Export Azure SSL certificate as pfx file

azure ssl-certificate azure-web-app-service

16,709

You can create a local PFX copy of Azure App Service Certificate using PowerShell.

Provide appropriate values from the following variables and save the script as copyasc.ps1.

Variables:

$appServiceCertificateName = "ascdemo"
$resourceGroupName = "ascdemorg"
$azureLoginEmailId = "[email protected]"
$subscriptionId = "fb2c25dc-6bab-45c4-8cc9-cece7c42a95a"

copyasc.ps1:

$appServiceCertificateName = ""
$resourceGroupName = ""
$azureLoginEmailId = ""
$subscriptionId = ""

Login-AzureRmAccount
Set-AzureRmContext -SubscriptionId $subscriptionId

$ascResource = Get-AzureRmResource -ResourceName $appServiceCertificateName -ResourceGroupName $resourceGroupName -ResourceType "Microsoft.CertificateRegistration/certificateOrders" -ApiVersion "2015-08-01"
$keyVaultId = ""
$keyVaultSecretName = ""

$certificateProperties=Get-Member -InputObject $ascResource.Properties.certificates[0] -MemberType NoteProperty
$certificateName = $certificateProperties[0].Name
$keyVaultId = $ascResource.Properties.certificates[0].$certificateName.KeyVaultId
$keyVaultSecretName = $ascResource.Properties.certificates[0].$certificateName.KeyVaultSecretName

$keyVaultIdParts = $keyVaultId.Split("/")
$keyVaultName = $keyVaultIdParts[$keyVaultIdParts.Length - 1]
$keyVaultResourceGroupName = $keyVaultIdParts[$keyVaultIdParts.Length - 5]
Set-AzureRmKeyVaultAccessPolicy -ResourceGroupName $keyVaultResourceGroupName -VaultName $keyVaultName -UserPrincipalName $azureLoginEmailId -PermissionsToSecrets get
$secret = Get-AzureKeyVaultSecret -VaultName $keyVaultName -Name $keyVaultSecretName
$pfxCertObject=New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @([Convert]::FromBase64String($secret.SecretValueText),"", [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
$pfxPassword = -join ((65..90) + (97..122) + (48..57) | Get-Random -Count 50 | % {[char]$_})
$currentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
[Environment]::CurrentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
[io.file]::WriteAllBytes(".\appservicecertificate.pfx", $pfxCertObject.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $pfxPassword))
Write-Host "Created an App Service Certificate copy at: $currentDirectory\appservicecertificate.pfx"
Write-Warning "For security reasons, do not store the PFX password. Use it directly from the console as required."
Write-Host "PFX password: $pfxPassword"

Type the following commands in PowerShell console to execute the script:

Powershell –ExecutionPolicy Bypass
.\copyasc.ps1

You can find more details on Azure App Service Team Blog Creating a local PFX copy of App Service Certificate

If you have an App Service Certificate that you would like to use outside of Azure App Service ecosystem, then give this a try and let us know how it goes. If you run into any issues, please let us know on the Stackoverflow or on the Azure App Service forum.

16,709

Author by

Nik

Updated on June 14, 2022

Comments

Nik almost 2 years

I purchased a wild card certificate from azure. It sits right now in the Key Vault. I need to upload it to our other server which hosts one of our other applications for the same domain. There is no option to export the certificate as a .pfx file anywhere in azure portal.

Please help.
LarryBud over 5 years

C'mon guys, make this a one button export.
Tasos K. about 5 years

Steps I needed to run locally: 1. Set-ExecutionPolicy RemoteSigned, 2. Install-Module AzureRM -AllowClobber (not sure -AllowClobber is necessary though), 3. Import-Module AzureRM, 4. Run Dimitry's script. Hope this helps others. When done, consider changing back to your original execution policy for security concerns