMO" } }; var tags = inputValidator.GetTags(); var name = certificateName; var pendingCertificate = Task.Run(() => keyVaultClient.CreateCertificateAsync(vaultAddress, name, policy, new CertificateAttributes { Enabled = true }, tags)).ConfigureAwait(false).GetAwaiter().GetResult(); // Certificate request is created. // Poll for certificate creation status until pending is complete. var pendingPollCount = 0; while (pendingPollCount < 11) { var pendingCertificateResponse = Task.Run(() => keyVaultClient.GetCertificateOperationAsync(vaultAddress, pendingCertificate.CertificateOperationIdentifier.Name)) .ConfigureAwait(false).GetAwaiter().GetResult(); PrintoutCertificateOperation(pendingCertificateResponse); if (0 == string.Compare(pendingCertificateResponse.Status, "InProgress", true)) { Console.Out.WriteLine("Waiting on the long running operation to complete creating the certificate..."); Thread.Sleep(TimeSpan.FromSeconds(5)); pendingPollCount++; continue; } if (0 == string.Compare(pendingCertificateResponse.Status, "Completed", true)) { var certBundle = Task.Run(() => keyVaultClient.GetCertificateAsync(pendingCertificateResponse.Target)).ConfigureAwait(false).GetAwaiter().GetResult(); Console.Out.WriteLine("Created certificate:---------------"); PrintoutCertificate(certBundle); return(certBundle); } throw new Exception(string.Format( "Polling on pending certificate returned an unexpected result. Error code = {0}, Error message = {1}", pendingCertificate.Error.Code, pendingCertificate.Error.Message)); } throw new Exception(string.Format("Pending certificate processing delayed")); }
private async Task CertificatesMigrationGuide() { #region Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_Create AzureServiceTokenProvider provider = new AzureServiceTokenProvider(); KeyVaultClient client = new KeyVaultClient( new KeyVaultClient.AuthenticationCallback(provider.KeyVaultTokenCallback)); #endregion Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_Create #region Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_CreateWithOptions using (HttpClient httpClient = new HttpClient()) { //@@AzureServiceTokenProvider provider = new AzureServiceTokenProvider(); /*@@*/ provider = new AzureServiceTokenProvider(); //@@KeyVaultClient client = new KeyVaultClient( /*@@*/ client = new KeyVaultClient( new KeyVaultClient.AuthenticationCallback(provider.KeyVaultTokenCallback), httpClient); } #endregion Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_CreateWithOptions #region Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_CreateCustomPolicy CertificatePolicy policy = new CertificatePolicy { IssuerParameters = new IssuerParameters("issuer-name"), SecretProperties = new SecretProperties("application/x-pkcs12"), KeyProperties = new KeyProperties { KeyType = "RSA", KeySize = 2048, ReuseKey = true }, X509CertificateProperties = new X509CertificateProperties("CN=customdomain.com") { KeyUsage = new[] { KeyUsageType.CRLSign, KeyUsageType.DataEncipherment, KeyUsageType.DigitalSignature, KeyUsageType.KeyEncipherment, KeyUsageType.KeyAgreement, KeyUsageType.KeyCertSign }, ValidityInMonths = 12 }, LifetimeActions = new[] { new LifetimeAction( new Trigger { DaysBeforeExpiry = 90 }, new Models.Action(ActionType.AutoRenew)) } }; #endregion Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_CreateCustomPolicy { #region Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_CreateCertificate CertificateBundle certificate = null; // Start certificate creation. // Depending on the policy and your business process, this could even take days for manual signing. CertificateOperation createOperation = await client.CreateCertificateAsync("https://myvault.vault.azure.net", "certificate-name", policy); while (true) { if ("InProgress".Equals(createOperation.Status, StringComparison.OrdinalIgnoreCase)) { await Task.Delay(TimeSpan.FromSeconds(20)); createOperation = await