Import-AzKeyVaultCertificate cmdlet result: Key not valid for use in specified state

Time: 2019-05-07 18:47:03

Tags: azure import certificate azure-powershell azure-keyvault

I am trying to import a .pfx certificate into Azure Key Vault, but I am running into some problems.

Import-AzKeyVaultCertificate -VaultName "SecHash03" -Name "CodeSigning" -FilePath "\path\to\my\cert.pfx"

Result:

Import-AzKeyVaultCertificate : Key not valid for use in specified state.
At line:1 char:1
+ Import-AzKeyVaultCertificate -VaultName SecHash03 -Name " ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Import-AzKeyVaultCertificate], CryptographicException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.KeyVault.ImportAzureKeyVaultCertificate

I am requesting this certificate with certreq from an enterprise CA, on a machine in the same domain as the CA. No password is required to import the certificate. The plan is to upload that certificate to the Azure Key Vault named above.

I tried importing this certificate through the Azure portal and it works fine; both importing and using it. So this is not the role problem suggested in another similar Stack Overflow answer (Importing certificate to Azure Key Vault: Key not valid for use in specified state).

Please advise!

1 answer:

Answer 0 (score: 0)

As far as I know, when you import a pre-existing .pfx certificate into Azure Key Vault, you need to provide a password to protect the certificate, since you need to include the private key and, where possible, all the certificates in the certificate path.

Or,

If you use a supported CA, you can even configure Key Vault to enroll for a certificate on your behalf. No key leakage! For simplicity, the policy in these examples will be set to generate a self-signed certificate from Key Vault.

# Export the cert to a PFX with password.
# $cert is assumed to be the X509Certificate2 object obtained earlier in the
# documentation walkthrough this snippet comes from (not shown here).
$password = ConvertTo-SecureString "Password!" -AsPlainText -Force
Export-PfxCertificate -Cert "cert:\CurrentUser\My\$($cert.Thumbprint)" -FilePath C:\temp\cert2.pfx -Password $password

# Upload to Key Vault, passing the same password so the cmdlet can open the PFX.
# Import-AzureKeyVaultCertificate is the AzureRM-module name; the Az-module
# equivalent used in the question is Import-AzKeyVaultCertificate, with the
# same -VaultName, -Name, -FilePath and -Password parameters.
Import-AzureKeyVaultCertificate -VaultName noel-temp -Name cert2 -FilePath C:\temp\cert2.pfx -Password $password

You can get more details from these two links:

Importing Certificates to Key Vault

Manage certificates via Azure Key Vault
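The following is an added example that is not part of the question or the answer above. It walks the full procedure the answer describes with the Az module: find the enterprise-CA certificate that certreq installed in the user store, confirm it carries a private key, export it to a password-protected PFX that includes the issuing chain, import it with Import-AzKeyVaultCertificate -Password, and verify the thumbprint in the vault. It also checks the CNG export policy of the private key before exporting; a non-exportable key is a common source of a CryptographicException on export paths, but the thread does not establish that this is the cause of the error in the question, so treat that check as an assumption. The subject name, the temporary file path and the random PFX password are placeholders; the vault and certificate names are taken from the question. An authenticated Az session (Connect-AzAccount) is assumed.

```powershell
# Added example (not the question's or answer's code). Assumes Connect-AzAccount
# has already been run and that the caller has the certificate import permission
# on the vault. Names below are placeholders except where noted.
$vaultName  = "SecHash03"                  # vault name from the question
$kvCertName = "CodeSigning"                # certificate name from the question
$subject    = "CN=codesigning.example.com" # assumed subject of the issued cert
$pfxPath    = Join-Path $env:TEMP "codesigning.pfx"

# 1. Locate the certificate certreq installed in CurrentUser\My and make sure a
#    private key is attached; without one Key Vault cannot create a usable
#    certificate object. Prefer the newest if several match.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq $subject -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for $subject" }

# 2. Assumed check: for CNG keys, confirm the key was issued as exportable.
#    A key without AllowExport cannot be written to a PFX and has to be
#    re-requested with 'Exportable = TRUE' in the certreq INF file.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $policy = $rsa.Key.ExportPolicy
    if (-not ($policy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport)) {
        throw "Private key for $($cert.Thumbprint) is not exportable (ExportPolicy=$policy)"
    }
}

# 3. Export to a PFX protected by a random password (never a fixed literal),
#    including the issuing chain so the vault stores the full certificate path.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$pfxPassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword -ChainOption BuildChain | Out-Null

try {
    # 4. Import into Key Vault with the same password so the cmdlet can open
    #    the PFX and extract the private key.
    $kvCert = Import-AzKeyVaultCertificate -VaultName $vaultName -Name $kvCertName `
        -FilePath $pfxPath -Password $pfxPassword

    # 5. Verify that what landed in the vault is the certificate we exported.
    if ($kvCert.Thumbprint -ne $cert.Thumbprint) {
        throw "Thumbprint mismatch: vault has $($kvCert.Thumbprint), local is $($cert.Thumbprint)"
    }
    Write-Host "Imported $($kvCert.Name) (version $($kvCert.Version)) into $vaultName"
}
finally {
    # 6. The PFX on disk contains the private key; remove it once uploaded.
    Remove-Item $pfxPath -Force -ErrorAction SilentlyContinue
}
```

The password only needs to survive long enough for the import call, which is why it is generated in memory and the PFX is deleted in the finally block even if the import fails. If the export policy check throws, the fix is on the certreq side (request a new certificate with an exportable key), not in Key Vault.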