public async Task <CertificateOperation> CreateCsrAsync(string vaultName, string certificateName, string displayName)
{
var policy = new CertificatePolicy()
{
X509CertificateProperties = new X509CertificateProperties
{
Subject = $"CN={displayName}"
},
KeyProperties = new KeyProperties
{
KeySize = 2048,
KeyType = "RSA-HSM"
},
IssuerParameters = new IssuerParameters
{
Name = "Unknown" // External CA
}
};
var vault = await GetVaultAsync(vaultName).ConfigureAwait(false);
var op = await kvClient.CreateCertificateAsync(vault.VaultUri, certificateName, policy).ConfigureAwait(false);
return(op);
}
// NOTE - this would be the preferred way to create the certificate in Azure Key Vault, as the certificate's private key never leaves
// the service. However, it does not currently support specifying that we want to create a CA certificate using the certificate basic constraints.
// This code is left here for reference.
//
// ReSharper disable once UnusedMember.Local
private async Task <X509Certificate2> CreateCertificateInKeyVaultAsync(KeyVaultClient client)
{
var certificateOperation = await client.CreateCertificateAsync(
_vaultBaseUrl,
_certificateName,
new CertificatePolicy(
keyProperties : new KeyProperties(false, "RSA", 2048, false),
x509CertificateProperties : new X509CertificateProperties(
"CN=" + RootSubjectName,
keyUsage : new List <string> {
X509KeyUsageFlags.KeyCertSign.ToString()
},
ekus : new List <string> {
"1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.1"
}),
issuerParameters : new IssuerParameters("Self")));
while (certificateOperation.Status == "inProgress")
{
Console.WriteLine($"Creation of certificate '{_certificateName}' is in progress");
await Task.Delay(1000);
certificateOperation = await client.GetCertificateOperationAsync(_vaultBaseUrl, _certificateName);
}
Console.WriteLine($"Creation of certificate '{_certificateName}' is in status '{certificateOperation.Status}'");
var certificate = await client.GetCertificateAsync(_vaultBaseUrl, _certificateName);
return(new X509Certificate2(certificate.Cer));
}
public async Task <CertificateOperation> CreateCertificateAsync(
string certificateName,
string certificateCN,
IDictionary <string, string> tags = null,
CancellationToken cancellationToken = default
)
{
try {
tags ??= new Dictionary <string, string>();
Log.Information($"Adding certificate to Azure KeyVault: {certificateName} ...");
// ToDo: Add support of PEM certificate creation: CertificateContentType.Pem
var contentType = CertificateContentType.Pfx;
var certificatePolicy = new CertificatePolicy {
KeyProperties = new KeyProperties {
Exportable = true,
KeyType = "RSA",
KeySize = 2048,
ReuseKey = false
},
SecretProperties = new SecretProperties {
ContentType = contentType
},
X509CertificateProperties = new X509CertificateProperties {
Subject = $"CN={certificateCN}",
SubjectAlternativeNames = new SubjectAlternativeNames {
DnsNames = new string[] { certificateCN }
}
},
IssuerParameters = new IssuerParameters {
Name = "Self"
}
};
certificatePolicy.Validate();
var certificateAttributes = new CertificateAttributes();
var certificateOperation = await _keyVaultClient
.CreateCertificateAsync(
_keyVault.Properties.VaultUri,
certificateName,
certificatePolicy,
certificateAttributes,
tags,
cancellationToken
);
Log.Information($"Added certificate to Azure KeyVault: {certificateName}");
return(certificateOperation);
}
catch (Exception ex) {
Log.Error(ex, $"Failed to add certificate to Azure KeyVault: {certificateName}");
throw;
}
}
/// <summary>
/// Creates a certificate
/// </summary>
/// <param name="certificateName"> the name of the created certificate </param>
/// <returns> The created certificate </returns>
private static CertificateOperation CreateCertificate(out string certificateName)
{
var vaultAddress = inputValidator.GetVaultAddress();
certificateName = inputValidator.GetCertificateName();
// Create a self-signed certificate backed by a 2048 bit RSA key
var policy = new CertificatePolicy
{
IssuerReference = new IssuerReference
{
Name = "Self",
},
KeyProperties = new KeyProperties
{
Exportable = true,
KeySize = 2048,
KeyType = "RSA"
},
SecretProperties = new SecretProperties
{
ContentType = "application/x-pkcs12"
},
X509CertificateProperties = new X509CertificateProperties
{
Subject = "CN=KEYVAULTDEMO"
}
};
var tags = inputValidator.GetTags();
var certificateOperation = keyVaultClient.CreateCertificateAsync(vaultAddress, certificateName, policy,
new CertificateAttributes {
Enabled = true
