How to import certificate from Azure?

We purchased a certificate through Azure and want to use it on the same VM. All we need is the .pfx file.

We have tried almost everything, but we get the following error:

"You do not have permission to get the service prinicipal information needed to assign a Key Vault to your certificate. Please login with an account which is either the owner of the subscription or an admin of the Active Directory to configure Key Vault settings."

But we do have the permissions...

@Sasha, there is not much detail here to go on, and given that you have already tried everything I don't want to state the obvious, but the error message is very clear - "You do not have permission to get the service principal information needed".

A few things to clarify and check:

  1. Did you buy an Azure "App Service Certificate"?
  2. Is the certificate in the 'issued' state?
  3. Are you logged in as the subscription owner, or did the owner grant you admin access to their subscription? I don't think the latter is good enough.
  4. Did you complete the three-step verification process?

If you have done all of this, your certificate is now stored in Azure Key Vault. When creating an Azure Key Vault there is an advanced access policy option, "Enable Access to Azure Virtual Machines for deployment" (see figure). Its help text reads: "Specifies whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault."

That said, since you need a .pfx file, below is a sample PowerShell script taken from an MSDN blog that does exactly that. Provide appropriate values for the four "$" parameters at the top and save the script as copyasc.ps1.

# Fill in these four values before running the script.
$appServiceCertificateName = ""   # name of the App Service Certificate order resource
$resourceGroupName = ""           # resource group that contains the certificate order
$azureLoginEmailId = ""           # UPN you sign in with; it is granted 'get' on secrets in the vault
$subscriptionId = ""

# Sign in with the AzureRM module. (With the newer Az module the equivalents are
# Connect-AzAccount / Set-AzContext, and the cmdlets below lose the "Rm" in their names.)
Login-AzureRmAccount
Set-AzureRmContext -SubscriptionId $subscriptionId

# Read the certificate order resource; its properties record which Key Vault secret holds the PFX.
$ascResource = Get-AzureRmResource -ResourceName $appServiceCertificateName -ResourceGroupName $resourceGroupName -ResourceType "Microsoft.CertificateRegistration/certificateOrders" -ApiVersion "2015-08-01"

# The certificates collection is keyed by certificate name, so discover the first key by reflection.
$certificateProperties = Get-Member -InputObject $ascResource.Properties.certificates[0] -MemberType NoteProperty
$certificateName = $certificateProperties[0].Name
$keyVaultId = $ascResource.Properties.certificates[0].$certificateName.KeyVaultId
$keyVaultSecretName = $ascResource.Properties.certificates[0].$certificateName.KeyVaultSecretName

# A Key Vault resource ID looks like
#   /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.KeyVault/vaults/{name}
# so the vault name is the last segment and the resource group is five segments from the end.
$keyVaultIdParts = $keyVaultId.Split("/")
$keyVaultName = $keyVaultIdParts[$keyVaultIdParts.Length - 1]
$keyVaultResourceGroupName = $keyVaultIdParts[$keyVaultIdParts.Length - 5]

# Grant the signed-in user 'get' on secrets only (the minimum this task needs), then read the secret.
Set-AzureRmKeyVaultAccessPolicy -ResourceGroupName $keyVaultResourceGroupName -VaultName $keyVaultName -UserPrincipalName $azureLoginEmailId -PermissionsToSecrets get
$secret = Get-AzureKeyVaultSecret -VaultName $keyVaultName -Name $keyVaultSecretName

# The secret value is a base64-encoded PKCS#12 blob protected by an empty password. Load it with an
# exportable key so it can be re-exported under a password of our own. (In the Az module the
# SecretValueText property no longer exists; convert $secret.SecretValue from a SecureString instead.)
$pfxCertObject = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @([Convert]::FromBase64String($secret.SecretValueText), "", [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)

# 50-character alphanumeric password. Get-Random -Count samples the 62 characters without
# replacement (no character repeats), and Get-Random is not a CSPRNG; that is acceptable for a
# password that only has to survive this console session, as the warning below says.
$pfxPassword = -join ((65..90) + (97..122) + (48..57) | Get-Random -Count 50 | % {[char]$_})

# .NET file APIs resolve relative paths against the process working directory, which is not
# necessarily PowerShell's current location, so align the two before writing.
$currentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
[Environment]::CurrentDirectory = $currentDirectory
[io.file]::WriteAllBytes(".\appservicecertificate.pfx", $pfxCertObject.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $pfxPassword))
Write-Host "Created an App Service Certificate copy at: $currentDirectory\appservicecertificate.pfx"
Write-Warning "For security reasons, do not store the PFX password. Use it directly from the console as required."
Write-Host "PFX password: $pfxPassword"

Type the following in a PowerShell console to run the script:

powershell -ExecutionPolicy Bypass
.\copyasc.ps1

After the script runs you will see a new file named "appservicecertificate.pfx" in the current directory. It is a password-protected PFX, and the PowerShell console prints the corresponding password.
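The script above stops at the point where the PFX is on disk. The question's actual goal is to use the certificate on the VM, so the following is an added example (not part of the answer above or of the MSDN blog script) of the follow-on step: check the exported PFX, install it into the machine store with a non-exportable private key, validate the chain against the expected hostname, and then get rid of the file. It assumes the file name produced by copyasc.ps1, an elevated PowerShell session on the VM, the built-in PKI module (Get-PfxData, Import-PfxCertificate, Test-Certificate), and a placeholder hostname www.example.com that you replace with the name the certificate was issued for.

```powershell
# Added example, not from the original answer or the MSDN blog script.
# Run in an elevated PowerShell on the VM after copyasc.ps1 has produced appservicecertificate.pfx.
# Assumptions: the PKI module is available, and $ExpectedDnsName is the hostname the certificate
# was issued for (the default below is a placeholder).
param(
    [string]$PfxPath = ".\appservicecertificate.pfx",
    [string]$ExpectedDnsName = "www.example.com"
)

$ErrorActionPreference = "Stop"
$PfxPath = (Resolve-Path $PfxPath).Path

# Take the password from the console as a SecureString. Never pass it on the command line, where it
# would be recorded in the PowerShell history and in process-creation audit logs.
$pfxPassword = Read-Host -Prompt "PFX password" -AsSecureString

# 1. Inspect the PFX before it touches any certificate store.
$pfxData = Get-PfxData -FilePath $PfxPath -Password $pfxPassword
$leaf = $pfxData.EndEntityCertificates | Select-Object -First 1
if (-not $leaf) { throw "No end-entity certificate found in $PfxPath" }
if (-not $leaf.HasPrivateKey) { throw "PFX contains no private key; the export was incomplete" }
if ($leaf.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($leaf.NotAfter)" }

# GetNameInfo returns the first DNS name (SAN entry, falling back to the subject CN).
# -notlike lets a wildcard certificate such as *.example.com match a host under it.
$dnsName = $leaf.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
if ($ExpectedDnsName -notlike $dnsName) {
    throw "Certificate is issued for '$dnsName', expected '$ExpectedDnsName'"
}
Write-Host "PFX OK: subject=$($leaf.Subject) thumbprint=$($leaf.Thumbprint) expires=$($leaf.NotAfter)"

# 2. Install into the machine store. Import-PfxCertificate marks the private key non-exportable
#    unless -Exportable is given, so an attacker who later lands on the VM cannot simply re-export it.
$imported = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword

# 3. Intermediate CA certificates bundled in the PFX go into the CA store so the chain builds
#    locally. Self-signed roots are skipped on purpose: trusting a root is a separate decision.
foreach ($ca in $pfxData.OtherCertificates) {
    if ($ca.Subject -ne $ca.Issuer) {
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("CA", "LocalMachine")
        $store.Open("ReadWrite")
        $store.Add($ca)
        $store.Close()
    }
}

# 4. Build and validate the chain for server authentication against the expected hostname.
if (-not (Test-Certificate -Cert $imported -Policy SSL -DNSName $ExpectedDnsName)) {
    throw "Chain validation failed for $($imported.Thumbprint); check the intermediate certificates"
}

# 5. The key now lives in the store; neither the file nor the password is needed any longer.
Remove-Item -Path $PfxPath -Force
$pfxPassword.Dispose()
Write-Host "Installed $($imported.Thumbprint) into Cert:\LocalMachine\My"
```

Once the thumbprint is printed, bind it in IIS or whatever service terminates TLS. If the VM is (re)deployed from a template, the vault option the answer quotes is the alternative to copying the PFX by hand at all: turning it on (Set-AzureRmKeyVaultAccessPolicy -VaultName <name> -EnabledForDeployment) lets the Compute resource provider fetch the Key Vault secret onto the VM during deployment, so the private key never passes through an operator's workstation.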