Tags: azure, terraform, azure-keyvault, terraform-provider-azure

Can azurerm_key_vault_certificate set a password on a certificate when generating a new one?


I ran into an issue generating self-signed certificates via the Azure Key Vault where it wasn't possible to add a Subject Alternate Name at the time of creation.

To work around that I tried to create the keys via the azurerm terraform provider. The keys generate successfully but don't have a password.

From what I can see on the documentation for azurerm_key_vault_certificate here a password value can only be added in a certificate block, which is only used when importing a certificate.

I feel a bit stuck between not being able to create a certificate with a SAN via the portal and not being able to create a certificate with an encryption password via terraform. Am I missing something?


Solution

  • Can azurerm_key_vault_certificate set a password on a certificate when generating a new one?

    While generating a certificate in Azure Key Vault, you cannot set a password. In Terraform, to create a new certificate, you have to use the certificate_policy argument in the azurerm_key_vault_certificate resource, which doesn't have a password parameter; setting a password is only supported for importing a certificate.

    I ran into an issue generating self-signed certificates via the Azure Key Vault where it wasn't possible to add a Subject Alternate Name at the time of creation.

    I used the following Terraform code to generate a certificate with a Subject Alternative Name in Azure Key Vault:

    resource "azurerm_key_vault_certificate" "kvcert01" {
      name         = "kvcertvjy"
      # Key Vault is looked up via a data source declared elsewhere in the configuration
      key_vault_id = data.azurerm_key_vault.kvkisdujfgweuvjy.id
    
      certificate_policy {
        issuer_parameters {
          name = "Self"       # for self-signed certificates
        }
    
        key_properties {
          exportable = true
          key_size   = 2048
          key_type   = "RSA"
          reuse_key  = true
        }
    
        lifetime_action {
          action {
            action_type = "AutoRenew"
          }
    
          trigger {
            days_before_expiry = 30
          }
        }
    
        secret_properties {
          content_type = "application/x-pkcs12"
        }
    
        x509_certificate_properties {
          # Server Authentication = 1.3.6.1.5.5.7.3.1
          # Client Authentication = 1.3.6.1.5.5.7.3.2
          extended_key_usage = ["1.3.6.1.5.5.7.3.1"]
    
          # Key usages requested for the certificate; keyCertSign and cRLSign are
          # CA-style usages and can be dropped for a plain server certificate
          key_usage = [
            "cRLSign",
            "dataEncipherment",
            "digitalSignature",
            "keyAgreement",
            "keyCertSign",
            "keyEncipherment",
          ]
    
          subject_alternative_names {
            dns_names = ["portal.contoso.com", "terraform.hello.world"]
          }
    
          subject            = "CN=hello-world-terraform"
          validity_in_months = 12
        }
      }
    }
    

    Terraform output: https://i.imgur.com/P0ZO9Cw.png Verify in portal: (screenshot)

    I feel a bit stuck between not being able to create a certificate with a SAN via the portal and not being able to create a certificate with an encryption password via terraform. Am I missing something?

    You can create a certificate with a SAN in the portal by setting DNS names, following the steps shown in the screenshot below. (screenshot)

    Verify the certificate: (screenshot)
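For contrast with the generate path above, here is what the import path looks like, since the `certificate` block is the only place the resource accepts a password. This is an added example, not code from the question or the answer; the data source name, file path and variable name are placeholders, and it assumes a provider version in which `certificate_policy` is optional when `certificate` is supplied.

```hcl
# Added example: importing an existing, password-protected PKCS#12 bundle.
# Key Vault does not put a password on PFX material it generates itself, so
# the only password the provider honours is the one used to read an import.
variable "pfx_password" {
  type      = string
  sensitive = true   # keeps the value out of plan/apply output and logs
}

resource "azurerm_key_vault_certificate" "imported" {
  name         = "imported-cert"               # placeholder name
  key_vault_id = data.azurerm_key_vault.kv.id  # assumed data source

  certificate {
    # Placeholder path; the file must be a PKCS#12 bundle holding cert + key
    contents = filebase64("${path.module}/certs/server.pfx")
    password = var.pfx_password   # used to unlock the import only
  }
}

# The secret_id points at the stored PFX, which Key Vault serves unencrypted
# (base64, no password) to any principal with secrets/get permission.
output "imported_cert_secret_id" {
  value = azurerm_key_vault_certificate.imported.secret_id
}
```

Because the stored PFX carries no password, access control on the vault's secrets permission is what protects the private key, not the import password.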