Generated KeyVault Key with Private Key

I am trying to create a self-signed certificate in KeyVault using the "Self" issuer.

 # Policy for a self-signed ("Self" issuer) certificate, 12-month validity
 $policy = New-AzureKeyVaultCertificatePolicy -SubjectName "CN=$($certificateName)" -IssuerName "Self" -ValidityInMonths 12
 # Mark the private key as exportable before the certificate is created
 $policy.Exportable = $true
 Add-AzureKeyVaultCertificate -VaultName $vaultName -Name $certificateName -CertificatePolicy $policy

However, when you return the certificate, it does not have a private key.

Information on creating certificates directly in KeyVault does not seem very accessible on the Internet; after delving into the documentation for the rest of the API and the source code of the PowerShell cmdlets, I am at a dead end.

I hope this is just a case of something I have skipped, as I want to avoid creating the certificate locally.

1 answer

If you want to receive a certificate with your private key, you can export it to a PFX file (with an empty password) on your disk using:

 $vaultName = "my-vault-name"
 $certificateName = "my-cert-name"
 $pfxPath = [Environment]::GetFolderPath("Desktop") + "\$certificateName.pfx"
 # The companion secret holds the full PKCS#12 blob, base64 encoded, with an empty password
 $pfxSecret = Get-AzureKeyVaultSecret -VaultName $vaultName -Name $certificateName
 $pfxUnprotectedBytes = [Convert]::FromBase64String($pfxSecret.SecretValueText)
 [IO.File]::WriteAllBytes($pfxPath, $pfxUnprotectedBytes)

If you want to view only the private key in memory without writing to disk, try:

 $vaultName = "my-vault-name"
 $certificateName = "my-cert-name"
 $pfxSecret = Get-AzureKeyVaultSecret -VaultName $vaultName -Name $certificateName
 $pfxUnprotectedBytes = [Convert]::FromBase64String($pfxSecret.SecretValueText)
 # Load the PKCS#12 bytes in memory; Exportable lets us read the private parameters afterwards
 $pfx = New-Object Security.Cryptography.X509Certificates.X509Certificate2
 $pfx.Import($pfxUnprotectedBytes, $null, [Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
 $pfx.PrivateKey.ExportParameters($true)

which will show the private parameters in addition to the exponent and the modulus.

If you want to protect the PFX file on disk with your own password (according to the instructions "Get the pfx file and add the password back" in this blog post ), then try:

 $vaultName = "my-vault-name"
 $certificateName = "my-cert-name"
 $pfxPath = [Environment]::GetFolderPath("Desktop") + "\$certificateName.pfx"
 $password = "my-password"
 $pfxSecret = Get-AzureKeyVaultSecret -VaultName $vaultName -Name $certificateName
 $pfxUnprotectedBytes = [Convert]::FromBase64String($pfxSecret.SecretValueText)
 $pfx = New-Object Security.Cryptography.X509Certificates.X509Certificate2
 $pfx.Import($pfxUnprotectedBytes, $null, [Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
 # Re-export as PKCS#12 under our own password before writing to disk
 $pfxProtectedBytes = $pfx.Export([Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $password)
 [IO.File]::WriteAllBytes($pfxPath, $pfxProtectedBytes)

As mentioned in the REST API docs here and here , Azure Key Vault (AKV) presents this X.509 certificate through three interrelated resources: an AKV certificate, an AKV key, and an AKV secret. All three will have the same name and the same version - to check this, look at the Id , KeyId and SecretId in the response from Get-AzureKeyVaultCertificate .

Each of these three resources provides a different perspective for viewing this X.509 certificate:

  • The AKV certificate provides the public key and metadata of the X.509 certificate. It contains the modulus and public exponent ( n and e ), as well as other certificate metadata (thumbprint, expiration date, subject name, etc.). In PowerShell, you can get this via:
 (Get-AzureKeyVaultCertificate -VaultName $vaultName -Name $certificateName).Certificate 
  • The AKV key provides the X.509 certificate private key . This can be useful for performing cryptographic operations, such as signing, if the corresponding certificate has been marked as non-exportable. In PowerShell, you can get the public part of this private key with:
 (Get-AzureKeyVaultKey -VaultName $vaultName -Name $certificateName).Key 
  • The AKV secret provides a way to export the full X.509 certificate , including its private key (if its policy allows the private key to be exported). As shown above, the base64-encoded certificate can be obtained in PowerShell through:
 (Get-AzureKeyVaultSecret -VaultName $vaultName -Name $certificateName).SecretValueText 
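The following is an added example, not code from the question or the answer above, that puts the two posts together end to end: it creates the "Self"-issued certificate, waits for the asynchronous operation to finish, checks that the certificate, key and secret resources share one version, and recovers the private key from the secret while never writing the unprotected PKCS#12 blob to disk. It uses the AzureRM.KeyVault cmdlets named on this page; the vault and certificate names are placeholders, the `-KeyNotExportable`, `-SecretContentType`, `-KeyType` and `-KeySize` parameters of `New-AzureKeyVaultCertificatePolicy` and the `Status` / `ContentType` properties and their string values ("completed", "failed", "application/x-pkcs12") are taken from the AzureRM module and the Key Vault REST API as I recall them, so verify them against your installed module version before relying on the script.

```powershell
# Added example (not from the original post). Assumes the AzureRM.KeyVault module
# and an authenticated session; $vaultName / $certificateName are placeholders.
$vaultName       = "my-vault-name"
$certificateName = "my-cert-name"
# Prompt for the export password instead of hard-coding it in the script.
$pfxPassword = Read-Host -Prompt "PFX export password" -AsSecureString

# 1. Policy: self-signed, RSA-2048, PKCS#12 secret. Omitting -KeyNotExportable keeps the
#    private key exportable; adding that switch is what makes the secret lose the key.
$policy = New-AzureKeyVaultCertificatePolicy -SubjectName "CN=$certificateName" `
    -IssuerName Self -ValidityInMonths 12 `
    -KeyType RSA -KeySize 2048 `
    -SecretContentType "application/x-pkcs12"

Add-AzureKeyVaultCertificate -VaultName $vaultName -Name $certificateName -CertificatePolicy $policy | Out-Null

# 2. Add-AzureKeyVaultCertificate is asynchronous: the certificate/key/secret triple only
#    exists once the operation reports completion, so poll instead of racing it.
#    Status values assumed from the REST API: inProgress / completed / failed.
do {
    Start-Sleep -Seconds 2
    $op = Get-AzureKeyVaultCertificateOperation -VaultName $vaultName -Name $certificateName
    if ($op.Status -eq "failed") { throw "Certificate operation failed: $($op.ErrorMessage)" }
} while ($op.Status -ne "completed")

# 3. Confirm the three resources share one name and version: the last path segment
#    of Id, KeyId and SecretId is the version identifier.
$cert    = Get-AzureKeyVaultCertificate -VaultName $vaultName -Name $certificateName
$version = ($cert.Id -split '/')[-1]
foreach ($id in @($cert.KeyId, $cert.SecretId)) {
    if (($id -split '/')[-1] -ne $version) { throw "Version mismatch between certificate, key and secret: $id" }
}

# 4. The certificate resource is the public half only; HasPrivateKey is always false here.
if ($cert.Certificate.HasPrivateKey) { throw "Unexpected: certificate resource carries a private key" }

# 5. The private half lives in the secret. Check the content type before decoding:
#    application/x-pkcs12 is a base64 PFX with an empty password, whereas
#    application/x-pem-file is PEM text and needs a different parser.
$secret = Get-AzureKeyVaultSecret -VaultName $vaultName -Name $certificateName
if ($secret.ContentType -ne "application/x-pkcs12") {
    throw "Secret content type is '$($secret.ContentType)', expected application/x-pkcs12"
}
$pfxBytes = [Convert]::FromBase64String($secret.SecretValueText)

# Load in memory with Exportable so it can be re-exported under a real password.
$flags = [Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
$pfx   = New-Object Security.Cryptography.X509Certificates.X509Certificate2($pfxBytes, [string]$null, $flags)

if (-not $pfx.HasPrivateKey) { throw "Secret decoded but holds no private key: check the policy's exportable setting" }
if ($pfx.Thumbprint -ne $cert.Certificate.Thumbprint) { throw "Thumbprint mismatch between secret and certificate resource" }

# 6. Write only the password-protected PKCS#12, never the unprotected blob.
$pfxPath   = Join-Path ([Environment]::GetFolderPath("Desktop")) "$certificateName.pfx"
$protected = $pfx.Export([Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $pfxPassword)
[IO.File]::WriteAllBytes($pfxPath, $protected)

# 7. Scrub the unprotected bytes from this session.
[Array]::Clear($pfxBytes, 0, $pfxBytes.Length)
Write-Host "Wrote password-protected PFX to $pfxPath (thumbprint $($pfx.Thumbprint))"
```

Two points worth keeping in mind when adapting this. Anyone with `get` permission on secrets in the vault can pull the private key the same way, so if the key only needs to sign or decrypt, set `-KeyNotExportable` and use the key resource for those operations instead of ever exporting it. And the `$pfxPassword` `SecureString` is a convenience for keeping the literal out of scripts and shell history, not a protection of the bytes in process memory; the unprotected PKCS#12 is still in memory until the array is cleared.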
