Azure / azure-powershell

Microsoft Azure PowerShell

Add-AzureKeyVaultKey, support encrypted .pem file format and .pfx with only a private key #7120

Open DaanWasscher opened 6 years ago

DaanWasscher commented 6 years ago

Only pfx and byok file formats are supported in AzureRM version 6.8.1.

The Azure Portal supports importing keys from encrypted .pem files. It would be great if this PowerShell cmdlet would get feature parity with the portal.

If I create a pfx file with only the private key and no certificates, then that pfx can be used through the Azure Portal to import my private key. Yet, using that same .pfx without certificates through the Add-AzureKeyVaultKey cmdlet yields an exception (because the X509Certificate2 class is used to parse the pfx file, which expects a certificate in the pfx file).

So, to use this cmdlet I need to generate a self-signed certificate and package that with my private key in a pfx.

Instead it would be easier if the cmdlet accepted an encrypted private key in a .pem file and/or a pfx file with only a private key and no certificates.

maddieclayton commented 6 years ago

@RandalliLama Can you take a look at this feature request?

isra-fel commented 4 years ago

Hi @grayzu could you take a look at this feature request?

BethanyZhou commented 10 months ago

@heaths could you help check if this is a SDK issue?

heaths commented 10 months ago

Given that the AzureRM module has long been deprecated and our older SDKs that it may or may not have used are also deprecated and unsupported (Microsoft.Azure.KeyVault), I can't really answer the OP. Our newer SDK - Azure.Security.KeyVault.Keys - only supports importing a key via JWK because that is all the service supports: https://learn.microsoft.com/rest/api/keyvault/keys/import-key/import-key. Customers can use something like RSA.ImportFromEncryptedPem to get an RSA instance they can pass to our JsonWebKey constructor and pass that to KeyClient.ImportKeyAsync.

Key Vault only supports importing an encrypted PEM certificate, as does the SDK. But since you're sending both the password - which means you're loading it into memory as well - and the encrypted PEM, there's really little reason callers can't just do that themselves before calling the SDK to import a key.

That's really all the Portal is doing, and any cmdlet can do, but likely not something we'd add to the SDK. You can file a feature request, but we tend to avoid these higher level functions that are just obviating a couple extra calls e.g.,

```csharp
using RSA rsa = RSA.Create();                               // ImportFromEncryptedPem is an instance method (.NET 5+)
rsa.ImportFromEncryptedPem(pem, password);
JsonWebKey jwk = new(rsa, includePrivateParameters: true);  // private parameters must be included for a key import
await keyClient.ImportKeyAsync(name, jwk);
```

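The following is an added example, not code from this thread or from the Azure SDK, showing the "do it yourself before calling the SDK" approach for both inputs the issue describes: an encrypted PKCS#8 PEM, and a PKCS#12 file that carries a private key but no certificate (which X509Certificate2 rejects). It assumes .NET 5 or later (for RSA.ImportFromEncryptedPem), the Azure.Security.KeyVault.Keys, Azure.Identity and System.Security.Cryptography.Pkcs packages, RSA keys only, and placeholder values for the vault URI and key name; the class and method names are hypothetical.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;   // Pkcs12Info and the SafeBag types (System.Security.Cryptography.Pkcs package)
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Security.KeyVault.Keys;

// Hypothetical helper (example code, not Azure SDK code): extract the RSA key the way
// the portal effectively does, then hand it to KeyClient as a JsonWebKey.
static class PortalStyleKeyImport
{
    // Case 1 from the issue: "-----BEGIN ENCRYPTED PRIVATE KEY-----" (PKCS#8, PBES2).
    public static RSA RsaFromEncryptedPem(string pemText, string password)
    {
        var rsa = RSA.Create();
        rsa.ImportFromEncryptedPem(pemText, password);   // instance method, .NET 5+
        return rsa;
    }

    // Case 2 from the issue: a PKCS#12 file with a key bag and no certificate bag.
    // X509Certificate2 throws on such a file; Pkcs12Info walks the SafeBags directly.
    public static RSA RsaFromKeyOnlyPfx(byte[] pfx, string password)
    {
        Pkcs12Info info = Pkcs12Info.Decode(pfx, out _);
        if (info.IntegrityMode == Pkcs12IntegrityMode.Password && !info.VerifyMac(password))
            throw new CryptographicException("PKCS#12 MAC verification failed (wrong password?)");

        foreach (Pkcs12SafeContents contents in info.AuthenticatedSafe)
        {
            if (contents.ConfidentialityMode == Pkcs12ConfidentialityMode.Password)
                contents.Decrypt(password);

            foreach (Pkcs12SafeBag bag in contents.GetBags())
            {
                if (bag is Pkcs12ShroudedKeyBag shrouded)        // shroudedKeyBag: encrypted PKCS#8
                {
                    var rsa = RSA.Create();
                    rsa.ImportEncryptedPkcs8PrivateKey(password, shrouded.EncryptedPkcs8PrivateKey.Span, out _);
                    return rsa;
                }
                if (bag is Pkcs12KeyBag plain)                    // keyBag: plaintext PKCS#8
                {
                    var rsa = RSA.Create();
                    rsa.ImportPkcs8PrivateKey(plain.Pkcs8PrivateKey.Span, out _);
                    return rsa;
                }
                // certificate or other bag types: keep looking
            }
        }
        throw new CryptographicException("no RSA private key bag found in the PKCS#12 file");
    }

    public static async Task ImportAsync(Uri vaultUri, string keyName, RSA rsa)
    {
        var client = new KeyClient(vaultUri, new DefaultAzureCredential());
        // includePrivateParameters: true is what turns this into a private-key import;
        // the default (false) would only send the public modulus and exponent.
        var jwk = new JsonWebKey(rsa, includePrivateParameters: true);
        await client.ImportKeyAsync(keyName, jwk);
    }

    public static async Task Main(string[] args)
    {
        // Placeholders: replace the vault URI and key name; pass the .pem or .pfx path as args[0].
        var vaultUri = new Uri("https://<your-vault>.vault.azure.net/");
        string password = Environment.GetEnvironmentVariable("KEY_FILE_PASSWORD")
            ?? throw new InvalidOperationException("set KEY_FILE_PASSWORD");
        using RSA rsa = args[0].EndsWith(".pem", StringComparison.OrdinalIgnoreCase)
            ? RsaFromEncryptedPem(File.ReadAllText(args[0]), password)
            : RsaFromKeyOnlyPfx(File.ReadAllBytes(args[0]), password);
        await ImportAsync(vaultUri, "<key-name>", rsa);
    }
}
```

The password is read from an environment variable rather than the command line so it does not end up in shell history, and the PKCS#12 MAC is checked before any bag is decrypted so a wrong password fails early with a clear error instead of a garbage key.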
BethanyZhou commented 9 months ago

@heaths, any solution on .NET Standard 2.0 to obtain a JsonWebKey? We have to be compatible with Windows PowerShell, so we have to rely on .NET Standard 2.0. We use X509Certificate2 to parse the certificate and export the private key, which is not workable if the cert only has a private key.

heaths commented 9 months ago

CertificateClient.DownloadCertificate already does that, and you can take a look at the source code if you're curious how; however, X509 features are limited when targeting netstandard2.0, e.g., importing PEM files is supported. That's why I wrote one into the Azure SDKs that you can copy as you see appropriate. It doesn't support passing a password for encrypted PEMs, but you can add that functionality to your cmdlets if you want.
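To make the netstandard2.0 constraint from the last two comments concrete, here is an added example of a hand-written PEM/PKCS#8 decoder for unencrypted RSA private keys; it is example code, not the decoder heaths refers to in the Azure SDKs. It uses only APIs present in .NET Framework / netstandard2.0 (no RSA.ImportPkcs8PrivateKey, no PemEncoding) and produces an RSAParameters that RSA.ImportParameters accepts. Like the SDK's decoder as described above, it does not handle encrypted PEMs; those would have to be decrypted first. The class and method names are hypothetical.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text.RegularExpressions;

// Hypothetical netstandard2.0 helper (example code, not the Azure SDK's decoder):
// unencrypted RSA private-key PEM -> RSAParameters, PKCS#1 and PKCS#8 forms.
public static class RsaPemLoader
{
    // DER content of OID 1.2.840.113549.1.1.1 (rsaEncryption)
    static readonly byte[] RsaEncryptionOid = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01 };

    public static RSA CreateRsa(string pem)
    {
        var rsa = RSA.Create();
        rsa.ImportParameters(Parse(pem));
        return rsa;
    }

    public static RSAParameters Parse(string pem)
    {
        Match m = Regex.Match(pem, @"-----BEGIN (?<label>[A-Z ]+)-----(?<body>.*?)-----END \k<label>-----", RegexOptions.Singleline);
        if (!m.Success) throw new FormatException("no PEM block found");
        string label = m.Groups["label"].Value;
        byte[] der = Convert.FromBase64String(Regex.Replace(m.Groups["body"].Value, @"\s+", ""));
        if (label == "RSA PRIVATE KEY") return ParsePkcs1(der);   // PKCS#1 RSAPrivateKey
        if (label == "PRIVATE KEY") return ParsePkcs8(der);       // PKCS#8 PrivateKeyInfo
        throw new NotSupportedException("'" + label + "' not supported; encrypted PEMs must be decrypted first");
    }

    // PrivateKeyInfo ::= SEQUENCE { version INTEGER, AlgorithmIdentifier, privateKey OCTET STRING }
    static RSAParameters ParsePkcs8(byte[] der)
    {
        var r = new DerReader(der);
        r.ReadHeader(0x30);
        r.ReadUnsignedInteger();                                   // version, ignored
        int algLen = r.ReadHeader(0x30);                           // AlgorithmIdentifier
        int algEnd = r.Position + algLen;
        if (!r.ReadContent(0x06).SequenceEqual(RsaEncryptionOid))
            throw new NotSupportedException("only rsaEncryption keys are supported");
        r.Seek(algEnd);                                            // skip the NULL parameters
        return ParsePkcs1(r.ReadContent(0x04));                    // OCTET STRING wraps an RSAPrivateKey
    }

    // RSAPrivateKey ::= SEQUENCE { version, n, e, d, p, q, dP, dQ, qInv }
    static RSAParameters ParsePkcs1(byte[] der)
    {
        var r = new DerReader(der);
        r.ReadHeader(0x30);
        byte[] version = r.ReadUnsignedInteger();
        if (version.Length != 1 || version[0] != 0) throw new NotSupportedException("multi-prime RSA is not supported");
        byte[] n = r.ReadUnsignedInteger();
        int half = (n.Length + 1) / 2;
        // ImportParameters expects fixed-size components, so strip sign bytes and pad back to size.
        return new RSAParameters
        {
            Modulus = n,
            Exponent = r.ReadUnsignedInteger(),
            D = PadLeft(r.ReadUnsignedInteger(), n.Length),
            P = PadLeft(r.ReadUnsignedInteger(), half),
            Q = PadLeft(r.ReadUnsignedInteger(), half),
            DP = PadLeft(r.ReadUnsignedInteger(), half),
            DQ = PadLeft(r.ReadUnsignedInteger(), half),
            InverseQ = PadLeft(r.ReadUnsignedInteger(), half),
        };
    }

    static byte[] PadLeft(byte[] v, int size)
    {
        if (v.Length == size) return v;
        if (v.Length > size) throw new FormatException("RSA component larger than the modulus allows");
        var padded = new byte[size];
        Buffer.BlockCopy(v, 0, padded, size - v.Length, v.Length);
        return padded;
    }

    // Minimal DER TLV reader: just enough for the two structures above.
    sealed class DerReader
    {
        readonly byte[] _d; int _pos;
        public DerReader(byte[] d) { _d = d; }
        public int Position => _pos;
        public void Seek(int pos) { _pos = pos; }

        // Consumes tag + length and returns the content length; the content is left for the caller.
        public int ReadHeader(byte expectedTag)
        {
            byte tag = _d[_pos++];
            if (tag != expectedTag) throw new FormatException(string.Format("expected tag 0x{0:X2}, got 0x{1:X2}", expectedTag, tag));
            int len = _d[_pos++];
            if (len >= 0x80)                                       // long form: low 7 bits = number of length bytes
            {
                int count = len & 0x7F;
                if (count == 0 || count > 4) throw new FormatException("unsupported DER length encoding");
                len = 0;
                for (int i = 0; i < count; i++) len = (len << 8) | _d[_pos++];
            }
            if (len < 0 || len > _d.Length - _pos) throw new FormatException("DER length exceeds buffer");
            return len;
        }

        public byte[] ReadContent(byte tag)
        {
            int len = ReadHeader(tag);
            var v = new byte[len];
            Buffer.BlockCopy(_d, _pos, v, 0, len);
            _pos += len;
            return v;
        }

        // INTEGER as unsigned big-endian: drop leading 0x00 sign bytes but keep at least one byte.
        public byte[] ReadUnsignedInteger()
        {
            byte[] v = ReadContent(0x02);
            int skip = 0;
            while (skip < v.Length - 1 && v[skip] == 0) skip++;
            return skip == 0 ? v : v.Skip(skip).ToArray();
        }
    }
}
```

Every length is bounds-checked against the buffer before it is consumed, and the label check refuses anything other than the two plaintext forms, so a truncated or mislabelled file fails with a FormatException or NotSupportedException rather than an index exception deep inside the parser. The resulting RSA instance can be passed to the JsonWebKey constructor exactly as in the snippet earlier in the thread.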