将Azure SSL证书导出为pfx文件

时间:2016-08-08 19:04:40

标签: azure ssl-certificate azure-web-sites

我从azure购买了外卡证书。它现在位于Key Vault中。我需要将它上传到我们的其他服务器,该服务器托管同一域的其他应用程序之一。没有选项可以将证书导出为天蓝色门户网站中任何位置的.pfx文件。

请帮忙。

3 个答案:

答案 0 :(得分:7)

您可以使用PowerShell创建Azure App Service证书的本地PFX副本。

从以下变量中提供适当的值,并将脚本另存为copyasc.ps1

变量:

$appServiceCertificateName = "ascdemo"
$resourceGroupName = "ascdemorg"
$azureLoginEmailId = "user@microsoft.com"
$subscriptionId = "fb2c25dc-6bab-45c4-8cc9-cece7c42a95a"

copyasc.ps1:

$appServiceCertificateName = ""
$resourceGroupName = ""
$azureLoginEmailId = ""
$subscriptionId = ""

Login-AzureRmAccount
Set-AzureRmContext -SubscriptionId $subscriptionId

$ascResource = Get-AzureRmResource -ResourceName $appServiceCertificateName -ResourceGroupName $resourceGroupName -ResourceType "Microsoft.CertificateRegistration/certificateOrders" -ApiVersion "2015-08-01"
$keyVaultId = ""
$keyVaultSecretName = ""

$certificateProperties=Get-Member -InputObject $ascResource.Properties.certificates[0] -MemberType NoteProperty
$certificateName = $certificateProperties[0].Name
$keyVaultId = $ascResource.Properties.certificates[0].$certificateName.KeyVaultId
$keyVaultSecretName = $ascResource.Properties.certificates[0].$certificateName.KeyVaultSecretName

$keyVaultIdParts = $keyVaultId.Split("/")
$keyVaultName = $keyVaultIdParts[$keyVaultIdParts.Length - 1]
$keyVaultResourceGroupName = $keyVaultIdParts[$keyVaultIdParts.Length - 5]
Set-AzureRmKeyVaultAccessPolicy -ResourceGroupName $keyVaultResourceGroupName -VaultName $keyVaultName -UserPrincipalName $azureLoginEmailId -PermissionsToSecrets get
$secret = Get-AzureKeyVaultSecret -VaultName $keyVaultName -Name $keyVaultSecretName
$pfxCertObject=New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @([Convert]::FromBase64String($secret.SecretValueText),"", [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
$pfxPassword = -join ((65..90) + (97..122) + (48..57) | Get-Random -Count 50 | % {[char]$_})
$currentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
[Environment]::CurrentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
[io.file]::WriteAllBytes(".\appservicecertificate.pfx", $pfxCertObject.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $pfxPassword))
Write-Host "Created an App Service Certificate copy at: $currentDirectory\appservicecertificate.pfx"
Write-Warning "For security reasons, do not store the PFX password. Use it directly from the console as required."
Write-Host "PFX password: $pfxPassword"

在PowerShell控制台中键入以下命令以执行脚本:

Powershell –ExecutionPolicy Bypass
.\copyasc.ps1

您可以在Azure App Service团队博客Creating a local PFX copy of App Service Certificate

上找到更多详细信息

如果您有想要在Azure App Service生态系统之外使用的App Service证书,请尝试一下,让我们知道它是如何进行的。如果您遇到任何问题,请通过Stackoverflow或Azure App Service forum.

