我正在尝试从azure keyvault获取pfx文件,而不是将其放在本地计算机上。我打算用它来创建一个HTTPS服务器。
然而,当我从keyvault读取它并写入本地的pfx文件时。该文件的大小似乎略有变化,即使使用正确的密码,它也不再适用于生成证书。我在java上尝试过相同的操作,看起来并不特定于平台。
client.getSecret("https://sl-dev-keys.vault.azure.net/secrets/newcertpfx/888175c395264e6096bf0a02ef73de1a", function(getErr, getSecretBundle) {
if (getErr) throw getErr;
console.log('\n\nSecret ', getSecretBundle.value, ' is retrieved.\n');
var fs = require('fs');
var fileContent = getSecretBundle.value;
let writeStream = fs.createWriteStream('test.pfx');
// write some data with a base64 encoding
writeStream.write(fileContent, 'base64');
// the finish event is emitted when all data has been flushed from the stream
writeStream.on('finish', () => {
console.log('wrote all data to file');
});
// close the stream
writeStream.end('end');
答案 0 :(得分:0)
如果证书文件需要存储在硬盘上,那么您可能需要使用密码对其进行加密。
供参考,这是一个用于检索pfx文件的PowerShell脚本&添加密码:
$kvSecret = Get-AzureKeyVaultSecret -VaultName $vaultName -Name $secretName
$kvSecretBytes = [System.Convert]::FromBase64String($kvSecret.SecretValueText)
$certCollection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$certCollection.Import($kvSecretBytes,$null,[System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
$password = '******'
$protectedCertificateBytes = $certCollection.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $password)
$pfxPath = [Environment]::GetFolderPath("Desktop") + "\MyCert.pfx"
[System.IO.File]::WriteAllBytes($pfxPath, $protectedCertificateBytes)
答案 1 :(得分:0)
这里是一个示例,该示例说明如何设置一个node.js https服务器,并使用从Azure密钥库中获取的证书作为证书。
import { SecretClient } from '@azure/keyvault-secrets';
import https from 'https';
...
const client = new SecretClient(url, credential);
const secret = await client.getSecret(certificateName);
const options = {
pfx: new Buffer(secret.value, 'base64')
};
https.createServer(options, app).listen(PORT);