client.GetCertificateOperationAsync("https://myvault.vault.azure.net", "certificate-name"); continue; } if ("Completed".Equals(createOperation.Status, StringComparison.OrdinalIgnoreCase)) { certificate = await client.GetCertificateAsync(createOperation.Id); break; } throw new Exception(string.Format( CultureInfo.InvariantCulture, "Polling on pending certificate returned an unexpected result. Error code = {0}, Error message = {1}", createOperation.Error.Code, createOperation.Error.Message)); } // If you need to restart the application you can recreate the operation and continue awaiting. do { createOperation = await client.GetCertificateOperationAsync("https://myvault.vault.azure.net", "certificate-name"); if ("InProgress".Equals(createOperation.Status, StringComparison.OrdinalIgnoreCase)) { await Task.Delay(TimeSpan.FromSeconds(20)); continue; } if ("Completed".Equals(createOperation.Status, StringComparison.OrdinalIgnoreCase)) { certificate = await client.GetCertificateAsync(createOperation.Id); break; } throw new Exception(string.Format( CultureInfo.InvariantCulture, "Polling on pending certificate returned an unexpected result. Error code = {0}, Error message = {1}", createOperation.Error.Code, createOperation.Error.Message)); } while (true); #endregion Snippet:Azure_Security_KeyVault_Certificates_Snippets_MigrationGuide_CreateCertificate } { #region Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_ImportCertificate byte[] cer = File.ReadAllBytes("certificate.pfx"); string cerBase64 = Convert.ToBase64String(cer); CertificateBundle certificate = await client.ImportCertificateAsync( "https://myvault.vault.azure.net", "certificate-name", cerBase64, certificatePolicy : policy); #endregion Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_ImportCertificate } #region Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_CreateSelfSignedPolicy //@@CertificatePolicy policy = new CertificatePolicy /*@@*/ policy = new CertificatePolicy { IssuerParameters = new IssuerParameters("Self"), X509CertificateProperties = new X509CertificateProperties("CN=DefaultPolicy") }; #endregion Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_CreateSelfSignedPolicy // TODO { #region Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_ListCertificates IPage <CertificateItem> page = await client.GetCertificatesAsync("https://myvault.vault.azure.net"); foreach (CertificateItem item in page) { CertificateIdentifier certificateId = item.Identifier; CertificateBundle certificate = await client.GetCertificateAsync(certificateId.Vault, certificateId.Name); } while (page.NextPageLink != null) { page = await client.GetCertificatesNextAsync(page.NextPageLink); foreach (CertificateItem item in page) { CertificateIdentifier certificateId = item.Identifier; CertificateBundle certificate = await client.GetCertificateAsync(certificateId.Vault, certificateId.Name); } } #endregion Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_ListCertificates } { #region Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_DeleteCertificate // Delete the certificate. DeletedCertificateBundle deletedCertificate = await client.DeleteCertificateAsync("https://myvault.vault.azure.net", "certificate-name"); // Purge or recover the deleted certificate if soft delete is enabled. if (deletedCertificate.RecoveryId != null) { DeletedCertificateIdentifier deletedCertificateId = deletedCertificate.RecoveryIdentifier; // Deleting a certificate does not happen immediately. Wait a while and check if the deleted certificate exists. while (true) { try { await client.GetDeletedCertificateAsync(deletedCertificateId.Vault, deletedCertificateId.Name); // Finally deleted. break; } catch (KeyVaultErrorException ex) when(ex.Response.StatusCode == HttpStatusCode.NotFound) { // Not yet deleted... } } // Purge the deleted certificate. await client.PurgeDeletedCertificateAsync(deletedCertificateId.Vault, deletedCertificateId.Name); // You can also recover the deleted certificate using RecoverDeletedCertificateAsync. } #endregion Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_DeleteCertificate } }
