private async Task WaitForCertificateCreationAsync(
string certificateName,
CancellationToken cancellationToken = default
)
{
var webAppCertificateOperation = await _keyVaultClient
.GetCertificateOperationAsync(
_keyVault.Properties.VaultUri,
certificateName,
cancellationToken
);
while (webAppCertificateOperation.Status.ToLower().Equals("inprogress"))
{
cancellationToken.ThrowIfCancellationRequested();
await Task.Delay(1000, cancellationToken);
webAppCertificateOperation = await _keyVaultClient
.GetCertificateOperationAsync(
_keyVault.Properties.VaultUri,
certificateName,
cancellationToken
);
}
}
/// <summary>
/// Wait for certificate to be created.
/// </summary>
/// <param name="certificateName"></param>
/// <param name="cancellationToken"></param>
/// <returns></returns>
private async Task WaitForCertificateCreationAsync(
string certificateName,
CancellationToken cancellationToken = default
)
{
if (string.IsNullOrEmpty(certificateName))
{
throw new ArgumentNullException(nameof(certificateName));
}
var certificateOperation = await _keyVaultClient
.GetCertificateOperationAsync(
_keyVault.Properties.VaultUri,
certificateName,
cancellationToken
);
while (certificateOperation.Status.ToLower().Equals("inprogress"))
{
cancellationToken.ThrowIfCancellationRequested();
await Task.Delay(1000, cancellationToken);
certificateOperation = await _keyVaultClient
.GetCertificateOperationAsync(
_keyVault.Properties.VaultUri,
certificateName,
cancellationToken
);
}
}
// NOTE - this would be the preferred way to create the certificate in Azure Key Vault, as the certificate's private key never leaves
// the service. However, it does not currently support specifying that we want to create a CA certificate using the certificate basic constraints.
// This code is left here for reference.
//
// ReSharper disable once UnusedMember.Local
private async Task <X509Certificate2> CreateCertificateInKeyVaultAsync(KeyVaultClient client)
{
var certificateOperation = await client.CreateCertificateAsync(
_vaultBaseUrl,
_certificateName,
new CertificatePolicy(
keyProperties : new KeyProperties(false, "RSA", 2048, false),
x509CertificateProperties : new X509CertificateProperties(
"CN=" + RootSubjectName,
keyUsage : new List <string> {
X509KeyUsageFlags.KeyCertSign.ToString()
},
ekus : new List <string> {
"1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.1"
}),
issuerParameters : new IssuerParameters("Self")));
while (certificateOperation.Status == "inProgress")
{
Console.WriteLine($"Creation of certificate '{_certificateName}' is in progress");
await Task.Delay(1000);
certificateOperation = await client.GetCertificateOperationAsync(_vaultBaseUrl, _certificateName);
}
Console.WriteLine($"Creation of certificate '{_certificateName}' is in status '{certificateOperation.Status}'");
var certificate = await client.GetCertificateAsync(_vaultBaseUrl, _certificateName);
return(new X509Certificate2(certificate.Cer));
}
public async Task <CertificateOperation> GetCertificateOperation(string vaultUrl, string certificateName)
{
try
{
var op = await kvClient.GetCertificateOperationAsync(vaultUrl, certificateName).ConfigureAwait(false);
return(op);
} // May not be any pending operations
catch (KeyVaultErrorException e) when(e.Response.StatusCode == HttpStatusCode.NotFound)
{
return(null);
}
}
/// <summary>
/// Creates a certificate
/// </summary>
/// <param name="certificateName"> the name of the created certificate </param>
/// <returns> The created certificate </returns>
private static CertificateBundle CreateCertificate(out string certificateName)
{
var vaultAddress = inputValidator.GetVaultAddress();
certificateName = inputValidator.GetCertificateName();
// Create a self-signed certificate backed by a 2048 bit RSA key
var policy = new CertificatePolicy
{
IssuerReference = new IssuerReference
{
Name = "Self",
},
KeyProperties = new KeyProperties
{
Exportable = true,
KeySize = 2048,
KeyType = "RSA"
},
SecretProperties = new SecretProperties
{
ContentType = "application/x-pem-file"
//ContentType = "application/x-pkcs12"
},
X509CertificateProperties = new X509CertificateProperties
{
Subject = "CN=KEYVAULTDEMO"
}
};
var tags = inputValidator.GetTags();
var name = certificateName;
var pendingCertificate = Task.Run(() => keyVaultClient.CreateCertificateAsync(vaultAddress, name, policy,
new CertificateAttributes {
Enabled = true
}, tags)).ConfigureAwait(false).GetAwaiter().GetResult();
// Certificate request is created.