}, tags).GetAwaiter().GetResult();
Console.Out.WriteLine("Created certificate:---------------");
PrintoutCertificateOperation(certificateOperation);
return(certificateOperation);
}
/// <summary>
/// Creates a certificate
/// </summary>
/// <param name="certificateName"> the name of the created certificate </param>
/// <returns> The created certificate </returns>
private static CertificateBundle CreateCertificate(out string certificateName)
{
var vaultAddress = inputValidator.GetVaultAddress();
certificateName = inputValidator.GetCertificateName();
// Create a self-signed certificate backed by a 2048 bit RSA key
var policy = new CertificatePolicy
{
IssuerReference = new IssuerReference
{
Name = "Self",
},
KeyProperties = new KeyProperties
{
Exportable = true,
KeySize = 2048,
KeyType = "RSA"
},
SecretProperties = new SecretProperties
{
ContentType = "application/x-pem-file"
//ContentType = "application/x-pkcs12"
},
X509CertificateProperties = new X509CertificateProperties
{
Subject = "CN=KEYVAULTDEMO"
}
};
var tags = inputValidator.GetTags();
var name = certificateName;
var pendingCertificate = Task.Run(() => keyVaultClient.CreateCertificateAsync(vaultAddress, name, policy,
new CertificateAttributes {
Enabled = true
}, tags)).ConfigureAwait(false).GetAwaiter().GetResult();
// Certificate request is created.
// Poll for certificate creation status until pending is complete.
var pendingPollCount = 0;
while (pendingPollCount < 11)
{
var pendingCertificateResponse = Task.Run(() =>
keyVaultClient.GetCertificateOperationAsync(vaultAddress, pendingCertificate.CertificateOperationIdentifier.Name))
.ConfigureAwait(false).GetAwaiter().GetResult();
PrintoutCertificateOperation(pendingCertificateResponse);
if (0 == string.Compare(pendingCertificateResponse.Status, "InProgress", true))
{
Console.Out.WriteLine("Waiting on the long running operation to complete creating the certificate...");
Thread.Sleep(TimeSpan.FromSeconds(5));
pendingPollCount++;
continue;
}
if (0 == string.Compare(pendingCertificateResponse.Status, "Completed", true))
{
var certBundle = Task.Run(() => keyVaultClient.GetCertificateAsync(pendingCertificateResponse.Target)).ConfigureAwait(false).GetAwaiter().GetResult();
Console.Out.WriteLine("Created certificate:---------------");
PrintoutCertificate(certBundle);
return(certBundle);
}
throw new Exception(string.Format(
"Polling on pending certificate returned an unexpected result. Error code = {0}, Error message = {1}",
pendingCertificate.Error.Code,
pendingCertificate.Error.Message));
}
throw new Exception(string.Format("Pending certificate processing delayed"));
}
private async Task CertificatesMigrationGuide()
{
#region Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_Create
AzureServiceTokenProvider provider = new AzureServiceTokenProvider();
KeyVaultClient client = new KeyVaultClient(
new KeyVaultClient.AuthenticationCallback(provider.KeyVaultTokenCallback));
#endregion Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_Create
#region Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_CreateWithOptions
using (HttpClient httpClient = new HttpClient())
{
//@@AzureServiceTokenProvider provider = new AzureServiceTokenProvider();
/*@@*/ provider = new AzureServiceTokenProvider();
//@@KeyVaultClient client = new KeyVaultClient(
/*@@*/ client = new KeyVaultClient(
new KeyVaultClient.AuthenticationCallback(provider.KeyVaultTokenCallback),
httpClient);
}
#endregion Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_CreateWithOptions
#region Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_CreateCustomPolicy
CertificatePolicy policy = new CertificatePolicy
{
IssuerParameters = new IssuerParameters("issuer-name"),
SecretProperties = new SecretProperties("application/x-pkcs12"),
KeyProperties = new KeyProperties
{
KeyType = "RSA",
KeySize = 2048,
ReuseKey = true
},
X509CertificateProperties = new X509CertificateProperties("CN=customdomain.com")
{
KeyUsage = new[]
{
KeyUsageType.CRLSign,
KeyUsageType.DataEncipherment,
KeyUsageType.DigitalSignature,
KeyUsageType.KeyEncipherment,
KeyUsageType.KeyAgreement,
KeyUsageType.KeyCertSign
},
ValidityInMonths = 12
},
LifetimeActions = new[]
{
new LifetimeAction(
new Trigger
{
DaysBeforeExpiry = 90
},
new Models.Action(ActionType.AutoRenew))
}
};
#endregion Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_CreateCustomPolicy
{
#region Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_CreateCertificate
CertificateBundle certificate = null;
// Start certificate creation.