告知我们

答案 1 :(得分:0)

我发现@dmitry-kazakov的答案是有帮助的,但是必须进行一些较小的更新才能使其对我有用。

首先,我必须执行此命令并将其分配给$azureUserPrincipalName

PS Azure:\> Get-Azureaduser

ObjectId                             DisplayName UserPrincipalName                                             UserType
--------                             ----------- -----------------                                             --------
89500455-0019-4059-8ef8-f1w32993z520 A User rmoore_roundlabinc.com#EXT#@rmooreroundlabinc.onmicrosoft.com Member

然后这是更新的脚本:

$appServiceCertificateName = "ascdemo" #This is the "Subject Name" in Azure, not "Name"
$resourceGroupName = "ascdemorg"
$azureLoginEmailId = "user@microsoft.com"
$subscriptionId = "fb2c25dc-6bab-45c4-8cc9-cece7c42a95a"
$azureUserPrincipalName = "user@microsoft.com#EXT#@user@microsoft.com.onmicrosoft.com"

Login-AzureRmAccount
Set-AzureRmContext -SubscriptionId $subscriptionId

$ascResource= Get-AzureRmResource -ResourceName $appServiceCertificateName -ResourceGroupName $resourceGroupName -ResourceType "Microsoft.CertificateRegistration/certificateOrders" -ApiVersion "2019-05-01"
$keyVaultId = ""
$keyVaultSecretName = ""

$certificateProperties=Get-Member -InputObject $ascResource.Properties.certificates[0] -MemberType NoteProperty
$certificateName = $certificateProperties[0].Name
$keyVaultId = $ascResource.Properties.certificates[0].$certificateName.KeyVaultId
$keyVaultSecretName = $ascResource.Properties.certificates[0].$certificateName.KeyVaultSecretName

$keyVaultIdParts = $keyVaultId.Split("/")
$keyVaultName = $keyVaultIdParts[$keyVaultIdParts.Length - 1]
$keyVaultResourceGroupName = $keyVaultIdParts[$keyVaultIdParts.Length - 5]
Set-AzureRmKeyVaultAccessPolicy -ResourceGroupName $keyVaultResourceGroupName -VaultName $keyVaultName -UserPrincipalName $azureUserPrincipalName -PermissionsToSecrets get
$secret = Get-AzureKeyVaultSecret -VaultName $keyVaultName -Name $keyVaultSecretName
$pfxCertObject=New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @([Convert]::FromBase64String($secret.SecretValueText),"", [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
$pfxPassword = -join ((65..90) + (97..122) + (48..57) | Get-Random -Count 50 | % {[char]$_})
$currentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
[Environment]::CurrentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
[io.file]::WriteAllBytes(".\appservicecertificate.pfx", $pfxCertObject.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $pfxPassword))
Write-Host "Created an App Service Certificate copy at: $currentDirectory\appservicecertificate.pfx"
Write-Warning "For security reasons, do not store the PFX password. Use it directly from the console as required."
Write-Host "PFX password: $pfxPassword"

Powershell –ExecutionPolicy Bypass
.\copyasc.ps1

答案 2 :(得分:0)

某些文档已过时,因此这是一个如何在Mac上使用PowerShell和Azure CLI导出它以及如何将其转换为Nginx的PEM格式的版本。分享只是因为这对我来说很痛苦,因此希望对某人有用:

pwsh
az keyvault secret show --vault-name KeyVaultName --name SecretName | tail -n 1 | cut -d ' ' -f 3 | pbcopy
echo $(pbpaste) > /tmp/pass
$secret=$(cat /tmp/pass)
$pfxCertObject= New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @([Convert]::FromBase64String($secret),"",[System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
$pfxPassword = -join ((65..90) + (97..122) + (48..57) | Get-Random -Count 50 | % {[char]$_})
$currentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
[Environment]::CurrentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
[io.file]::WriteAllBytes("./appservicecertificate.pfx",$pfxCertObject.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12,$pfxPassword))
openssl pkcs12 -in appservicecertificate.pfx -out /tmp/certificate.pem -clcerts -nokeys -password pass:$(echo $pfxPassword)
openssl pkcs12 -in appservicecertificate.pfx -out /tmp/certificate.key_protected -nocerts -password pass:$(echo $pfxPassword)
openssl rsa -in /tmp/certificate.key_protected -out /tmp/certificate.key -passin pass:$(echo $pfxPassword)

最后三行摘自here,中间部分是主要guide的精简版本

相关问题
最新问题