I am trying to create a k8s tls secret (data and key) using a pfx certificate that I would like to retrieve from Azure Key Vault using Azure CLI. It doesn't work because Azure downloads the public part (certificate) and the secret part (key) separately, and then creating the k8s secret fails. Here's my script.
cert_key=cert.key
cert_pem=cert.pem
cert_pfx=cert.pfx
keyvault_name=akv_name
cert_name=akv_cert_name
secret_name=cert_pw_secret
#Get the password of the pfx certificate
secret_value=$(az keyvault secret show --name $secret_name --vault-name $keyvault_name -o tsv --query value)
#Download the secret
az keyvault secret download --file $cert_key --name $cert_name --vault-name $keyvault_name
#Download the public part of the certificate
az keyvault certificate download --file $cert_pfx --name $cert_name --vault-name $keyvault_name
#Convert pfx to pem using openssl
#This will return an error:
#139728379422608:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1239:
#139728379422608:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:405:Type=PKCS12
openssl pkcs12 -in $cert_pfx -clcerts -nokeys -out $cert_pem -password pass:$secret_value
#Convert pfx to key using openssl
#This will return an error:
#140546015532944:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1239:
#140546015532944:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:405:Type=PKCS12
openssl pkcs12 -in $cert_pfx -nocerts -out $cert_key -password pass:$secret_value
#Create the k8s secret
kubectl create secret tls secret-ssl --cert=$cert_pem --key=$cert_key
Any idea why it's not working?
Thanks in advance
I tried to reproduce the issue in my environment and got the below results
I have created the RG & KV and secrets
az keyvault create -n kv_name -g RG_name
az keyvault secret set --vault-name kv_name --name secret_name --value "value"
I have added the policies to access the secrets
We can find the SPN id in Active Directory by creating it with the key vault
az keyvault set-policy -n <kv-name> --spn <spn-id> --secret-permissions get
Added the certificate using below command
az keyvault certificate create --vault-name <kv-name> --name <cert-name> -p "$(az keyvault certificate get-default-policy -o json)"
I have added the policies to access the certificates
az keyvault set-policy -n <kv-name> --spn <spn-id> --certificate-permissions get
I have generated the private key using below command
openssl genrsa 2048 > private-key.key
Generated the certificate and converted the file into .pfx
openssl req -new -x509 -nodes -sha256 -days 365 -key private-key.key -out certificate.cert
openssl pkcs12 -export -out certificate.pfx -inkey private-key.key -in certificate.cert
Encoded the string and stored it as a secret in Azure Key Vault. I used the PowerShell commands below to convert the .pfx file.
$fileContentBytes = Get-Content 'certificate.pfx' -AsByteStream
[System.Convert]::ToBase64String($fileContentBytes) | Out-File 'pfx-encoded-bytes.pem'
The secret needs to have the content type set to "application/x-pkcs12" to tell Azure Key Vault that it is in PKCS file format.
az keyvault secret set --vault-name <kv-name> --name <secret-name> --file pfx-encoded-bytes.pem --description "application/x-pkcs12"
Downloaded the certificate using below command
az keyvault certificate download --file certificate1.pem --name my-certificate --vault-name komali-test
Converted the pfx to pem using openssl
openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out certificate.pem -password pass:123
I have converted .pfx to key using openssl
openssl pkcs12 -in certificate.pfx -nocerts -out private-key.key -password pass:XXXX
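An added example script (not code from the question or the answer) that shows the flow the question was after: pull the full PFX from the certificate's backing secret in Key Vault, check that it is really PKCS#12 rather than the PEM that az keyvault certificate download returns, split it with openssl, verify the pair, and create the k8s tls secret. It assumes az, openssl and kubectl are installed and logged in, that the Key Vault PFX has an empty password (set PFX_PASSWORD otherwise), and the function names are my own.

```shell
#!/usr/bin/env bash
# Added example (not the question's or the answer's code). Assumes az, openssl and kubectl on PATH.
set -eu

# 0 if the file is PEM text (what `az keyvault certificate download` produces),
# 1 if it looks like binary PKCS#12. Feeding PEM to `openssl pkcs12` is what produces
# the "wrong tag ... Type=PKCS12" error shown in the question.
file_is_pem() {
    head -c 16 "$1" | grep -q -- '-----BEGIN'
}

# In Key Vault the certificate's private key lives in a secret with the same name,
# stored as base64 PKCS#12; --encoding base64 decodes it on the way down.
kv_fetch_pfx() {
    local vault="$1" cert="$2" out="$3"
    az keyvault secret download --vault-name "$vault" --name "$cert" \
        --encoding base64 --file "$out"
    if file_is_pem "$out"; then
        echo "$out is PEM, not PKCS#12; check the secret's content type" >&2
        return 1
    fi
}

# Split into cert chain and unencrypted key (-nodes: kubectl tls secrets need a plain key).
# Key Vault exports its PFX with an empty password; set PFX_PASSWORD if yours differs.
pfx_split() {
    local pfx="$1" cert_pem="$2" key_pem="$3" pw="${PFX_PASSWORD:-}"
    umask 077   # the key file must never be world-readable
    openssl pkcs12 -in "$pfx" -clcerts -nokeys -out "$cert_pem" -passin "pass:$pw"
    openssl pkcs12 -in "$pfx" -nocerts -nodes -out "$key_pem" -passin "pass:$pw"
}

# Refuse to create the secret unless the certificate and key actually belong together.
pair_matches() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

main() {
    local vault="$1" cert="$2" k8s_secret="$3" work
    work=$(mktemp -d) && trap 'rm -rf "$work"' EXIT
    kv_fetch_pfx "$vault" "$cert" "$work/cert.pfx"
    pfx_split "$work/cert.pfx" "$work/cert.pem" "$work/cert.key"
    pair_matches "$work/cert.pem" "$work/cert.key" || { echo "cert/key mismatch" >&2; exit 1; }
    kubectl create secret tls "$k8s_secret" --cert="$work/cert.pem" --key="$work/cert.key"
}

# Usage: ./kv-to-tls.sh <vault-name> <cert-name> <k8s-secret-name>
if [ "$#" -eq 3 ]; then main "$@"; fi
```

The temporary directory holding the extracted key is removed on exit, so the private key never lingers on disk after the secret is created.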