// Poll for certificate creation status until pending is complete.
var pendingPollCount = 0;
while (pendingPollCount < 11)
{
var pendingCertificateResponse = Task.Run(() =>
keyVaultClient.GetCertificateOperationAsync(vaultAddress, pendingCertificate.CertificateOperationIdentifier.Name))
.ConfigureAwait(false).GetAwaiter().GetResult();
PrintoutCertificateOperation(pendingCertificateResponse);
if (0 == string.Compare(pendingCertificateResponse.Status, "InProgress", true))
{
Console.Out.WriteLine("Waiting on the long running operation to complete creating the certificate...");
Thread.Sleep(TimeSpan.FromSeconds(5));
pendingPollCount++;
continue;
}
if (0 == string.Compare(pendingCertificateResponse.Status, "Completed", true))
{
var certBundle = Task.Run(() => keyVaultClient.GetCertificateAsync(pendingCertificateResponse.Target)).ConfigureAwait(false).GetAwaiter().GetResult();
Console.Out.WriteLine("Created certificate:---------------");
PrintoutCertificate(certBundle);
return(certBundle);
}
throw new Exception(string.Format(
"Polling on pending certificate returned an unexpected result. Error code = {0}, Error message = {1}",
pendingCertificate.Error.Code,
pendingCertificate.Error.Message));
}
throw new Exception(string.Format("Pending certificate processing delayed"));
}
private async Task CertificatesMigrationGuide()
{
#region Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_Create
AzureServiceTokenProvider provider = new AzureServiceTokenProvider();
KeyVaultClient client = new KeyVaultClient(
new KeyVaultClient.AuthenticationCallback(provider.KeyVaultTokenCallback));
#endregion Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_Create
#region Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_CreateWithOptions
using (HttpClient httpClient = new HttpClient())
{
//@@AzureServiceTokenProvider provider = new AzureServiceTokenProvider();
/*@@*/ provider = new AzureServiceTokenProvider();
//@@KeyVaultClient client = new KeyVaultClient(
/*@@*/ client = new KeyVaultClient(
new KeyVaultClient.AuthenticationCallback(provider.KeyVaultTokenCallback),
httpClient);
}
#endregion Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_CreateWithOptions
#region Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_CreateCustomPolicy
CertificatePolicy policy = new CertificatePolicy
{
IssuerParameters = new IssuerParameters("issuer-name"),
SecretProperties = new SecretProperties("application/x-pkcs12"),
KeyProperties = new KeyProperties
{
KeyType = "RSA",
KeySize = 2048,
ReuseKey = true
},
X509CertificateProperties = new X509CertificateProperties("CN=customdomain.com")
{
KeyUsage = new[]
{
KeyUsageType.CRLSign,
KeyUsageType.DataEncipherment,
KeyUsageType.DigitalSignature,
KeyUsageType.KeyEncipherment,
KeyUsageType.KeyAgreement,
KeyUsageType.KeyCertSign
},
ValidityInMonths = 12
},
LifetimeActions = new[]
{
new LifetimeAction(
new Trigger
{
DaysBeforeExpiry = 90
},
new Models.Action(ActionType.AutoRenew))
}
};
#endregion Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_CreateCustomPolicy
{
#region Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_CreateCertificate
CertificateBundle certificate = null;
// Start certificate creation.
// Depending on the policy and your business process, this could even take days for manual signing.
