
[BUG]Failed to download PEM certificate from azure.keyvault with failure "The provided key does not match the public key for this certificate"

Open cdlliuy opened this issue 2 months ago • 1 comments

Library name and version

Azure.Security.KeyVault.Certificates 4.6.0; Azure.Core 1.40.0; Azure.Identity 1.11.4

Describe the bug

When using CertificateClient to download a certificate with client.DownloadCertificateAsync(certname) for a PEM-format cert in Azure Key Vault, I got this exception:


System.Reflection.TargetInvocationException
  HResult=0x80131604
  Message=Exception has been thrown by the target of an invocation.
  Source=System.Private.CoreLib
  StackTrace:
   at System.Reflection.MethodBaseInvoker.InvokeWithFewArgs(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at System.Reflection.MethodBase.Invoke(Object obj, Object[] parameters)
   at Azure.Core.PemReader.CreateRsaCertificate(Byte[] cer, Byte[] key, X509KeyStorageFlags keyStorageFlags)
   at Azure.Core.PemReader.LoadCertificate(ReadOnlySpan`1 data, Byte[] cer, KeyType keyType, Boolean allowCertificateOnly, X509KeyStorageFlags keyStorageFlags)
   at Azure.Security.KeyVault.Certificates.CertificateClient.<DownloadCertificateAsync>d__19.MoveNext()
   at Azure.Security.KeyVault.Certificates.CertificateClient.<DownloadCertificateAsync>d__18.MoveNext()
 ..

  This exception was originally thrown at this call stack:
    [External Code]

Inner Exception 1:
ArgumentException: The provided key does not match the public key for this certificate. (Parameter 'privateKey')

For the cert itself, it is automatically generated by Azure Key Vault. When generating the cert with PKCS#12, the DownloadCertificate function works correctly. But when generating with PEM by just changing the content type to PEM as below, the same code failed.

I read the code of DownloadCertificate. It looks like it already has specific handling for the PEM format.
Anything wrong here?

Expected behavior

see above description

Actual behavior

see above description

Reproduction Steps

  1. Register a domain in the One-Cert system with the private AME issuer only.
  2. Generate a cert for this domain in PEM format.
  3. Call the DownloadCertificate function.

Environment

No response

cdlliuy avatar Jun 16 '24 04:06 cdlliuy
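An added diagnostic for the mismatch reported above, written for this page and not part of the issue or of the Azure SDK: given the raw PEM bundle behind a Key Vault certificate (fetching it with SecretClient is assumed and left out), it reports which CERTIFICATE block in the bundle actually pairs with the PRIVATE KEY block by comparing RSA moduli, the same check that produces the "provided key does not match" error. PemPairCheck and Check are hypothetical names; the sample bundle is not included, so pass your own PEM text.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper (added example): for each CERTIFICATE block in a PEM
// bundle, say whether its RSA public key belongs to the bundle's private key.
public static class PemPairCheck
{
    public static List<(int Index, string Subject, bool MatchesKey)> Check(string pemBundle)
    {
        // ImportFromPem reads the PRIVATE KEY / RSA PRIVATE KEY block and
        // ignores CERTIFICATE blocks, so the whole bundle can be passed.
        using RSA privateKey = RSA.Create();
        privateKey.ImportFromPem(pemBundle);
        byte[] privateModulus = privateKey.ExportParameters(false).Modulus;

        var results = new List<(int, string, bool)>();
        ReadOnlySpan<char> remaining = pemBundle;
        int index = 0;

        // Walk every PEM block in order; a bundle may hold leaf and chain certs.
        while (PemEncoding.TryFind(remaining, out PemFields fields))
        {
            if (remaining[fields.Label].SequenceEqual("CERTIFICATE"))
            {
                byte[] der = Convert.FromBase64String(remaining[fields.Base64Data].ToString());
                using var cert = new X509Certificate2(der);
                using RSA pub = cert.GetRSAPublicKey();   // null for non-RSA certs

                // Matching RSA key pair <=> same modulus; compare in constant time.
                bool matches = pub != null && CryptographicOperations.FixedTimeEquals(
                    pub.ExportParameters(false).Modulus, privateModulus);

                results.Add((index, cert.Subject, matches));
                index++;
            }
            remaining = remaining.Slice(fields.Location.End.Value);
        }
        return results;
    }
}
```

If no entry reports MatchesKey == true, the bundle's key and certificate were not issued together and the SDK's ArgumentException is expected; if only a non-first certificate matches, the bundle's block order is what trips the loader.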