
Azure Key Vault - CertificateClient - import_certificate: (BadParameter) Property policy has invalid value


I have been trying to upload some Let's Encrypt certificates to Azure AKS but am having some issues....

The documentation here: suggests all I need to provide is certificate_name and certificate_bytes. When I try this I get:

In [176]: x = c.import_certificate('le-test-cert', bcert)
AttributeError: 'NoneType' object has no attribute '_to_certificate_policy_bundle'

When trying with a certificate policy I tried both:

In [180]: p = CertificatePolicy('Unknown', subject='CN=devtest.<removed>.com')
In [181]: x = c.import_certificate('le-test-cert', bcert, policy=p)
HttpResponseError: (BadParameter) Property policy has invalid value

and

In [183]: p = CertificatePolicy.get_default()
In [184]: x = c.import_certificate('le-test-cert', bcert, policy=p)
HttpResponseError: (BadParameter) Property policy has invalid value

Finally I tried uploading the certificate via the portal, pulling it back down with the SDK and getting the generated policy. Using this policy, I was able to upload the certificate again....

In [186]: x = c.get_certificate('manual-test')
In [187]: x = c.import_certificate('2le-test-cert', bcert, policy=x.policy)
Readonly attribute created will be ignored in class <class 'azure.keyvault.certificates._shared._generated.v7_0.models._models_py3.CertificateAttributes'>
Readonly attribute updated will be ignored in class <class 'azure.keyvault.certificates._shared._generated.v7_0.models._models_py3.CertificateAttributes'>

However, when trying to use this policy to generate a fresh one I kept getting the same "BadParameter"... Does anyone have a working example of how to do this? Or any idea where I am going wrong?

Thank you


Solution

  • According to my test, when we import certificates to Azure Key Vault, we need to tell the Key Vault the type of the certificate (pfx or pem). So we need to specify the content_type in the CertificatePolicy.

    For example:

    import os
    import OpenSSL.crypto
    from azure.identity import ClientSecretCredential
    from azure.keyvault.certificates import CertificateClient, CertificatePolicy
    
    # read the pfx file content
    pfx = open('E:\\mycert.pfx', 'rb').read()
    # the password protecting the pfx
    pfxPassword = b'Password0123!'
    # get the Common Name field of the subject
    p12 = OpenSSL.crypto.load_pkcs12(pfx, pfxPassword)
    cert = p12.get_certificate()
    subject = cert.get_subject()
    issued_to = subject.CN
    
    # service principal credentials (assumed to be held in environment variables)
    token_credential = ClientSecretCredential(
        tenant_id=os.environ['AZURE_TENANT_ID'],
        client_id=os.environ['AZURE_CLIENT_ID'],
        client_secret=os.environ['AZURE_CLIENT_SECRET'],
    )
    
    client = CertificateClient('https://testsql08.vault.azure.net/', token_credential)
    # the policy must state the content type of the certificate being imported
    cert_policy = CertificatePolicy(
        issuer_name="Unknown",
        subject="CN=" + issued_to,
        content_type="application/x-pkcs12"
    )
    result = client.import_certificate(
        certificate_name='test14578', certificate_bytes=pfx, policy=cert_policy, password=pfxPassword.decode('utf-8')
    )
    print(result.id)
    

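An added example (not from the answer above) that derives content_type from the certificate bytes themselves, so a Let's Encrypt PEM bundle and a PFX export each get a policy Key Vault accepts, and that fails early on a PEM file with no private key; the DefaultAzureCredential login, vault URL and certificate name are assumptions, and the sample bytes are constructed.

```python
# Added example: pick content_type from the bytes so the CertificatePolicy
# matches what is imported. The two content_type values are the ones Key
# Vault accepts; the vault URL, name and credential are caller-supplied.

PKCS12 = "application/x-pkcs12"
PEM = "application/x-pem-file"

# constructed sample inputs (not real keys): a PEM bundle with cert + key,
# and the first bytes of a DER-encoded PKCS#12 blob (ASN.1 SEQUENCE tag 0x30)
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
              b"-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n")
SAMPLE_PFX = b"\x30\x82\x0a\x1c\x02\x01\x03\x30\x82\x09\xe2"


def detect_content_type(cert_bytes: bytes) -> str:
    """Return the Key Vault content_type for the given certificate bytes."""
    if cert_bytes[:1] == b"\x30":
        # DER SEQUENCE: a PFX/PKCS#12 file
        return PKCS12
    if b"-----BEGIN CERTIFICATE-----" in cert_bytes:
        # Key Vault import needs the private key as well; a cert-only PEM
        # such as cert.pem or fullchain.pem is rejected, so fail early here
        if b"PRIVATE KEY-----" not in cert_bytes:
            raise ValueError("PEM must contain the private key with the certificate")
        return PEM
    raise ValueError("neither a PKCS#12 blob nor a PEM bundle")


def policy_kwargs(cert_bytes: bytes, subject: str) -> dict:
    """Keyword arguments for CertificatePolicy when importing (not issuing)."""
    return {"issuer_name": "Unknown",
            "subject": subject,
            "content_type": detect_content_type(cert_bytes)}


def import_with_policy(vault_url, name, cert_bytes, subject, password=None):
    """Import the certificate using the detected policy. Needs azure-identity
    and azure-keyvault-certificates; imported lazily so the helpers above
    run without them (assumed DefaultAzureCredential login)."""
    from azure.identity import DefaultAzureCredential
    from azure.keyvault.certificates import CertificateClient, CertificatePolicy

    client = CertificateClient(vault_url, DefaultAzureCredential())
    policy = CertificatePolicy(**policy_kwargs(cert_bytes, subject))
    return client.import_certificate(certificate_name=name, certificate_bytes=cert_bytes,
                                     policy=policy, password=password)
```

For a PFX, pass the export password as `password`; for a PEM bundle the key must be unencrypted and `password` stays `None`.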