
Add-AzKeyVaultKey fails with message "Invalid provider type specified" when adding key to keyvault


I'm trying to add a key to a keyvault using Add-AzKeyVaultKey, but it fails with the message "Invalid provider type specified".

Add-AzKeyVaultKey : Invalid provider type specified.
At line:3 char:1
+ Add-AzKeyVaultKey -VaultName '$KeyVaultName' -Name 'alfalaval-as2-pri ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Add-AzKeyVaultKey], CryptographicException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.KeyVault.AddAzureKeyVaultKey

I can successfully import the certificate (from pfx) to the keyvault, but when importing the key from the same pfx the operation fails.

According to Microsoft's documentation, it should be a pfx file (PEM not supported): Microsoft, Add-AzKeyVaultKey

I've uploaded a sample dummy keypair here (keypair at filebin) if anyone wants to try it out.

Sample code

# Import the certificate used for encryption (this step succeeds)
$Password = ConvertTo-SecureString -String "abcd1234" -AsPlainText -Force
Import-AzKeyVaultCertificate -VaultName "$KeyVaultName" -Name "as2-demo-certificate" -FilePath 'C:\mypath\as2-demo-cert.pfx' -Password $Password

# Import the private key used for decryption from the same pfx (this step fails with
# "Invalid provider type specified"). Note: double quotes around $KeyVaultName so the
# variable expands; in single quotes the literal string '$KeyVaultName' is passed.
Add-AzKeyVaultKey -VaultName "$KeyVaultName" -Name 'as2-demo-private-key' -Destination 'Software' -KeyFilePath 'C:\mypath\as2-demo-cert.pfx' -KeyFilePassword $Password

Any help is appreciated :)


Solution

  • As Theo pointed out here (read for more details), the solution is to specify the provider when generating our keypair since the Add-AzKeyVaultKey cmdlet only supports the Cryptography Next Generation (CNG, CAPI2) provider.

    Click here for another great post with even more details.

    If you do not specify the provider, the New-SelfSignedCertificate cmdlet defaults to "Microsoft Software Key Storage Provider".

    Supported provider: "Microsoft RSA SChannel Cryptographic Provider"

    Sample

    # Generate the keypair with the provider given explicitly; without -Provider the
    # cmdlet falls back to "Microsoft Software Key Storage Provider", which is the
    # pfx that Add-AzKeyVaultKey rejects with "Invalid provider type specified".
    New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -KeyAlgorithm "RSA" `
        -DnsName "test.local" -Subject "test.local" -FriendlyName "test-cng" `
        -Provider "Microsoft RSA SChannel Cryptographic Provider" `
        -KeyExportPolicy "Exportable" -NotAfter (Get-Date).AddYears(10)
    

    When exporting this as a pfx, the PowerShell cmdlet has no problem parsing it. Would be great if the MS Documentation pointed this out - would have saved me a ton of troubleshooting :)
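An added example (not code from the question or the answer above) that ties the steps together: generate the keypair with the provider the answer names, inspect which provider actually backs the private key inside a pfx before calling Add-AzKeyVaultKey, and only then import. The helper name Get-PfxKeyProvider, the vault name and the file paths are assumptions; the provider check uses the .NET X509 and RSA classes rather than an Az cmdlet.

```powershell
# Added example: generate, verify the key provider of the pfx, then import.
$KeyVaultName = 'my-vault'                        # placeholder vault name
$PfxPath      = 'C:\mypath\as2-demo-cert.pfx'     # placeholder path
$Password     = Read-Host -AsSecureString -Prompt 'PFX password'

# 1. Generate the keypair with the provider given explicitly (the default
#    "Microsoft Software Key Storage Provider" produces a pfx the cmdlet rejects).
$cert = New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My `
    -KeyAlgorithm RSA -KeyLength 2048 -DnsName 'test.local' -Subject 'CN=test.local' `
    -Provider 'Microsoft RSA SChannel Cryptographic Provider' `
    -KeyExportPolicy Exportable -NotAfter (Get-Date).AddYears(10)
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password | Out-Null

# 2. Hypothetical helper: report which API/provider backs the private key in a pfx.
#    Which branch is taken depends on the PowerShell/.NET version; the provider
#    name is what matters for the check below.
function Get-PfxKeyProvider {
    param([string]$Path, [securestring]$Pwd)
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
    $c = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path, $Pwd, $flags)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($c)
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Legacy CryptoAPI (CSP) key: provider name lives in the container info
        return [pscustomobject]@{ Api = 'CAPI'; Provider = $rsa.CspKeyContainerInfo.ProviderName }
    }
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG handle: provider name comes from the underlying CngKey
        return [pscustomobject]@{ Api = 'CNG'; Provider = $rsa.Key.Provider.Provider }
    }
    return [pscustomobject]@{ Api = 'unknown'; Provider = $rsa.GetType().FullName }
}

$info = Get-PfxKeyProvider -Path $PfxPath -Pwd $Password
Write-Host "PFX private key: $($info.Api) / $($info.Provider)"
if ($info.Provider -ne 'Microsoft RSA SChannel Cryptographic Provider') {
    # Fail early with a clear reason instead of the cmdlet's "Invalid provider type specified"
    throw "Key provider is '$($info.Provider)'; regenerate the keypair with -Provider set as above."
}

# 3. Import the key. Double quotes so $KeyVaultName expands; single quotes would
#    pass the literal text '$KeyVaultName' as the vault name.
Add-AzKeyVaultKey -VaultName "$KeyVaultName" -Name 'as2-demo-private-key' `
    -Destination 'Software' -KeyFilePath $PfxPath -KeyFilePassword $Password
```

Run Get-PfxKeyProvider on an existing pfx that fails to import to see its provider name before regenerating anything.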