Azure / azure-cli

Azure Command-Line Interface
MIT License

az keyvault certificate import does not accept PEM format #19017

Open apt34 opened 3 years ago

apt34 commented 3 years ago

Describe the bug az cli command az keyvault certificate import doesn't accept PEM certificate as an argument for the --file parameter. However, according to official documentation (https://docs.microsoft.com/en-us/cli/azure/keyvault/certificate?view=azure-cli-latest#az-keyvault-certificate-import), the following arguments should be supported for --file parameter: PKCS12 file or PEM file containing the certificate and private key.

To Reproduce

- Create vault
- Try to import PEM certificate by executing the following command: az keyvault certificate import --vault-name --name --file
- Instead of successful certificate import, the following error is raised: PEM is in unexpected format

The generated cert-file.pem looks like:

-----BEGIN CERTIFICATE-----
MIID2TCCAsGg...
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEvQIBADAN...
-----END PRIVATE KEY-----

Also tried (out of curiosity) to change key and cert position - which doesn't make any difference in theory (still fails).

-----BEGIN PRIVATE KEY-----
MIIEvQIBADAN...
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIID2TCCAsGg...
-----END CERTIFICATE-----

Expected behavior PEM certificate successfully imported to vault

Environment summary

az --version
azure-cli                         2.26.1

core                              2.26.1
telemetry                          1.0.6

Extensions:
managementpartner                  0.1.3

Python location '/opt/azure-cli/bin/python'
Extensions directory '/home/hadrian/.azure/cliextensions'

Python (Linux) 3.9.5 (default, May 24 2021, 12:50:35)
[GCC 11.1.0]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.

This is a duplicate of https://github.com/Azure/azure-cli/issues/8099, which is closed without fixing the problem.

yonzhan commented 3 years ago

keyvault

evelyn-ys commented 3 years ago

Hi @apt34 Could you share the debug log with az keyvault certificate import --debug? It's impossible that PEM file failed to be imported. Our scenario tests do cover such a scenario. Here's FYI: https://github.com/Azure/azure-cli/blob/19c8a0c5b23f38a4aea7c7bca19a5e8ce1584820/src/azure-cli/azure/cli/command_modules/keyvault/tests/latest/test_keyvault_commands.py#L2056-L2065

stijnherreman commented 3 years ago

@evelyn-ys I'm also having this issue.

PEM file, includes the CA bundle:

-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MII...
-----END RSA PRIVATE KEY-----

Debug output:

msrest.exceptions: (BadParameter) The specified PEM X.509 certificate content is in an unexpected format. Please check if certificate is in valid PEM format.
cli.azure.cli.core.util: azure.cli.core.util.handle_exception is called with an exception:
cli.azure.cli.core.util: Traceback (most recent call last):
  File "/opt/az/lib/python3.6/site-packages/azure/cli/command_modules/keyvault/_command_type.py", line 112, in keyvault_command_handler
    result = op(**command_args)
  File "/opt/az/lib/python3.6/site-packages/azure/cli/command_modules/keyvault/custom.py", line 1583, in import_certificate
    password=password)
  File "/opt/az/lib/python3.6/site-packages/azure/keyvault/v7_0/key_vault_client.py", line 3278, in import_certificate
    raise models.KeyVaultErrorException(self._deserialize, response)
azure.keyvault.v7_0.models.key_vault_error_py3.KeyVaultErrorException: (BadParameter) The specified PEM X.509 certificate content is in an unexpected format. Please check if certificate is in valid PEM format.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/az/lib/python3.6/site-packages/knack/cli.py", line 231, in invoke
    cmd_result = self.invocation.execute(args)
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 657, in execute
    raise ex
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 720, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 691, in _run_job
    result = cmd_copy(params)
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 328, in __call__
    return self.handler(*args, **kwargs)
  File "/opt/az/lib/python3.6/site-packages/azure/cli/command_modules/keyvault/_command_type.py", line 138, in keyvault_command_handler
    return keyvault_exception_handler(self.command_loader, ex)
  File "/opt/az/lib/python3.6/site-packages/azure/cli/command_modules/keyvault/_command_type.py", line 38, in keyvault_exception_handler
    raise CLIError(ex.inner_exception.error.message)
knack.util.CLIError: The specified PEM X.509 certificate content is in an unexpected format. Please check if certificate is in valid PEM format.

cli.azure.cli.core.azclierror: The specified PEM X.509 certificate content is in an unexpected format. Please check if certificate is in valid PEM format.
az_command_data_logger: The specified PEM X.509 certificate content is in an unexpected format. Please check if certificate is in valid PEM format.
evelyn-ys commented 3 years ago

Hi @stijnherreman, your pem file seems to have several parts more than what we expected. You can take our test pem as an example: https://github.com/Azure/azure-cli/blob/dev/src/azure-cli/azure/cli/command_modules/keyvault/tests/latest/mydomain.test.pem https://github.com/Azure/azure-cli/blob/dev/src/azure-cli/azure/cli/command_modules/keyvault/tests/latest/import_pem_plain.pem

stijnherreman commented 3 years ago

@evelyn-ys the example file works. I've reduced my file to only contain the private key and my certificate (so excluding the CA bundle) but the same error occurs.

$ cat example_com.key example_com.crt > example_com.pem
$ cat example_com.pem
-----BEGIN RSA PRIVATE KEY-----
MII...
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
$ openssl verify -CAfile example_com.ca-bundle example_com.pem
example_com.pem: OK
$ az keyvault certificate import --vault-name example-vault --name example-com --file example_com.pem
The specified PEM X.509 certificate content is in an unexpected format. Please check if certificate is in valid PEM format.

I've also tried changing the order of concatenation, and tried both importing as a new certificate and importing as an update to an existing certificate.

When converting to a PKCS#12 file, the import works fine.

$ openssl pkcs12 -export -in example_com.pem -out example_com.pfx
Enter Export Password:
Verifying - Enter Export Password:
$ az keyvault certificate import --vault-name example-vault --name example-com --file example_com.pfx
{
  "attributes": {
    "created": "2021-09-23T10:11:06+00:00",
    "enabled": true,
...

Also when I include the CA bundle in the PEM file and convert to a PKCS#12 file, the import works fine.

$ cat example_com.crt example_com.ca-bundle example_com.key > example_com.pem
$ openssl pkcs12 -export -in example_com.pem -out example_com.pfx
Enter Export Password:
Verifying - Enter Export Password:
$ az keyvault certificate import --vault-name example-vault --name example-com --file example_com.pfx
{
  "attributes": {
    "created": "2021-09-23T10:17:02+00:00",
    "enabled": true,
...
ghost commented 3 years ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @RandalliLama, @schaabs, @jlichwa.

Author: apt34
Assignees: evelyn-ys
Labels: `KeyVault`, `Service Attention`
Milestone: Backlog
gomker commented 2 years ago

Might be a related issue : https://github.com/MicrosoftDocs/azure-docs/issues/23558#issuecomment-823693525

.... it does appear the docs say explicitly that the PEM should be PKCS#8 encoded

# Unpack the PKCS#12 file into a PEM file containing the certificate(s) and the
# private key, leaving the key unencrypted (-nodes)
openssl pkcs12 -in cert.pfx -out cert_export.pem -nodes -password pass:"certpass"
# Write the certificate block first ...
openssl x509 -in cert_export.pem >> temp.pem
# ... then the private key re-encoded as unencrypted PKCS#8 ("BEGIN PRIVATE KEY")
openssl pkcs8 -topk8 -nocrypt -in cert_export.pem >> temp.pem

I found this issue as now I am having a problem creating one that has the intermediate chain
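
The PKCS#12 conversion in stijnherreman's comment above and the PKCS#8 re-encoding in gomker's comment both point to a pre-flight check before calling az keyvault certificate import. The script below is an added example, not code from azure-cli or from any comment in this thread. It assumes (from the maintainers' test PEM and the PKCS#8 note quoted above, not from a published service-side specification) that the accepted PEM shape is exactly one leaf CERTIFICATE block plus one unencrypted PKCS#8 "PRIVATE KEY" block; pem_labels, pem_check, pem_normalize and pem_to_pfx are names chosen here. Note that apt34's original file already had that shape and was still rejected, so the check only rules out the differences this thread identified; the PKCS#12 path is kept as the fallback both reporters found working.

```shell
#!/bin/sh
# Added example: pre-flight check and conversion helpers for PEM files
# destined for `az keyvault certificate import`. Not azure-cli code.
# ASSUMED accepted shape (from the maintainers' test PEM and the PKCS#8
# note in the docs, not from a published spec): exactly one CERTIFICATE
# block plus exactly one unencrypted PKCS#8 "PRIVATE KEY" block.

# List the PEM block labels of FILE in order, e.g. "CERTIFICATE",
# "RSA PRIVATE KEY". CRLF line endings are stripped first so that
# Windows-generated files are recognised too.
pem_labels() {
    tr -d '\r' < "$1" | sed -n 's/^-----BEGIN \(.*\)-----$/\1/p'
}

# Report every way FILE departs from the assumed shape; return 0 if none.
# Each finding maps to something seen in this thread: extra CERTIFICATE
# blocks (CA bundle), a PKCS#1/SEC1 key ("RSA PRIVATE KEY"/"EC PRIVATE KEY")
# instead of PKCS#8, or an encrypted key.
pem_check() {
    local file certs keys status
    file=$1
    certs=$(pem_labels "$file" | grep -c '^CERTIFICATE$' || true)
    keys=$(pem_labels "$file" | grep -c 'PRIVATE KEY$' || true)
    status=0
    if [ "$certs" -eq 0 ]; then
        echo "$file: no CERTIFICATE block"; status=1
    elif [ "$certs" -gt 1 ]; then
        echo "$file: $certs CERTIFICATE blocks (CA bundle included?); keep only the leaf certificate"; status=1
    fi
    if [ "$keys" -ne 1 ]; then
        echo "$file: expected exactly one private key block, found $keys"; status=1
    fi
    if pem_labels "$file" | grep -q -e '^RSA PRIVATE KEY$' -e '^EC PRIVATE KEY$'; then
        echo "$file: key is PKCS#1/SEC1; re-encode as PKCS#8 (\"BEGIN PRIVATE KEY\")"; status=1
    fi
    if pem_labels "$file" | grep -q '^ENCRYPTED PRIVATE KEY$'; then
        echo "$file: key is encrypted; supply it in plaintext or use PKCS#12 with --password"; status=1
    fi
    return "$status"
}

# Rewrite IN as OUT in the assumed shape: first certificate only, key
# re-encoded as unencrypted PKCS#8. Generalises the x509/pkcs8 pipeline
# posted above to any block order and to EC keys (openssl pkcs8 -topk8
# reads any PEM private key format, openssl x509 picks the first
# CERTIFICATE block and skips the rest).
pem_normalize() {
    openssl x509 -in "$1" > "$2" &&
    openssl pkcs8 -topk8 -nocrypt -in "$1" >> "$2"
}

# Fallback shown to work in this thread: bundle certificate, optional
# chain and key into PKCS#12. The export password is read from the
# PFX_PASS environment variable instead of the command line, so it does
# not show up in process listings; pass the same value to
# `az keyvault certificate import --password`.
pem_to_pfx() {
    [ -n "${PFX_PASS:-}" ] || { echo "PFX_PASS is not set" >&2; return 1; }
    export PFX_PASS
    openssl pkcs12 -export -in "$1" -out "$2" -passout env:PFX_PASS
}

# Typical flow (vault and certificate names are placeholders):
#   pem_check cert.pem && az keyvault certificate import --vault-name V --name N --file cert.pem
#   pem_normalize cert.pem cert.pkcs8.pem
#   PFX_PASS=... pem_to_pfx cert.pem cert.pfx
```

pem_check only inspects PEM labels; it does not validate the DER inside the blocks, so run openssl verify on the certificate separately, as stijnherreman did above. pem_normalize drops the chain entirely, which is the shape the maintainers' sample file has; if the chain must be carried into the vault, the PKCS#12 route is the one this thread shows accepting it.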

fabio-s-franco commented 8 months ago

When it comes to importing PEM format, I always have problems. It also doesn't work with multi-site certificates, which ends up being a stone in my shoe when automating things.