CertificateOperation createOperation = await client.CreateCertificateAsync("https://myvault.vault.azure.net", "certificate-name", policy);
while (true)
{
if ("InProgress".Equals(createOperation.Status, StringComparison.OrdinalIgnoreCase))
{
await Task.Delay(TimeSpan.FromSeconds(20));
createOperation = await client.GetCertificateOperationAsync("https://myvault.vault.azure.net", "certificate-name");
continue;
}
if ("Completed".Equals(createOperation.Status, StringComparison.OrdinalIgnoreCase))
{
certificate = await client.GetCertificateAsync(createOperation.Id);
break;
}
throw new Exception(string.Format(
CultureInfo.InvariantCulture,
"Polling on pending certificate returned an unexpected result. Error code = {0}, Error message = {1}",
createOperation.Error.Code,
createOperation.Error.Message));
}
// If you need to restart the application you can recreate the operation and continue awaiting.
do
{
createOperation = await client.GetCertificateOperationAsync("https://myvault.vault.azure.net", "certificate-name");
if ("InProgress".Equals(createOperation.Status, StringComparison.OrdinalIgnoreCase))
{
await Task.Delay(TimeSpan.FromSeconds(20));
continue;
}
if ("Completed".Equals(createOperation.Status, StringComparison.OrdinalIgnoreCase))
{
certificate = await client.GetCertificateAsync(createOperation.Id);
break;
}
throw new Exception(string.Format(
CultureInfo.InvariantCulture,
"Polling on pending certificate returned an unexpected result. Error code = {0}, Error message = {1}",
createOperation.Error.Code,
createOperation.Error.Message));
} while (true);
#endregion Snippet:Azure_Security_KeyVault_Certificates_Snippets_MigrationGuide_CreateCertificate
}
{
#region Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_ImportCertificate
byte[] cer = File.ReadAllBytes("certificate.pfx");
string cerBase64 = Convert.ToBase64String(cer);
CertificateBundle certificate = await client.ImportCertificateAsync(
"https://myvault.vault.azure.net",
"certificate-name",
cerBase64,
certificatePolicy : policy);
#endregion Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_ImportCertificate
}
#region Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_CreateSelfSignedPolicy
//@@CertificatePolicy policy = new CertificatePolicy
/*@@*/
policy = new CertificatePolicy
{
IssuerParameters = new IssuerParameters("Self"),
X509CertificateProperties = new X509CertificateProperties("CN=DefaultPolicy")
};
#endregion Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_CreateSelfSignedPolicy
// TODO
{
#region Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_ListCertificates
IPage <CertificateItem> page = await client.GetCertificatesAsync("https://myvault.vault.azure.net");
foreach (CertificateItem item in page)
{
CertificateIdentifier certificateId = item.Identifier;
CertificateBundle certificate = await client.GetCertificateAsync(certificateId.Vault, certificateId.Name);
}
while (page.NextPageLink != null)
{
page = await client.GetCertificatesNextAsync(page.NextPageLink);
foreach (CertificateItem item in page)
{
CertificateIdentifier certificateId = item.Identifier;
CertificateBundle certificate = await client.GetCertificateAsync(certificateId.Vault, certificateId.Name);
}
}
#endregion Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_ListCertificates
}
{
#region Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_DeleteCertificate
// Delete the certificate.
DeletedCertificateBundle deletedCertificate = await client.DeleteCertificateAsync("https://myvault.vault.azure.net", "certificate-name");
// Purge or recover the deleted certificate if soft delete is enabled.
if (deletedCertificate.RecoveryId != null)
{
DeletedCertificateIdentifier deletedCertificateId = deletedCertificate.RecoveryIdentifier;
// Deleting a certificate does not happen immediately. Wait a while and check if the deleted certificate exists.
while (true)
{
try
{
await client.GetDeletedCertificateAsync(deletedCertificateId.Vault, deletedCertificateId.Name);
// Finally deleted.
break;
}
catch (KeyVaultErrorException ex) when(ex.Response.StatusCode == HttpStatusCode.NotFound)
{
// Not yet deleted...
}
}
// Purge the deleted certificate.
await client.PurgeDeletedCertificateAsync(deletedCertificateId.Vault, deletedCertificateId.Name);
// You can also recover the deleted certificate using RecoverDeletedCertificateAsync.
}
#endregion Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_DeleteCertificate
}
}
