PowerShell: get a certificate from the local store as a string, including the private key, for storing in Key Vault

Date: 2018-01-24 22:46:43

Tags: powershell certificate x509certificate azure-keyvault

Question: What do I need to do in PowerShell to get the Base64 string of the whole certificate, including the private key?

Case: On Windows, I have a certificate in my user store.

In PowerShell I do the following:

# Find the certificate in the current user's personal store
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -match "cert-subject" }
# RawData is the DER-encoded certificate only, so this Base64 string carries no private key
$certdata = [System.Convert]::ToBase64String($cert.RawData)
$str = ConvertTo-SecureString -String $certdata -AsPlainText -Force

Now in $str I only find the public key; the private key part is missing.

I am trying to upload $str as an Azure Key Vault secret with the following command:

Set-AzureKeyVaultSecret `
    -VaultName $VaultName `
    -Name $SecretName `
    -SecretValue $str `
    -ContentType 'application/x-pkcs12' `
    -Expires $cert.NotAfter `
    -NotBefore $cert.NotBefore

But the result is a file that contains only the private key.

If I manually save the certificate from the local store, exporting the private key to a file, then I can upload the complete certificate pair through the Azure portal.

Thanks!

1 answer:

Answer 0 (score: 2)

Partly taken from How to serialize and deserialize a PFX certificate in Azure Key Vault?

If you have a certificate with its private key installed in the local user certificate store and need to use it to authenticate to Azure, there are several steps to take.

$VaultName = 'myVaultName'
$SecretName = 'mySecretName'

$pfxFilePath = "C:\Path_to_\Exported_Key.pfx"
$pfx_password = "yourpassword"
# Password to be used for the exported PKCS#12 file (same value as $pfx_password)
$pfx_password_securestring = ConvertTo-SecureString -String $pfx_password -Force -AsPlainText
# Export the certificate with its (exportable) private key to a portable .pfx
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -match "cert-subject" }
$cert | Export-PfxCertificate -FilePath $pfxFilePath -Password $pfx_password_securestring

# Re-import the .pfx with the Exportable flag so the private key can be exported again
$flag = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
$collection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$collection.Import($pfxFilePath, $pfx_password, $flag)
# Export the certificate and private key again as PKCS#12, this time with no password
$pkcs12ContentType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12
$clearBytes = $collection.Export($pkcs12ContentType)
# Base64-encode the PKCS#12 bytes and wrap them as the secret value
$fileContentEncoded = [System.Convert]::ToBase64String($clearBytes)
$certsecret = ConvertTo-SecureString -String $fileContentEncoded -AsPlainText -Force
$secretContentType = 'application/x-pkcs12'

Set-AzureKeyVaultSecret `
    -VaultName $VaultName `
    -Name $SecretName `
    -SecretValue $certsecret `
    -ContentType $secretContentType `
    -Expires $cert.NotAfter `
    -NotBefore $cert.NotBefore

The private key in the CurrentUser certificate store needs to be exportable.
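The question's block exports only $cert.RawData, which is the DER certificate without a key, and the answer's block gets the key out by writing a .pfx to disk, re-importing it with the Exportable flag and exporting it again without a password. The following PowerShell is an added example, not code from the question or the answer: it performs the same PKCS#12 export directly from the store object in memory, checks up front that a private key is present and exportable, and verifies that the blob round-trips before uploading it. The subject filter, vault name and secret name are the placeholders used on this page; the script assumes Windows PowerShell 5.1 on .NET 4.7.2 or later (for EphemeralKeySet) and the AzureRM module that provides Set-AzureKeyVaultSecret.

```powershell
# Added example, not from the original question or answer.
# Assumes Windows PowerShell 5.1 / .NET 4.7.2+ (EphemeralKeySet) and the AzureRM module.
# "cert-subject", myVaultName and mySecretName are placeholders, as on the page.
$SubjectPattern = "cert-subject"
$VaultName      = 'myVaultName'
$SecretName     = 'mySecretName'

# 1. Locate exactly one certificate and confirm a private key is attached in this store.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -match $SubjectPattern } |
    Select-Object -First 1
if (-not $cert) {
    throw "No certificate matching '$SubjectPattern' in Cert:\CurrentUser\My"
}
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key; RawData is all that could be exported"
}

# 2. RawData is only the DER certificate. A PKCS#12 export carries the key as well, but
#    the CSP/KSP refuses it unless the key was generated or imported as exportable.
#    Export() without a password yields a password-less PFX, as the answer above produces.
$pkcs12 = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12
try {
    $pfxBytes = $cert.Export($pkcs12)
} catch [System.Security.Cryptography.CryptographicException] {
    throw "Private key of $($cert.Thumbprint) is not exportable: $($_.Exception.Message). Re-import the key with the Exportable flag or issue a new one."
}

# 3. Round-trip the blob in memory (EphemeralKeySet writes no key container to the
#    profile) and confirm the private key and certificate survived.
$ephemeral = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
$check = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxBytes, "", $ephemeral)
if (-not $check.HasPrivateKey -or $check.Thumbprint -ne $cert.Thumbprint) {
    throw "PKCS#12 round-trip did not preserve the certificate and private key"
}
$check.Dispose()

# 4. Base64-encode the PKCS#12 bytes and upload them as a secret with the PKCS#12 content type.
$certSecret = ConvertTo-SecureString -String ([Convert]::ToBase64String($pfxBytes)) -AsPlainText -Force
Set-AzureKeyVaultSecret `
    -VaultName   $VaultName `
    -Name        $SecretName `
    -SecretValue $certSecret `
    -ContentType 'application/x-pkcs12' `
    -Expires     $cert.NotAfter `
    -NotBefore   $cert.NotBefore

# 5. Scrub the plaintext PFX bytes from memory now that they are in the vault.
[Array]::Clear($pfxBytes, 0, $pfxBytes.Length)
```

Nothing is written to disk in this version, so there is no temporary .pfx holding the private key to forget about afterwards. If step 2 throws, the key in the store was imported without the Exportable flag; the usual fix is to import the original .pfx again with Import-PfxCertificate -Exportable (or to issue a fresh key), since a non-exportable key cannot be turned into an exportable one in place.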