
Az >12.1.0 - Az.KeyVault - Import-AzKeyVaultCertificate - Import of .p7b files has been broken

Open nickwb opened this issue 1 year ago • 7 comments

Description

Hi @BethanyZhou,

There appears to be a regression in relation to this PR: https://github.com/Azure/azure-powershell/pull/25333, and this issue: https://github.com/Azure/azure-powershell/issues/24323

Specifically, the Az.KeyVault module previously supported certificate import, via Import-AzKeyVaultCertificate, of a PKCS7 .p7b file.

However, the new code in ImportAzureKeyVaultCertificate.GetEnumerableBytes seems to assume PEM format, as it is expecting the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, which are not present in PKCS7. Instead, -----BEGIN PKCS7----- and -----END PKCS7----- are expected.

Issue script & Debug output

Import-AzKeyVaultCertificate -VaultName somevault -Name somecert -FilePath somefile.p7b

Environment data

Name                           Value
----                           -----
PSVersion                      7.4.4
PSEdition                      Core
GitCommitId                    7.4.4
OS                             Ubuntu 22.04.4 LTS
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Module versions

Using the Github Azure/powershell@v1 action:

{
  "Success": "true",
  "AzVersion": "12.1.0"
}

Error output

Import-AzKeyVaultCertificate: /path/to.ps1:136
Line |
 136 |      Import-AzKeyVaultCertificate -VaultName $Vault -Name $($PSKeyVaul …
     |      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | X5C must have at least one valid item  Status: 400 (Bad Request)
     | ErrorCode: BadParameter  Content:
     | {"error":{"code":"BadParameter","message":"X5C must have at least one
     | valid item\r\n"}}  Headers: Cache-Control: no-cache Pragma: no-cache
     | x-ms-keyvault-region: australiaeast x-ms-client-request-id:
     | 19237a88-00ac-485a-b9ed-0c1a483c487f x-ms-request-id:
     | 42fa87c0-9848-4d06-8209-60a0fa130f38 x-ms-keyvault-service-version:
     | 1.9.1652.1 x-ms-keyvault-network-info:
     | conn_type=Ipv4;addr=172.177.75.81;act_addr_fam=InterNetwork;
     | X-Content-Type-Options: REDACTED Strict-Transport-Security: REDACTED
     | Date: Mon, 19 Aug 2024 01:28:45 GMT Content-Length: 87 Content-Type:
     | application/json; charset=utf-8 Expires: -1

nickwb avatar Aug 19 '24 02:08 nickwb

Hi @nickwb, thanks for reporting this. Tracking this issue now.

BethanyZhou avatar Aug 19 '24 02:08 BethanyZhou

Hi @nickwb,

  • Did your p7b file contain private keys? If not, Import-AzKeyVaultCertificate will consider this operation a merge operation. This regex is used only for the merge operation, so could you first confirm whether it is a merge operation?
  • Could you provide a p7b sample file for debugging purposes?

BethanyZhou avatar Aug 22 '24 02:08 BethanyZhou

Hi @BethanyZhou,

No, we are using public keys/certs only. No private key material.

I believe it is considered a merge, because the private key is already in KeyVault, but the signed certificates are not.

Our process is:

  1. Use KeyVault to generate the key-pair
  2. Use KeyVault to generate a certificate signing request
  3. Sign the certificate using ACME protocol (letsencrypt)
  4. Merge signed certificate back to KeyVault, including its full trust chain

We started using .p7b because Import-AzKeyVaultCertificate only supported single certificates when importing from PEM, rather than the entire trust chain. When we hit this issue originally, Microsoft support advised us to use .p7b.

As an aside, I am interested if it is now possible to import multiple certificates as PEM in a single file?

I have a test certificate .p7b you can use that has been signed using the process. Is there a way I can send it to you without posting it here publicly? I don't want to broadcast which domains I'm in control of.

nickwb avatar Aug 22 '24 05:08 nickwb

Hi @nickwb, Import-AzKeyVaultCertificate only supports merging multiple certificates as PEM in a single file now. That's why we raised the PR you mentioned in the description section.

Please try to use a PEM file to work around this issue, and let me know if this works for you. We need to discuss with the Key Vault team to decide whether we need to support p7b files for the merge operation.

Note: do not use the old Az.KeyVault to work around this issue, because the content sent to the service is read in the wrong way. The certificate should not work even if no error is thrown, per my understanding.

BethanyZhou avatar Aug 22 '24 06:08 BethanyZhou

Hi @BethanyZhou - yes, we will try with PEM, I will let you know how it goes.

I will note that .p7b is still working correctly in Az 12.0.0 - We have temporarily pinned our existing automation to this version, and it is working currently.

nickwb avatar Aug 22 '24 07:08 nickwb

Hi @nickwb, Import-AzKeyVaultCertificate only supports merging multiple certificates as PEM in a single file now. That's why we raised the PR you mentioned in the description section.

Please try to use a PEM file to work around this issue, and let me know if this works for you. We need to discuss with the Key Vault team to decide whether we need to support p7b files for the merge operation.

Note: do not use the old Az.KeyVault to work around this issue, because the content sent to the service is read in the wrong way. The certificate should not work even if no error is thrown, per my understanding.

If p7b is no longer used how will people merge the full chain? According to Microsoft's own documentation, only .p7b files will merge the full chain certificate.

https://learn.microsoft.com/en-us/azure/key-vault/certificates/create-certificate-signing-request?tabs=azure-portal#faqs

Elsewhere it also explicitly states that P7B (PKCS#7) formats are supported for merge CSR. So, is the documentation wrong, or is this a bug?

https://learn.microsoft.com/en-us/azure/key-vault/certificates/certificate-scenarios#formats-of-merge-csr-we-support

js10ah avatar Feb 12 '25 15:02 js10ah

Hi @BethanyZhou,

I finally got around to resolving this issue on my end. Sorry for the long delay.

Here are my findings, which are accurate as of Az 14.1.0.

  • The use of .p7b files is indeed still broken, but I have a suitable workaround:
  • Use the latest Import-AzKeyVaultCertificate; you can provide it with a PEM file that contains multiple certificates.
  • If unsure, your file should contain multiple -----BEGIN CERTIFICATE-----, -----END CERTIFICATE----- blocks, one for each certificate.
  • Do not use .pem as a file extension. Use anything else, .crt for example. There is some weird logic that will prevent Import-AzKeyVaultCertificate from doing a merge operation if the extension is .pem.
  • Some older versions of the Az.KeyVault modules are still working correctly, but I believe they are using an older (pre api-version=7.4) version of the REST API. As best as I can tell, the new API simply does not support PKCS7.

Just to clarify my specific scenario: I am re-issuing certificates (i.e., new expiry dates) without changing the key material. So I specifically need Import-AzKeyVaultCertificate to perform a merge and not an import (as I am not supplying key material in my PEM file).

As @js10ah points out, the documentation still mentions .p7b, which is not correct for the latest version of the REST API. (CC: @msmbaldwin - From the Git history it looks like you do some of the maintenance of the documentation in this space)

nickwb avatar Jun 03 '25 07:06 nickwb
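The two practical points in this thread are (a) the cmdlet's merge path now expects `-----BEGIN CERTIFICATE-----` / `-----END CERTIFICATE-----` blocks rather than PKCS#7, and (b) the workaround is a multi-certificate PEM saved under an extension other than `.pem`. The script below is an added example, not code from the azure-powershell project or from any participant in this issue: it classifies a bundle file by format and, for a `.p7b`, rewrites it as a PEM chain with a `.crt` extension ready for a merge. It assumes PowerShell 7 with .NET's `System.Security.Cryptography.X509Certificates` types; the function names, vault name, certificate name and file paths are placeholders of my own.

```powershell
# Added example (not part of the azure-powershell project). Assumes PowerShell 7+;
# the vault/certificate names and paths in the usage lines are placeholders.

function Get-CertificateBundleFormat {
    # Classifies a certificate file as PEM-PKCS7, PEM-CERTIFICATES(n), DER or UNKNOWN.
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)

    # A PEM-encoded PKCS#7 bundle uses PKCS7 armor, which the merge regex does not accept.
    if ($text -match '-----BEGIN PKCS7-----') { return 'PEM-PKCS7' }

    # Count the CERTIFICATE blocks; a chain must contain more than one.
    $certBlocks = ([regex]::Matches($text, '-----BEGIN CERTIFICATE-----')).Count
    if ($certBlocks -gt 0) { return "PEM-CERTIFICATES($certBlocks)" }

    # Binary DER / PKCS#7 files begin with an ASN.1 SEQUENCE tag (0x30).
    if ($bytes.Length -gt 0 -and $bytes[0] -eq 0x30) { return 'DER' }
    return 'UNKNOWN'
}

function ConvertTo-PemChain {
    # Reads any bundle .NET understands (DER, PEM, PKCS#7/.p7b) and writes every
    # certificate it contains as a CERTIFICATE block, preserving the bundle's order.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$OutputPath
    )

    # Per the thread, a .pem extension stops the cmdlet from treating the file as a merge.
    if ([System.IO.Path]::GetExtension($OutputPath) -ieq '.pem') {
        throw 'Use an extension other than .pem (for example .crt) so the cmdlet performs a merge.'
    }

    $collection = [System.Security.Cryptography.X509Certificates.X509Certificate2Collection]::new()
    $collection.Import($Path)
    if ($collection.Count -eq 0) { throw "No certificates found in $Path" }

    $sb = [System.Text.StringBuilder]::new()
    foreach ($cert in $collection) {
        if ($cert.HasPrivateKey) {
            # Only public certificates belong in a merge; refuse rather than leak key material.
            throw "Certificate $($cert.Subject) carries a private key; a merge bundle must not."
        }
        $b64 = [Convert]::ToBase64String($cert.RawData)
        [void]$sb.AppendLine('-----BEGIN CERTIFICATE-----')
        # Wrap the base64 body at 64 characters, the conventional PEM line length.
        for ($i = 0; $i -lt $b64.Length; $i += 64) {
            $len = [Math]::Min(64, $b64.Length - $i)
            [void]$sb.AppendLine($b64.Substring($i, $len))
        }
        [void]$sb.AppendLine('-----END CERTIFICATE-----')
        Write-Verbose ('Included {0} (expires {1:u})' -f $cert.Subject, $cert.NotAfter)
    }

    [System.IO.File]::WriteAllText($OutputPath, $sb.ToString())
    return $collection.Count
}

# Usage (placeholder names):
#   Get-CertificateBundleFormat -Path ./signed-chain.p7b            # DER for a binary .p7b
#   ConvertTo-PemChain -Path ./signed-chain.p7b -OutputPath ./signed-chain.crt -Verbose
#   Get-CertificateBundleFormat -Path ./signed-chain.crt            # PEM-CERTIFICATES(n)
#   Import-AzKeyVaultCertificate -VaultName somevault -Name somecert -FilePath ./signed-chain.crt
```

Run the conversion with `-Verbose` and compare the listed subjects against the chain you expect before merging; the order written is the order stored in the bundle, so the verbose output is where a missing intermediate or a stray root would show up.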