Deploy Certificates to VMs from Azure Key Vault

There is some good guidance available from Microsoft on how to manage certificates in Azure Key Vault. There is also some good guidance on how to deploy a certificate stored as a secret in Key Vault to an Azure VM. This article puts that advice together and demonstrates how to download a Key Vault certificate and store it as a secret ready for deployment to Azure VMs.

When I first started looking into this I assumed that you could deploy an Azure Key Vault certificate directly to an Azure VM. As it turns out you can't. What you can do is store a secret in Azure Key Vault that represents a Pfx certificate file which can then be used via PowerShell or an ARM Template.

The PowerShell snippet below shows what's needed. Just change the variables at the top.

$vaultName = "vaultname"
$secretName = "cert-name"
$password = ""
###########################

#Get the certificate bytes from Key Vault
$kvCertBytes = [Convert]::FromBase64String((Get-AzureKeyVaultSecret -VaultName $vaultName -Name $secretName).SecretValueText)

#Create a password protected pfx and convert it to base64
$certificates = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$certificates.Import($kvCertBytes, $null, "Exportable")
$protectedCertificateBytes = $certificates.Export("Pkcs12",$password)
$certificateEncoded = [Convert]::ToBase64String($protectedCertificateBytes)

#Save a secret containing the certificate to key vault
$certificateData = @{data=$certificateEncoded;dataType="pfx";password=$password} | ConvertTo-Json
$jsonBytes = [System.Text.Encoding]::UTF8.GetBytes($certificateData)
$jsonEncoded = [Convert]::ToBase64String($jsonBytes)
$secret = ConvertTo-SecureString -String $jsonEncoded -AsPlainText -Force
Set-AzureKeyVaultSecret -VaultName $vaultName -Name "cert-VM-Deploy" -SecretValue $secret
Author image
About Jacob Hodges