private async Task <X509Certificate2> ImportCertificateToKeyVaultAsync(KeyVaultClient client, X509Certificate2 certificate)
{
CertificateBundle certificateBundle = await client.ImportCertificateAsync(
_vaultBaseUrl,
_certificateName,
new X509Certificate2Collection(certificate),
new CertificatePolicy(
keyProperties : new KeyProperties(false, "RSA", 2048, false),
secretProperties : new SecretProperties("application/x-pkcs12")));
return(new X509Certificate2(certificateBundle.Cer));
}
/// <summary>
/// Imports a certificate
/// </summary>
/// <param name="certificateName"> the name of the created certificate </param>
/// <returns> The imported certificate </returns>
private static CertificateBundle ImportCertificate(out string certificateName)
{
var vaultAddress = inputValidator.GetVaultAddress();
certificateName = inputValidator.GetCertificateName();
var pfxPath = inputValidator.GetPfxPath();
var pfxPassword = inputValidator.GetPfxPassword();
var policy = new CertificatePolicy
{
KeyProperties = new KeyProperties
{
Exportable = true,
KeyType = "RSA"
},
SecretProperties = new SecretProperties
{
ContentType = "application/x-pem-file"
//ContentType = CertificateContentType.Pfx
}
};
var base64X509 = string.Empty;
if (File.Exists(pfxPath))
{
var x509Collection = new X509Certificate2Collection();
x509Collection.Import(pfxPath, pfxPassword, X509KeyStorageFlags.Exportable);
// A pfx can contain a chain
var x509Bytes = x509Collection.Cast <X509Certificate2>().Single(s => s.HasPrivateKey).Export(X509ContentType.Pfx, pfxPassword);
base64X509 = Convert.ToBase64String(x509Bytes);
}
else
{
//base64X509 = "aaaaaaaaaaaaaaa\naaaaaaaaaaaaaaaa";
base64X509 = "yourcert";
}
var name = certificateName;
var certificate = Task.Run(() => keyVaultClient.ImportCertificateAsync(vaultAddress, name, base64X509, pfxPassword,
policy)).ConfigureAwait(false).GetAwaiter().GetResult();
Console.Out.WriteLine("Created certificate:---------------");
PrintoutCertificate(certificate);
return(certificate);
}
/// <summary>
/// Imports a certificate
/// </summary>
/// <param name="certificateName"> the name of the created certificate </param>
/// <returns> The imported certificate </returns>
private static CertificateBundle ImportCertificate(out string certificateName)
{
var vaultAddress = inputValidator.GetVaultAddress();
certificateName = inputValidator.GetCertificateName();
var pfxPath = inputValidator.GetPfxPath();
var pfxPassword = inputValidator.GetPfxPassword();
var policy = new CertificatePolicy
{
KeyProperties = new KeyProperties
{
Exportable = true,
KeyType = "RSA"
},
SecretProperties = new SecretProperties
{
ContentType = CertificateContentType.Pfx
}
};
var base64X509 = string.Empty;
if (File.Exists(pfxPath))
{
var x509Collection = new X509Certificate2Collection();
x509Collection.Import(pfxPath, pfxPassword, X509KeyStorageFlags.Exportable);
// A pfx can contain a chain
var x509Bytes = x509Collection.Cast <X509Certificate2>().Single(s => s.HasPrivateKey).Export(X509ContentType.Pfx, pfxPassword);
base64X509 = Convert.ToBase64String(x509Bytes);
}
else
{