public ActionResult Index() { string keyVaultName = "<YOUR_VAULT's_NAME>"; string vaultBaseURL = $"https://{keyVaultName}.vault.azure.net"; //Get a token for accessing the Key Vault. var azureServiceTokenProvider = new AzureServiceTokenProvider(); //Create a Key Vault client for accessing the items in the vault; var keyVault = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback)); // Manage secrets in the Key Vault. // Create a new secret string secretName = "secret-az204"; Task.Run(async() => await keyVault.SetSecretAsync(vaultBaseURL, secretName, "This is a secret testing value")).Wait(); var secret = Task.Run(async() => await keyVault.GetSecretAsync ($"{vaultBaseURL}/secrets/{secretName}")).GetAwaiter().GetResult(); // Update an existing secret Task.Run(async() => await keyVault.SetSecretAsync(vaultBaseURL, secretName, "Updated the secret testing value")).Wait(); secret = Task.Run(async() => await keyVault.GetSecretAsync ($"{vaultBaseURL}/secrets/{secretName}")).GetAwaiter().GetResult(); // Delete the secret Task.Run(async() => await keyVault.DeleteSecretAsync(vaultBaseURL, secretName)).Wait(); // Manage certificates in the Key Vault string certName = "cert-az204"; // Create a new self-signed certificate var policy = new CertificatePolicy { IssuerParameters = new IssuerParameters { Name = "Self", }, KeyProperties = new KeyProperties { Exportable = true, KeySize = 2048, KeyType = "RSA" }, SecretProperties = new SecretProperties { ContentType = "application/x-pkcs12" }, X509CertificateProperties = new X509CertificateProperties { Subject = "CN=AZ204KEYVAULTDEMO" } }; Task.Run(async() => await keyVault.CreateCertificateAsync(vaultBaseURL, certName, policy, new CertificateAttributes { Enabled = true })).Wait(); // When you create a new certificate in the Key Vault it takes some time // before it's ready. // We added some wait time here for the sake of simplicity. Thread.Sleep(10000); var certificate = Task.Run(async() => await keyVault.GetCertificateAsync (vaultBaseURL, certName)).GetAwaiter().GetResult(); // Update properties associated with the certificate. CertificatePolicy updatePolicy = new CertificatePolicy { X509CertificateProperties = new X509CertificateProperties { SubjectAlternativeNames = new SubjectAlternativeNames { DnsNames = new[] { "az204.examref.testing" } } } }; Task.Run(async() => await keyVault.UpdateCertificatePolicyAsync( vaultBaseURL, certName, updatePolicy)).Wait(); Task.Run(async() => await keyVault.CreateCertificateAsync(vaultBaseURL, certName)).Wait(); Thread.Sleep(10000); certificate = Task.Run(async() => await keyVault.GetCertificateAsync( vaultBaseURL, certName)). GetAwaiter().GetResult(); Task.Run(async() => await keyVault.UpdateCertificateAsync(certificate. CertificateIdentifier.Identifier, null, new CertificateAttributes { Enabled = false })).Wait(); Thread.Sleep(10000); // Delete the self-signed certificate. Task.Run(async() => await keyVault.DeleteCertificateAsync(vaultBaseURL, certName)).Wait(); // Manage keys in the Key Vault string keyName = "key-az204"; NewKeyParameters keyParameters = new NewKeyParameters { Kty = "EC", CurveName = "SECP256K1", KeyOps = new[] { "sign", "verify" } }; Task.Run(async() => await keyVault.CreateKeyAsync(vaultBaseURL, keyName, keyParameters)).Wait(); var key = Task.Run(async() => await keyVault.GetKeyAsync(vaultBaseURL, keyName)).GetAwaiter().GetResult(); // Update keys in the Key Vault Task.Run(async() => await keyVault.UpdateKeyAsync(vaultBaseURL, keyName, null, new KeyAttributes { Expires = DateTime.UtcNow. AddYears(1) })).Wait(); key = Task.Run(async() => await keyVault.GetKeyAsync(vaultBaseURL, keyName)).GetAwaiter().GetResult(); // Delete keys from the Key Vault Task.Run(async() => await keyVault.DeleteKeyAsync(vaultBaseURL, keyName)). Wait(); return(View()); }