How to get certificate from Azure KeyVault as .crt and .key files?
I need to export a certificate from Azure KeyVault to a VM as a .crt file, with its key as a .key file.
I found the following article on MS docs: link, which then converts it into the proper files with openssl.
Unfortunately, I have a restriction: I cannot use openssl.
So my question is, is there a way to do it with PowerShell?
When a Key Vault certificate is created, an addressable key and secret
are also created with the same name. The Key Vault key allows key
operations and the Key Vault secret allows retrieval of the
certificate value as a secret. A Key Vault certificate also contains
public x509 certificate metadata.
Source: Composition of a Certificate.
You can use the new az module (CLI based) in PowerShell as below to download the crt (public part), export the private key from the secret, or export the public key from the key (in case you need only the public key), each separately.
Note: The policy used to create the certificate must indicate that the
key is exportable. If the policy indicates non-exportable, then the
private key isn't a part of the value when retrieved as a secret.
Source: Exportable or Non-exportable key.
# download as crt in DER format
# you can also download in PEM format by changing to -e PEM
az keyvault certificate download --vault-name <keyvault-name> -n <cert-name> -f cert.crt -e DER
# private key is stored in secret, exporting separately
az keyvault secret download --vault-name <keyvault-name> -n <cert-name> -f cert.key
# key is stored in key, exporting public part separately in PEM format
# you can also download in DER format by changing to -e DER
# you cannot retrieve private part from key
az keyvault key download --vault-name <keyvault-name> -n <cert-name> -f public-key.pem -e PEM
Note: if you uploaded the certificate in PKCS#12 format, the second command (private key) will be downloaded in p12 format, which requires a password.
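An added example (not part of the answer above) that does the same job with the Az.KeyVault PowerShell module and .NET alone, producing a PEM .crt and a PKCS#8 .key without openssl. It assumes Connect-AzAccount has already been run, PowerShell 7 (.NET Core, for ExportPkcs8PrivateKey), a certificate policy with an exportable key, and a Key Vault-generated PFX with an empty password; <keyvault-name> and <cert-name> are placeholders.

```powershell
using namespace System.Security.Cryptography.X509Certificates
# Added example: pull the companion secret of a Key Vault certificate and split it
# into <cert-name>.crt (PEM certificate) and <cert-name>.key (PKCS#8 private key).
# Assumes Connect-AzAccount done, PowerShell 7, exportable key, password-less PFX.
param(
    [string]$VaultName = '<keyvault-name>',
    [string]$CertName  = '<cert-name>',
    [string]$OutDir    = '.'
)
$ErrorActionPreference = 'Stop'

function ConvertTo-Pem([string]$Label, [byte[]]$Der) {
    $b64 = [Convert]::ToBase64String($Der, [Base64FormattingOptions]::InsertLineBreaks)
    "-----BEGIN $Label-----`n$b64`n-----END $Label-----`n"
}

# The private key is only reachable through the secret that shares the certificate's name.
$secret = Get-AzKeyVaultSecret -VaultName $VaultName -Name $CertName
$value  = [System.Net.NetworkCredential]::new('', $secret.SecretValue).Password

if ($secret.ContentType -eq 'application/x-pem-file') {
    # PEM-typed secret: the text already carries both blocks; split them apart.
    $certPem = [regex]::Match($value, '(?s)-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----').Value
    $keyPem  = [regex]::Match($value, '(?s)-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----').Value
} else {
    # PKCS#12-typed secret: base64 PFX. Load it with the Exportable flag so the
    # private key can be re-exported in plaintext (fails if the policy forbids it).
    $pfx  = [Convert]::FromBase64String($value)
    $cert = [X509Certificate2]::new($pfx, '', [X509KeyStorageFlags]::Exportable)
    $certPem = ConvertTo-Pem 'CERTIFICATE' $cert.Export([X509ContentType]::Cert)
    # RSA and EC keys both expose ExportPkcs8PrivateKey().
    $key = [RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if (-not $key) { $key = [ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert) }
    if (-not $key) { throw "No private key in secret '$CertName' (non-exportable policy?)" }
    $keyPem = ConvertTo-Pem 'PRIVATE KEY' $key.ExportPkcs8PrivateKey()
}
if (-not $certPem -or -not $keyPem) { throw "Could not extract both certificate and key from '$CertName'" }

# Write ASCII PEM files; restrict the key file, since it now holds the plaintext private key.
$crtPath = Join-Path $OutDir "$CertName.crt"
$keyPath = Join-Path $OutDir "$CertName.key"
Set-Content -Path $crtPath -Value $certPem -Encoding ascii -NoNewline
Set-Content -Path $keyPath -Value $keyPem  -Encoding ascii -NoNewline
if (-not $IsWindows) { chmod 600 $keyPath }
Write-Host "Wrote $crtPath and $keyPath"
```

If the policy marks the key non-exportable, the secret contains no private key and the script stops at the throw rather than writing an empty .key file.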