Azure / azure-cli

Azure Command-Line Interface
MIT License

Distribute Self-Signed Client Certificates #12288

Closed thall closed 4 years ago

thall commented 4 years ago

Hi,

I have created a self-signed root CA certificate, an intermediate certificate and client certificates. I have imported the certificates to the Key Vault (in both formats, PEM and PKCS12 (without password, it seems to be removed..)).

The problem I'm facing is how I can distribute my password-protected client certificate in PKCS12 format. I don't want to give access to download my keys or secrets in the Key Vault, because then I will expose other secrets that should not be revealed.

I want my users to use az login and az keyvault certificate download to download the password-protected PKCS12 certificate and unpack it using a password I supply via another channel. How can I achieve this?

Related issue: https://github.com/Azure/azure-cli/issues/11576

yungezz commented 4 years ago

thanks for reporting, we'll look at it.

bim-msft commented 4 years ago

Related to #11576 , we are investigating this.

ghost commented 4 years ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @RandalliLama, @schaabs, @jlichwa.

sebansal commented 4 years ago

@bim-msft It's a feature request (related to #11576). Can you please mark it appropriately?

sebansal commented 4 years ago

It is by design that Key Vault does not export certs with a password.

thall commented 4 years ago

Then Azure Key Vault and Azure cloud are not an option.

sebansal commented 4 years ago

To address this: "I don't want to give access to download my keys or secrets in the KeyVault, because then I will expose other secrets that should not be revealed."

You can grant role-based access to provide fine-grained access management: https://docs.microsoft.com/en-us/azure/key-vault/general/rbac-guide

thall commented 4 years ago

How will that solve my initial issue? I don't see how I can achieve it with your suggestion, or did I miss something?

I.e.:

"I want my users to use az login and az keyvault certificate download to download the password-protected PKCS12 certificate and unpack it using a password I supply via another channel. How can I achieve this?"

jlichwa commented 4 years ago

@thall Password-protected certificates are not supported today. Please vote on User Voice for the new feature request: https://feedback.azure.com/forums/906355-azure-key-vault/suggestions/32603098-add-support-for-storage-and-retrieval-of-password so we can push internally to provide that feature in the future. The only workaround would be to have a separate key vault for your certificates and restrict access to it or, as @sebansal suggested, switch the key vault to the RBAC permission model and restrict access to that certificate on an individual level.
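Since Key Vault will not hand out a password-protected PKCS12 itself, the only place the password can be applied is on the side that already holds the PEM material, and the recipient then unpacks the bundle with the password sent out of band. The script below is an added example written for this thread; it is not azure-cli or Key Vault code and does not call Key Vault at all. It uses `openssl` only: the "downloaded" certificate and key are constructed locally as a stand-in for the PEM a restricted principal would fetch from a dedicated vault (that fetch would be `az keyvault secret download`, since Key Vault exposes a certificate's private key through a secret of the same name). It shows the wrapping step, the recipient's unpack step, and a check that a wrong password is rejected by the PKCS12 MAC.

```shell
#!/bin/sh
# Added example for the thread above (not azure-cli project code).
# Requires only the openssl CLI. Every file name and CN below is constructed.

# Stand-in for the PEM cert + key that the restricted principal would fetch
# from the dedicated vault (e.g. `az keyvault secret download --vault-name V
# --name client-cert --file cert-and-key.pem`, not run here).
make_test_material() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=example-client" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
}

# Distribution side: wrap cert + key into a password-protected PKCS12.
# The password never goes into the vault; it travels via another channel.
wrap_pfx() {
    cert="$1"; key="$2"; out="$3"; pw="$4"
    openssl pkcs12 -export -in "$cert" -inkey "$key" \
        -out "$out" -passout "pass:$pw" 2>/dev/null
}

# Integrity check: returns 0 only if the PKCS12 MAC verifies under this
# password, so a wrong or stripped password is detected before use.
check_pfx() {
    pfx="$1"; pw="$2"
    if openssl pkcs12 -in "$pfx" -passin "pass:$pw" -noout >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# Recipient side: unpack the bundle back to PEM (cert + unencrypted key)
# using the password supplied out of band.
unpack_pfx() {
    pfx="$1"; pw="$2"; out="$3"
    openssl pkcs12 -in "$pfx" -passin "pass:$pw" -nodes -out "$out" 2>/dev/null
}

# End-to-end walkthrough, run only when invoked as `sh script.sh demo`.
demo() {
    work=$(mktemp -d)
    make_test_material "$work"
    wrap_pfx "$work/cert.pem" "$work/key.pem" "$work/client.pfx" "correct-horse"
    if check_pfx "$work/client.pfx" "wrong-password"; then
        echo "unexpected: wrong password accepted"; return 1
    fi
    check_pfx "$work/client.pfx" "correct-horse" && echo "MAC ok with right password"
    unpack_pfx "$work/client.pfx" "correct-horse" "$work/unpacked.pem"
    grep -c "PRIVATE KEY" "$work/unpacked.pem"
    rm -rf "$work"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

The password is applied after the material leaves the vault, so the RBAC scoping from the thread still decides who may obtain the PEM; this step only covers the hand-off to the end user, and `check_pfx` is what a recipient can run to confirm the bundle was not tampered with or re-exported without a password.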

thall commented 4 years ago

Thanks for the clarification @jlichwa! Then Azure Key Vault isn't an option for me.