以下脚本将生成自签名证书,创建密码保护pfx并将证书添加到密钥保管库。 当我在脚本之后运行ARM模板时,它会因以下错误而失败。 但是,当我在UI(Azure门户)中手动上载pfx并输入正确的密码时,ARM模板将成功部署。 任何想法如何使这个工作?
PowerShell代码(在门户网站上传生成的pfx时,不会抛出任何错误):
# Generate the certificate in the local store
$cert = New-SelfSignedCertificate -CertStoreLocation "cert:\CurrentUser\My" -Subject "CN=$certificateName" -KeyExportPolicy Exportable
# Get the raw value of the certificate
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
Export-PfxCertificate -Cert $cert -Password $certPasswordSecure -FilePath "d:/temp/SelfSigned.pfx"
$secret = ConvertTo-SecureString -String $keyValue -AsPlainText –Force
$secretContentType = 'application/x-pkcs12'
Set-AzureKeyVaultSecret -VaultName $keyVaultName -Name $keyVaultSecretNameCertificate -SecretValue $keyValue -ContentType $secretContentType
错误:
New-AzureRmResourceGroupDeployment : 21:22:36 - Resource Microsoft.Web/certificates 'testCertificate' failed with message '{
"Code": "BadRequest",
"Message": "The parameter KeyVault Certificate has an invalid value.",
"Target": null,
"Details": [
{
"Message": "The parameter KeyVault Certificate has an invalid value."
},
{
"Code": "BadRequest"
},
{
"ErrorEntity": {
"Code": "BadRequest",
"Message": "The parameter KeyVault Certificate has an invalid value.",
"ExtendedCode": "51008",
"MessageTemplate": "The parameter {0} has an invalid value.",
"Parameters": [
"KeyVault Certificate"
],
"InnerErrors": null
}
}
],
"Innererror": null
}'
At line:3 char:1
+ New-AzureRmResourceGroupDeployment -Name TestKeyVaultDeploy -Resource ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-AzureRmResourceGroupDeployment], Exception
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceGroupDeploymentCmdlet
New-AzureRmResourceGroupDeployment : 21:23:11 - Template output evaluation skipped: at least one resource deployment operation failed. Please list deployment operations
for details. Please see https://aka.ms/arm-debug for usage details.
At line:3 char:1
+ New-AzureRmResourceGroupDeployment -Name TestKeyVaultDeploy -Resource ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-AzureRmResourceGroupDeployment], Exception
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceGroupDeploymentCmdlet
New-AzureRmResourceGroupDeployment : 21:23:11 - Template output evaluation skipped: at least one resource deployment operation failed. Please list deployment operations
for details. Please see https://aka.ms/arm-debug for usage details.
At line:3 char:1
+ New-AzureRmResourceGroupDeployment -Name TestKeyVaultDeploy -Resource ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-AzureRmResourceGroupDeployment], Exception
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceGroupDeploymentCmdlet
ARM证书资源:
{
"type": "Microsoft.Web/certificates",
"name": "testCertificate",
"apiVersion": "2016-03-01",
"location": "[resourceGroup().location]",
"properties": {
"keyVaultId": "[parameters('masterKeyVaultId')]",
"keyVaultSecretName": "[parameters('servicePrincipalCertSecretName')]",
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms/', variables('appServicePlanName'))]"
}
},
答案 0 :(得分:1)
也许您在上传时错过了证书政策? 但实际上,如果您正在生成新证书,那么为什么要在本地生成证书,只需在密钥保险库本身生成证书。
$credential = Get-Credential
login-azurermaccount -Credential $credential
$vaultName = 'my-vault-full-of-keys'
$certificateName = 'my-new-cert'
$policy = New-AzureKeyVaultCertificatePolicy -SubjectName "CN=mememe.me" -IssuerName Self -ValidityInMonths 120
Add-AzureKeyVaultCertificate -VaultName $vaultName -Name $certificateName -CertificatePolicy $policy