base64X509 = "MIIJOwIBAzCCCPcGCSqGSIb3DQEHAaCCCOgEggjkMIII4DCCBgkGCSqGSIb3DQEHAaCCBfoEggX2MIIF8jCCBe4GCyqGSIb3DQEMCgECoIIE / jCCBPowHAYKKoZIhvcNAQwBAzAOBAj15YH9pOE58AICB9AEggTYLrI + SAru2dBZRQRlJY7XQ3LeLkah2FcRR3dATDshZ2h0IA2oBrkQIdsLyAAWZ32qYR1qkWxLHn9AqXgu27AEbOk35 + pITZaiy63YYBkkpR + pDdngZt19Z0PWrGwHEq5z6BHS2GLyyN8SSOCbdzCz7blj3 + 7IZYoMj4WOPgOm / tQ6U44SFWek46QwN2zeA4i97v7ftNNns27ms52jqfhOvTA9c / wyfZKAY4aKJfYYUmycKjnnRl012ldS2lOkASFt + lu4QCa72IY6ePtRudPCvmzRv2pkLYS6z3cI7omT8nHP3DymNOqLbFqr5O2M1ZYaLC63Q3xt3eVvbcPh3N08D1hHkhz / KDTvkRAQpvrW8ISKmgDdmzN55Pe55xHfSWGB7gPw8sZea57IxFzWHTK2yvTslooWoosmGxanYY2IG / no3EbPOWDKjPZ4ilYJe5JJ2immlxPz + 2e2EOCKpDI + 7fzQcRz3PTd3BK + budZ8aXX8aW / lOgKS8WmxZoKnOJBNWeTNWQFugmktXfdPHAdxMhjUXqeGQd8wTvZ4EzQNNafovwkI7IV / ZYoa++RGofVR3ZbRSiBNF6TDj / qXFt0wN / CQnsGAmQAGNiN + D4mY7i25dtTu / Jc7OxLdhAUFpHyJpyrYWLfvOiS5WYBeEDHkiPUa / 8eZSPA3MXWZR1RiuDvuNqMjct1SSwdXADTtF68l / US1ksU657 + XSC + 6ly1A / upz + X71 + C4Ho6W0751j5ZMT6xKjGh5pee7MVuduxIzXjWIy3YSd0fIT3U0A5NLEvJ9rfkx6JiHjRLx6V1tqsrtT6BsGtmCQR1UCJPLqsKVDvAINx3cPA / CGqr5OX2BGZlAihGmN6n7gv8w4O0k0LPTAe5YefgXN3m9pE867N31GtHVZaJ / UVgDNYS2jused4rw76ZWN41akx2QN0JSeMJqHXqVz6AKfz8ICS / dFnEGyBNpXiMRxrY / QPKi / wONwqsbDxRW7vZRVKs78pBkE0ksaShlZk5GkeayDWC / 7Hi / NqUFtIloK9XB3paLxo1DGu5qqaF34jZdktzkXp0uZqpp + FfKZaiovMjt8F7yHCPk + LYpRsU2Cyc9DVoDA6rIgf + uEP4jppgehsxyT0lJHax2t869R2jYdsXwYUXjgwHIV0voj7bJYPGFlFjXOp6ZW86scsHM5xfsGQoK2Fp838VT34SHE1ZXU / puM7rviREHYW72pfpgGZUILQMohuTPnd8tFtAkbrmjLDo + k9xx7HUvgoFTiNNWuq / cRjr70FKNguMMTIrid + HwfmbRoaxENWdLcOTNeascER2a + 37UQolKD5ksrPJG6RdNA7O2pzp3micDYRs / +s28cCIxO//J/d4nsgHp6RTuCu4+Jm9k0YTw2Xg75b2cWKrxGnDUgyIlvNPaZTB5QbMid4x44/lE0LLi9kcPQhRgrK07OnnrMgZvVGjt1CLGhKUv7KFc3xV1r1rwKkosxnoG99oCoTQtregcX5rIMjHgkc1IdflGJkZzaWMkYVFOJ4Weynz008i4ddkske5vabZs37Lb8iggUYNBYZyGzalruBgnQyK4fz38Fae4nWYjyildVfgyo/fCePR2ovOfphx9OQJi+M9BoFmPrAg+8ARDZ+R+5yzYuEc9ZoVX7nkp7LTGB3DANBgkrBgEEAYI3EQIxADATBgkqhkiG9w0BCRUxBgQEAQAAADBXBgkqhkiG9w0BCRQxSh5IAGEAOAAwAGQAZgBmADgANgAtAGUAOQA2AGUALQA0ADIAMgA0AC0AYQBhADEAMQAtAGIAZAAxADkANABkADUAYQA2AGIANwA3MF0GCSsGAQQBgjcRATFQHk4ATQBpAGMAcgBvAHMAbwBmAHQAIABTAHQAcgBvAG4AZwAgAEMAcgB5AHAAdABvAGcAcgBhAHAAaABpAGMAIABQAHIAbwB2AGkAZABlAHIwggLPBgkqhkiG9w0BBwagggLAMIICvAIBADCCArUGCSqGSIb3DQEHATAcBgoqhkiG9w0BDAEGMA4ECNX+VL2MxzzWAgIH0ICCAojmRBO+CPfVNUO0s+BVuwhOzikAGNBmQHNChmJ/pyzPbMUbx7tO63eIVSc67iERda2WCEmVwPigaVQkPaumsfp8+L6iV/BMf5RKlyRXcwh0vUdu2Qa7qadD+gFQ2kngf4Dk6vYo2/2HxayuIf6jpwe8vql4ca3ZtWXfuRix2fwgltM0bMz1g59d7x/glTfNqxNlsty0A/rWrPJjNbOPRU2XykLuc3AtlTtYsQ32Zsmu67A7UNBw6tVtkEXlFDqhavEhUEO3dvYqMY+QLxzpZhA0q44ZZ9/ex0X6QAFNK5wuWxCbupHWsgxRwKftrxyszMHsAvNoNcTlqcctee+ecNwTJQa1/MDbnhO6/qHA7cfG1qYDq8Th635vGNMW1w3sVS7l0uEvdayAsBHWTcOC2tlMa5bfHrhY8OEIqj5bN5H9RdFy8G/W239tjDu1OYjBDydiBqzBn8HG1DSj1Pjc0kd/82d4ZU0308KFTC3yGcRad0GnEH0Oi3iEJ9HbriUbfVMbXNHOF+MktWiDVqzndGMKmuJSdfTBKvGFvejAWVO5E4mgLvoaMmbchc3BO7sLeraHnJN5hvMBaLcQI38N86mUfTR8AP6AJ9c2k514KaDLclm4z6J8dMz60nUeo5D3YD09G6BavFHxSvJ8MF0Lu5zOFzEePDRFm9mH8W0N/sFlIaYfD/GWU/w44mQucjaBk95YtqOGRIj58tGDWr8iUdHwaYKGqU24zGeRae9DhFXPzZshV1ZGsBQFRaoYkyLAwdJWIXTi+c37YaC8FRSEnnNmS79Dou1Kc3BvK4EYKAD2KxjtUebrV174gD0Q+9YuJ0GXOTspBvCFd5VT2Rw5zDNrA/J3F5fMCk4wOzAfMAcGBSsOAwIaBBSxgh2xyF+88V4vAffBmZXv8Txt4AQU4O/NX4MjxSodbE7ApNAMIvrtREwCAgfQ";
}
var name = certificateName;
var certificate = Task.Run(() => keyVaultClient.ImportCertificateAsync(vaultAddress, name, base64X509, pfxPassword,
