
I am trying to define an ARM template for my resource group. Ultimately I'm trying to replicate what I have to do manually by navigating to the SSL certificates tab for an App Service within the portal.

I've uploaded a PFX file to the Secrets tab of my KeyVault. I've granted Get access to the global RM service principal.

At the moment this is what my Microsoft.Web/certificates resource looks like in my template. It is just defined as a resource at the top level of the resource group, and not as a sub-resource of a website or anything like that:

    {
      "type": "Microsoft.Web/certificates",
      "name": "signingCredentials",
      "location": "[parameters('region')]",
      "apiVersion": "2015-08-01",
      "properties": {
        "keyVaultId": "<My KeyVault ID>",
        "keyVaultSecretName": "<My Secret Name>"
      }
    }

When I attempt to deploy this template I receive the message:

The parameter KeyVault Certificate has an invalid value

I haven't been able to find any documentation on this parameter and what value it would be expecting. I'm assuming it's missing from the properties section in the resource. So far anything I've found on the subject only references keyVaultId and keyVaultSecretName.

What am I doing wrong? Is what I'm trying to accomplish even possible?


2 Answers


The parameter KeyVault Certificate has an invalid value

It seems that this issue is not caused by your template. We can refer to this article to check it. From the error message, it shows me that the certificate name is incorrect. We can use Get-AzureKeyVaultSecret to get its name. The following are the details:

[screenshot omitted]

As the screenshot above shows, the value "kvcertificate" is the value we expected.


1 Comment

Jambor, unfortunately that does not seem to be the case. The issue appears to be with certificates that I upload through the portal UI. If I upload the file through a PowerShell script it works.

The problem does not appear to be caused by my template, but something with how the certificate was uploaded to the KeyVault through the UI. This article provided me with a script to upload the file directly to the KeyVault using PowerShell.

    # Read the PFX from disk and import it with the Exportable flag so it can be re-exported below.
    # ($pwd in the original is PowerShell's automatic current-directory variable, so it is renamed here.)
    $pfxFilePath = "F:\KeyVault\PrivateCertificate.pfx"
    $pfxPassword = "[2+)t^BgfYZ2C0WAu__gw["
    $flag = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
    $collection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $collection.Import($pfxFilePath, $pfxPassword, $flag)

    # Re-export as PKCS#12 (no password) and base64-encode the bytes so they can be stored as a secret value
    $pkcs12ContentType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12
    $clearBytes = $collection.Export($pkcs12ContentType)
    $fileContentEncoded = [System.Convert]::ToBase64String($clearBytes)

    # Store the encoded PFX in Key Vault, tagged with the PKCS#12 content type App Service expects
    $secret = ConvertTo-SecureString -String $fileContentEncoded -AsPlainText -Force
    $secretContentType = 'application/x-pkcs12'
    Set-AzureKeyVaultSecret -VaultName akurmitestvault -Name keyVaultCert -SecretValue $secret -ContentType $secretContentType # Change the Key Vault name and secret name

Using the Get-AzureKeyVault script from Jambor's answer, I am unable to see any difference between this and the certificate uploaded in the UI. I even changed the content type of my uploaded certificate from Certificate to application/x-pcks2 and it still did not work. Seems like it might possibly be a bug in the UI, or just a difference in how the PowerShell script handles it.

2 Comments

I tried this solution and I'm still getting the same error message. I'm trying to use a self-signed cert that I created via PS>New-SelfSignedCertificate, but I wouldn't think that would cause an issue.
If you create a certificate directly from key vault in the Portal, make sure you select the PKCS#12 version (not PEM); this answer pointed me in the right direction, thanks.
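The two answers and the comments all come down to the same pre-deployment question: does the Key Vault secret actually hold what Microsoft.Web/certificates expects, namely a base64-encoded PKCS#12 blob (not PEM) with content type application/x-pkcs12? The script below is an added example, not code from the question, the answers or the linked article. It uses the same AzureRM-era Key Vault cmdlet the answers use (Get-AzureKeyVaultSecret) and assumes an already authenticated session; the vault and secret names are placeholders. It fetches the secret, checks the content type, base64-decodes the value, parses it as PKCS#12 and confirms a certificate with a private key is present, so a wrongly uploaded secret is caught before the ARM deployment fails with the generic "invalid value" message.

```powershell
# Added example (not from the question or answers): verify that a Key Vault
# secret holds what Microsoft.Web/certificates expects - a base64-encoded
# PKCS#12 blob tagged application/x-pkcs12 - before deploying the template.
# Assumes the AzureRM-era Key Vault cmdlets used on this page and an
# authenticated session. Vault and secret names below are placeholders.
param(
    [string]$VaultName  = '<your-vault-name>',
    [string]$SecretName = '<your-secret-name>'
)

$secret = Get-AzureKeyVaultSecret -VaultName $VaultName -Name $SecretName
if (-not $secret) { throw "Secret '$SecretName' not found in vault '$VaultName'." }

# 1. Content type: the upload script in the second answer sets this explicitly;
#    a secret created another way may carry a different or empty content type.
if ($secret.ContentType -ne 'application/x-pkcs12') {
    Write-Warning "ContentType is '$($secret.ContentType)', expected 'application/x-pkcs12'."
}

# 2. Decode the SecureString value and free the unmanaged copy as soon as possible.
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secret.SecretValue)
try {
    $base64 = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}

try {
    $pfxBytes = [Convert]::FromBase64String($base64)
} catch {
    throw 'Secret value is not valid base64; the PFX must be stored base64-encoded.'
}

# 3. Parse as PKCS#12. The upload script exports the collection without a
#    password, so an empty password is used here. A PEM-format certificate or
#    a non-PKCS#12 upload fails at this step with a CryptographicException.
$collection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$storageFlags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
try {
    $collection.Import($pfxBytes, $null, $storageFlags)
} catch {
    throw "Secret does not decode to a PKCS#12 blob: $($_.Exception.Message)"
}

# 4. App Service needs the private key, so require at least one certificate that carries it.
$leaf = $collection | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
if (-not $leaf) { throw 'PKCS#12 blob contains no certificate with a private key.' }

# Summary a practitioner can compare against the certificate the portal shows.
[pscustomobject]@{
    Subject     = $leaf.Subject
    Thumbprint  = $leaf.Thumbprint
    NotAfter    = $leaf.NotAfter
    Expired     = ($leaf.NotAfter -lt (Get-Date))
    ContentType = $secret.ContentType
}
```

Run it as `.\Check-KeyVaultPfx.ps1 -VaultName <vault> -SecretName <secret>` (the file name is arbitrary). A secret that passes all four checks matches the shape produced by the upload script in the second answer; one that fails at step 3 is the PEM-versus-PKCS#12 mismatch described in the last comment.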
