Open apt34 opened 3 years ago
keyvault
Hi @apt34 Could you share the debug log with `az keyvault certificate import --debug`? It's impossible that PEM file failed to be imported. Our scenario tests do cover such a scenario. Here's FYI:
https://github.com/Azure/azure-cli/blob/19c8a0c5b23f38a4aea7c7bca19a5e8ce1584820/src/azure-cli/azure/cli/command_modules/keyvault/tests/latest/test_keyvault_commands.py#L2056-L2065
@evelyn-ys I'm also having this issue.
PEM file, includes the CA bundle:

```
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MII...
-----END RSA PRIVATE KEY-----
```

Debug output:

```
msrest.exceptions: (BadParameter) The specified PEM X.509 certificate content is in an unexpected format. Please check if certificate is in valid PEM format.
cli.azure.cli.core.util: azure.cli.core.util.handle_exception is called with an exception:
cli.azure.cli.core.util: Traceback (most recent call last):
  File "/opt/az/lib/python3.6/site-packages/azure/cli/command_modules/keyvault/_command_type.py", line 112, in keyvault_command_handler
    result = op(**command_args)
  File "/opt/az/lib/python3.6/site-packages/azure/cli/command_modules/keyvault/custom.py", line 1583, in import_certificate
    password=password)
  File "/opt/az/lib/python3.6/site-packages/azure/keyvault/v7_0/key_vault_client.py", line 3278, in import_certificate
    raise models.KeyVaultErrorException(self._deserialize, response)
azure.keyvault.v7_0.models.key_vault_error_py3.KeyVaultErrorException: (BadParameter) The specified PEM X.509 certificate content is in an unexpected format. Please check if certificate is in valid PEM format.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/az/lib/python3.6/site-packages/knack/cli.py", line 231, in invoke
    cmd_result = self.invocation.execute(args)
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 657, in execute
    raise ex
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 720, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 691, in _run_job
    result = cmd_copy(params)
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 328, in __call__
    return self.handler(*args, **kwargs)
  File "/opt/az/lib/python3.6/site-packages/azure/cli/command_modules/keyvault/_command_type.py", line 138, in keyvault_command_handler
    return keyvault_exception_handler(self.command_loader, ex)
  File "/opt/az/lib/python3.6/site-packages/azure/cli/command_modules/keyvault/_command_type.py", line 38, in keyvault_exception_handler
    raise CLIError(ex.inner_exception.error.message)
knack.util.CLIError: The specified PEM X.509 certificate content is in an unexpected format. Please check if certificate is in valid PEM format.
cli.azure.cli.core.azclierror: The specified PEM X.509 certificate content is in an unexpected format. Please check if certificate is in valid PEM format.
az_command_data_logger: The specified PEM X.509 certificate content is in an unexpected format. Please check if certificate is in valid PEM format.
```
Hi @stijnherreman, your pem file seems to have more parts than we expected. You can take our test pem as an example:
https://github.com/Azure/azure-cli/blob/dev/src/azure-cli/azure/cli/command_modules/keyvault/tests/latest/mydomain.test.pem
https://github.com/Azure/azure-cli/blob/dev/src/azure-cli/azure/cli/command_modules/keyvault/tests/latest/import_pem_plain.pem
@evelyn-ys the example file works. I've reduced my file to only contain the private key and my certificate (so excluding the CA bundle) but the same error occurs.
```
$ cat example_com.key example_com.crt > example_com.pem
$ cat example_com.pem
-----BEGIN RSA PRIVATE KEY-----
MII...
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
$ openssl verify -CAfile example_com.ca-bundle example_com.pem
example_com.pem: OK
$ az keyvault certificate import --vault-name example-vault --name example-com --file example_com.pem
The specified PEM X.509 certificate content is in an unexpected format. Please check if certificate is in valid PEM format.
```
I've also tried changing the order of concatenation, and tried both importing as a new certificate and importing as an update to an existing certificate.
When converting to a PKCS#12 file, the import works fine.
```
$ openssl pkcs12 -export -in example_com.pem -out example_com.pfx
Enter Export Password:
Verifying - Enter Export Password:
$ az keyvault certificate import --vault-name example-vault --name example-com --file example_com.pfx
{
  "attributes": {
    "created": "2021-09-23T10:11:06+00:00",
    "enabled": true,
...
```
Also when I include the CA bundle in the PEM file and convert to a PKCS#12 file, the import works fine.
```
$ cat example_com.crt example_com.ca-bundle example_com.key > example_com.pem
$ openssl pkcs12 -export -in example_com.pem -out example_com.pfx
Enter Export Password:
Verifying - Enter Export Password:
$ az keyvault certificate import --vault-name example-vault --name example-com --file example_com.pfx
{
  "attributes": {
    "created": "2021-09-23T10:17:02+00:00",
    "enabled": true,
...
```
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @RandalliLama, @schaabs, @jlichwa.
| | |
|---|---|
| Author: | apt34 |
| Assignees: | evelyn-ys |
| Labels: | `KeyVault`, `Service Attention` |
| Milestone: | Backlog |
Might be a related issue: https://github.com/MicrosoftDocs/azure-docs/issues/23558#issuecomment-823693525

It does appear the docs say explicitly that the PEM should be PKCS#8 encoded:

```
openssl pkcs12 -in cert.pfx -out cert_export.pem -nodes -password pass:"certpass"
openssl x509 -in cert_export.pem >> temp.pem
openssl pkcs8 -topk8 -nocrypt -in cert_export.pem >> temp.pem
```

I found this issue as now I am having a problem creating one that has the intermediate chain.
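The difference the comment above points at is the private-key block: `openssl genrsa` and the user's `.key` file produce a PKCS#1 `-----BEGIN RSA PRIVATE KEY-----` block, while the documented `openssl pkcs8 -topk8 -nocrypt` step produces a PKCS#8 `-----BEGIN PRIVATE KEY-----` block. As an added example (not code from the azure-cli project), the script below lists the block labels in a PEM bundle so the mismatch is visible before calling `az keyvault certificate import`, and performs the same PKCS#1-to-PKCS#8 wrapping as the openssl command by hand-rolling the three DER elements of PrivateKeyInfo; the sample bundle and the toy RSAPrivateKey inside it are constructed for the demo.

```python
import base64
import re

# Matches one PEM block and captures its label and base64 body.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", re.S)
RSA_OID = bytes.fromhex("2a864886f70d010101")  # OID 1.2.840.113549.1.1.1 (rsaEncryption)

def der_len(n):
    """DER length field: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, payload):
    return bytes([tag]) + der_len(len(payload)) + payload

def pkcs1_to_pkcs8(pkcs1_der):
    """Wrap a PKCS#1 RSAPrivateKey in an unencrypted PKCS#8 PrivateKeyInfo:
    SEQUENCE { version 0, AlgorithmIdentifier { rsaEncryption, NULL }, OCTET STRING key }."""
    alg_id = der(0x30, der(0x06, RSA_OID) + b"\x05\x00")
    return der(0x30, der(0x02, b"\x00") + alg_id + der(0x04, pkcs1_der))

def pem_block(label, der_bytes):
    b64 = base64.b64encode(der_bytes).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{lines}\n-----END {label}-----"

def pem_labels(text):
    """Block labels in order; 'RSA PRIVATE KEY' is the PKCS#1 form the import rejects."""
    return [label for label, _ in PEM_RE.findall(text)]

def normalize_bundle(text):
    """Rewrite every PKCS#1 'RSA PRIVATE KEY' block as a PKCS#8 'PRIVATE KEY' block."""
    def fix(m):
        if m.group(1) != "RSA PRIVATE KEY":
            return m.group(0)
        return pem_block("PRIVATE KEY", pkcs1_to_pkcs8(base64.b64decode(m.group(2))))
    return PEM_RE.sub(fix, text)

# Constructed sample: a fake certificate body and a toy RSAPrivateKey (p=5, q=11, e=3)
# with single-byte integers; structurally valid DER, not a usable key.
TOY_PKCS1 = der(0x30, b"".join(der(0x02, bytes([v])) for v in (0, 0x37, 3, 0x1b, 5, 0x0b, 3, 7, 1)))
SAMPLE_BUNDLE = pem_block("CERTIFICATE", b"not a real certificate") + "\n" + pem_block("RSA PRIVATE KEY", TOY_PKCS1)

if __name__ == "__main__":
    print(pem_labels(SAMPLE_BUNDLE), "->", pem_labels(normalize_bundle(SAMPLE_BUNDLE)))
```

On a real bundle, `openssl pkcs8 -topk8 -nocrypt -in key.pem` yields the same PrivateKeyInfo bytes as `pkcs1_to_pkcs8` for an RSA key, so the two can be diffed to check the wrapper.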
When it comes to importing PEM format, I always have problems. It also doesn't work with multi-site certificates, which ends up being a stone in my shoes when automating things.
**Describe the bug**

az cli command `az keyvault certificate import` doesn't accept PEM certificate as an argument for the `--file` parameter. However, according to official documentation, the following arguments should be supported for the `--file` parameter: PKCS12 file or PEM file containing the certificate and private key.

**To Reproduce**

```
az keyvault certificate import --vault-name <vault> --name <name> --file <cert_file_in_pem>
```

PEM is in unexpected format

The generated cert-file.pem looks like:

Also tried (out of curiosity) to change key and cert position - which doesn't make any difference in theory (still fails).

**Expected behavior**

PEM certificate successfully imported to vault

**Environment summary**
This is a duplicate of https://github.com/Azure/azure-cli/issues/8099, which is closed without fixing the problem.