policy)).ConfigureAwait(false).GetAwaiter().GetResult();
Console.Out.WriteLine("Created certificate:---------------");
PrintoutCertificate(certificate);
return(certificate);
}
public async Task ImportKeyVaultCertificateAsync(Guid subscriptionId, KeyVault keyVault, string certificateName, byte[] value, string certificatePassword)
{
// Authenticate using MSI
AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider();
var accessToken = await azureServiceTokenProvider.GetAccessTokenAsync("https://vault.azure.net");
var token = new TokenCredentials(accessToken);
using (var keyVaultClient = new KeyVaultClient(token))
{
try
{
if (certificatePassword == null)
{
certificatePassword = string.Empty;
}
var cert = new X509Certificate2(
value,
certificatePassword,
X509KeyStorageFlags.MachineKeySet |
X509KeyStorageFlags.PersistKeySet |
X509KeyStorageFlags.Exportable);
var exportedBytes = cert.Export(X509ContentType.Pkcs12, certificatePassword);
var exportedBase64 = Convert.ToBase64String(exportedBytes);
await keyVaultClient.ImportCertificateAsync(
keyVault.Uri,
certificateName,
Convert.ToBase64String(value),
certificatePassword);
}
catch (CryptographicException e) when(e.HResult == -2147024810)
{
throw;
}
catch (Exception e)
{
throw new Exception($"Failed to import certificate with principal: {azureServiceTokenProvider.PrincipalUsed}", e);
}
}
}
private async Task CertificatesMigrationGuide()
{
#region Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_Create
AzureServiceTokenProvider provider = new AzureServiceTokenProvider();
KeyVaultClient client = new KeyVaultClient(
new KeyVaultClient.AuthenticationCallback(provider.KeyVaultTokenCallback));
#endregion Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_Create
#region Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_CreateWithOptions
using (HttpClient httpClient = new HttpClient())
{
//@@AzureServiceTokenProvider provider = new AzureServiceTokenProvider();
/*@@*/ provider = new AzureServiceTokenProvider();
//@@KeyVaultClient client = new KeyVaultClient(
/*@@*/ client = new KeyVaultClient(
new KeyVaultClient.AuthenticationCallback(provider.KeyVaultTokenCallback),
httpClient);
}
#endregion Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_CreateWithOptions
#region Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_CreateCustomPolicy
CertificatePolicy policy = new CertificatePolicy
{
IssuerParameters = new IssuerParameters("issuer-name"),
SecretProperties = new SecretProperties("application/x-pkcs12"),
KeyProperties = new KeyProperties
{
KeyType = "RSA",
KeySize = 2048,
ReuseKey = true
},
X509CertificateProperties = new X509CertificateProperties("CN=customdomain.com")
{
KeyUsage = new[]
{
KeyUsageType.CRLSign,
KeyUsageType.DataEncipherment,
KeyUsageType.DigitalSignature,
KeyUsageType.KeyEncipherment,
KeyUsageType.KeyAgreement,
KeyUsageType.KeyCertSign
},
ValidityInMonths = 12
},
LifetimeActions = new[]
{
new LifetimeAction(
new Trigger
{
DaysBeforeExpiry = 90
},
new Models.Action(ActionType.AutoRenew))
}
};
#endregion Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_CreateCustomPolicy
{
#region Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_CreateCertificate
CertificateBundle certificate = null;
// Start certificate creation.