// Depending on the policy and your business process, this could even take days for manual signing.
CertificateOperation createOperation = await client.CreateCertificateAsync("https://myvault.vault.azure.net", "certificate-name", policy);
while (true)
{
if ("InProgress".Equals(createOperation.Status, StringComparison.OrdinalIgnoreCase))
{
await Task.Delay(TimeSpan.FromSeconds(20));
createOperation = await client.GetCertificateOperationAsync("https://myvault.vault.azure.net", "certificate-name");
continue;
}
if ("Completed".Equals(createOperation.Status, StringComparison.OrdinalIgnoreCase))
{
certificate = await client.GetCertificateAsync(createOperation.Id);
break;
}
throw new Exception(string.Format(
CultureInfo.InvariantCulture,
"Polling on pending certificate returned an unexpected result. Error code = {0}, Error message = {1}",
createOperation.Error.Code,
createOperation.Error.Message));
}
// If you need to restart the application you can recreate the operation and continue awaiting.
do
{
createOperation = await client.GetCertificateOperationAsync("https://myvault.vault.azure.net", "certificate-name");
if ("InProgress".Equals(createOperation.Status, StringComparison.OrdinalIgnoreCase))
{
await Task.Delay(TimeSpan.FromSeconds(20));
continue;
}
if ("Completed".Equals(createOperation.Status, StringComparison.OrdinalIgnoreCase))
{
certificate = await client.GetCertificateAsync(createOperation.Id);
break;
}
throw new Exception(string.Format(
CultureInfo.InvariantCulture,
"Polling on pending certificate returned an unexpected result. Error code = {0}, Error message = {1}",
createOperation.Error.Code,
createOperation.Error.Message));
} while (true);
#endregion Snippet:Azure_Security_KeyVault_Certificates_Snippets_MigrationGuide_CreateCertificate
}
{
#region Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_ImportCertificate
byte[] cer = File.ReadAllBytes("certificate.pfx");
string cerBase64 = Convert.ToBase64String(cer);
CertificateBundle certificate = await client.ImportCertificateAsync(
"https://myvault.vault.azure.net",
"certificate-name",
cerBase64,
certificatePolicy : policy);
#endregion Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_ImportCertificate
}
#region Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_CreateSelfSignedPolicy
//@@CertificatePolicy policy = new CertificatePolicy
/*@@*/
policy = new CertificatePolicy
{
IssuerParameters = new IssuerParameters("Self"),
X509CertificateProperties = new X509CertificateProperties("CN=DefaultPolicy")
};
#endregion Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_CreateSelfSignedPolicy
// TODO
{
#region Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_ListCertificates
IPage <CertificateItem> page = await client.GetCertificatesAsync("https://myvault.vault.azure.net");
foreach (CertificateItem item in page)
{
CertificateIdentifier certificateId = item.Identifier;
CertificateBundle certificate = await client.GetCertificateAsync(certificateId.Vault, certificateId.Name);
}
while (page.NextPageLink != null)
{
page = await client.GetCertificatesNextAsync(page.NextPageLink);
foreach (CertificateItem item in page)
{
CertificateIdentifier certificateId = item.Identifier;
CertificateBundle certificate = await client.GetCertificateAsync(certificateId.Vault, certificateId.Name);
}
}
#endregion Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_ListCertificates
}
{
#region Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_DeleteCertificate
// Delete the certificate.
DeletedCertificateBundle deletedCertificate = await client.DeleteCertificateAsync("https://myvault.vault.azure.net", "certificate-name");
// Purge or recover the deleted certificate if soft delete is enabled.
if (deletedCertificate.RecoveryId != null)
{
DeletedCertificateIdentifier deletedCertificateId = deletedCertificate.RecoveryIdentifier;
// Deleting a certificate does not happen immediately. Wait a while and check if the deleted certificate exists.
while (true)
{
try
{
await client.GetDeletedCertificateAsync(deletedCertificateId.Vault, deletedCertificateId.Name);
// Finally deleted.
break;
}
catch (KeyVaultErrorException ex) when(ex.Response.StatusCode == HttpStatusCode.NotFound)
{
// Not yet deleted...
}
}
// Purge the deleted certificate.
await client.PurgeDeletedCertificateAsync(deletedCertificateId.Vault, deletedCertificateId.Name);
// You can also recover the deleted certificate using RecoverDeletedCertificateAsync.
}
#endregion Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_DeleteCertificate
}
}
public ActionResult Index()
{
string keyVaultName = "<YOUR_VAULT's_NAME>";
string vaultBaseURL = $"https://{keyVaultName}.vault.azure.net";
//Get a token for accessing the Key Vault.
var azureServiceTokenProvider = new AzureServiceTokenProvider();
//Create a Key Vault client for accessing the items in the vault;
var keyVault = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
// Manage secrets in the Key Vault.
// Create a new secret
string secretName = "secret-az204";
Task.Run(async() => await keyVault.SetSecretAsync(vaultBaseURL,
secretName,
"This is a secret testing value")).Wait();
var secret = Task.Run(async() => await keyVault.GetSecretAsync
($"{vaultBaseURL}/secrets/{secretName}")).GetAwaiter().GetResult();
// Update an existing secret
Task.Run(async() => await keyVault.SetSecretAsync(vaultBaseURL,
secretName,
"Updated the secret testing value")).Wait();
secret = Task.Run(async() => await keyVault.GetSecretAsync
($"{vaultBaseURL}/secrets/{secretName}")).GetAwaiter().GetResult();
// Delete the secret
Task.Run(async() => await keyVault.DeleteSecretAsync(vaultBaseURL,
secretName)).Wait();
// Manage certificates in the Key Vault
string certName = "cert-az204";
// Create a new self-signed certificate
var policy = new CertificatePolicy
{
IssuerParameters = new IssuerParameters
{
Name = "Self",
},
KeyProperties = new KeyProperties
{
Exportable = true,
KeySize = 2048,
KeyType = "RSA"
},
SecretProperties = new SecretProperties
{
ContentType = "application/x-pkcs12"
},
X509CertificateProperties = new X509CertificateProperties
{
Subject = "CN=AZ204KEYVAULTDEMO"
}
};
Task.Run(async() => await keyVault.CreateCertificateAsync(vaultBaseURL,
certName, policy, new CertificateAttributes {
Enabled = true
})).Wait();
// When you create a new certificate in the Key Vault it takes some time
// before it's ready.
// We added some wait time here for the sake of simplicity.
Thread.Sleep(10000);
var certificate = Task.Run(async() => await keyVault.GetCertificateAsync
(vaultBaseURL, certName)).GetAwaiter().GetResult();
// Update properties associated with the certificate.
CertificatePolicy updatePolicy = new CertificatePolicy
{
X509CertificateProperties = new X509CertificateProperties
{
SubjectAlternativeNames = new SubjectAlternativeNames
{
DnsNames = new[] { "az204.examref.testing" }
}
}
};
Task.Run(async() => await keyVault.UpdateCertificatePolicyAsync(
vaultBaseURL, certName, updatePolicy)).Wait();
Task.Run(async() => await keyVault.CreateCertificateAsync(vaultBaseURL,
certName)).Wait();
Thread.Sleep(10000);
certificate = Task.Run(async() => await keyVault.GetCertificateAsync(
vaultBaseURL, certName)).
GetAwaiter().GetResult();
Task.Run(async() => await keyVault.UpdateCertificateAsync(certificate.
CertificateIdentifier.Identifier, null,
new CertificateAttributes
{
Enabled =
false
})).Wait();
Thread.Sleep(10000);
// Delete the self-signed certificate.
Task.Run(async() => await keyVault.DeleteCertificateAsync(vaultBaseURL,
certName)).Wait();
// Manage keys in the Key Vault
string keyName = "key-az204";
NewKeyParameters keyParameters = new NewKeyParameters
{
Kty = "EC",
CurveName = "SECP256K1",
KeyOps = new[] { "sign", "verify" }
};
Task.Run(async() => await keyVault.CreateKeyAsync(vaultBaseURL, keyName,
keyParameters)).Wait();
var key = Task.Run(async() => await keyVault.GetKeyAsync(vaultBaseURL,
keyName)).GetAwaiter().GetResult();
// Update keys in the Key Vault
Task.Run(async() => await keyVault.UpdateKeyAsync(vaultBaseURL, keyName,
null, new KeyAttributes
{
Expires = DateTime.UtcNow.
AddYears(1)
})).Wait();
key = Task.Run(async() => await keyVault.GetKeyAsync(vaultBaseURL,
keyName)).GetAwaiter().GetResult();
// Delete keys from the Key Vault
Task.Run(async() => await keyVault.DeleteKeyAsync(vaultBaseURL, keyName)).
Wait();
return(View());
}