// Depending on the policy and your business process, this could even take days for manual signing.
CertificateOperation createOperation = await client.CreateCertificateAsync("https://myvault.vault.azure.net", "certificate-name", policy);
while (true)
{
if ("InProgress".Equals(createOperation.Status, StringComparison.OrdinalIgnoreCase))
{
await Task.Delay(TimeSpan.FromSeconds(20));
createOperation = await client.GetCertificateOperationAsync("https://myvault.vault.azure.net", "certificate-name");
continue;
}
if ("Completed".Equals(createOperation.Status, StringComparison.OrdinalIgnoreCase))
{
certificate = await client.GetCertificateAsync(createOperation.Id);
break;
}
throw new Exception(string.Format(
CultureInfo.InvariantCulture,
"Polling on pending certificate returned an unexpected result. Error code = {0}, Error message = {1}",
createOperation.Error.Code,
createOperation.Error.Message));
}
// If you need to restart the application you can recreate the operation and continue awaiting.
do
{
createOperation = await client.GetCertificateOperationAsync("https://myvault.vault.azure.net", "certificate-name");
if ("InProgress".Equals(createOperation.Status, StringComparison.OrdinalIgnoreCase))
{
await Task.Delay(TimeSpan.FromSeconds(20));
continue;
}
if ("Completed".Equals(createOperation.Status, StringComparison.OrdinalIgnoreCase))
{
certificate = await client.GetCertificateAsync(createOperation.Id);
break;
}
throw new Exception(string.Format(
CultureInfo.InvariantCulture,
"Polling on pending certificate returned an unexpected result. Error code = {0}, Error message = {1}",
createOperation.Error.Code,
createOperation.Error.Message));
} while (true);
#endregion Snippet:Azure_Security_KeyVault_Certificates_Snippets_MigrationGuide_CreateCertificate
}
{
#region Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_ImportCertificate
byte[] cer = File.ReadAllBytes("certificate.pfx");
string cerBase64 = Convert.ToBase64String(cer);
CertificateBundle certificate = await client.ImportCertificateAsync(
"https://myvault.vault.azure.net",
"certificate-name",
cerBase64,
certificatePolicy : policy);
#endregion Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_ImportCertificate
}
#region Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_CreateSelfSignedPolicy
//@@CertificatePolicy policy = new CertificatePolicy
/*@@*/
policy = new CertificatePolicy
{
IssuerParameters = new IssuerParameters("Self"),
X509CertificateProperties = new X509CertificateProperties("CN=DefaultPolicy")
};
#endregion Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_CreateSelfSignedPolicy
// TODO
{
#region Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_ListCertificates
IPage <CertificateItem> page = await client.GetCertificatesAsync("https://myvault.vault.azure.net");
foreach (CertificateItem item in page)
{
CertificateIdentifier certificateId = item.Identifier;
CertificateBundle certificate = await client.GetCertificateAsync(certificateId.Vault, certificateId.Name);
}
while (page.NextPageLink != null)
{
page = await client.GetCertificatesNextAsync(page.NextPageLink);
foreach (CertificateItem item in page)
{
CertificateIdentifier certificateId = item.Identifier;
CertificateBundle certificate = await client.GetCertificateAsync(certificateId.Vault, certificateId.Name);
}
}
#endregion Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_ListCertificates
}
{
#region Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_DeleteCertificate
// Delete the certificate.
DeletedCertificateBundle deletedCertificate = await client.DeleteCertificateAsync("https://myvault.vault.azure.net", "certificate-name");
// Purge or recover the deleted certificate if soft delete is enabled.
if (deletedCertificate.RecoveryId != null)
{
DeletedCertificateIdentifier deletedCertificateId = deletedCertificate.RecoveryIdentifier;
// Deleting a certificate does not happen immediately. Wait a while and check if the deleted certificate exists.
while (true)
{
try
{
await client.GetDeletedCertificateAsync(deletedCertificateId.Vault, deletedCertificateId.Name);
// Finally deleted.
break;
}
catch (KeyVaultErrorException ex) when(ex.Response.StatusCode == HttpStatusCode.NotFound)
{
// Not yet deleted...
}
}
// Purge the deleted certificate.
await client.PurgeDeletedCertificateAsync(deletedCertificateId.Vault, deletedCertificateId.Name);
// You can also recover the deleted certificate using RecoverDeletedCertificateAsync.
}
#endregion Snippet:Microsoft_Azure_KeyVault_Certificates_Snippets_MigrationGuide_DeleteCertificate
}
}
