Using Powershell And Azure Key Vault To Deploy Certificates

Posted on Thu 01 December 2016 in Azure • 2 min read

The steps for this are quite easy after you've actually tinkered with it and hashed out all the gotchas.

  1. Create the Key Vault
  2. Upload your certificate
  3. Deploy the certificate to VMs

So let's get started!

First of all you'll need a Key Vault to put your certificates in and a certificate in the vault:

PS C:\Users\Olaf> $KeyVaultName = "FancyKeyVaultName"
PS C:\Users\Olaf> $ResourceGroup = "FancyKeyVaultName-Rg"
PS C:\Users\Olaf> $Location = "westeurope"
PS C:\Users\Olaf> $CertName = "FancyNameForTheCertificate"
PS C:\Users\Olaf> $CertPassword = ConvertTo-SecureString -String "qwerty1234" -Force -AsPlainText
PS C:\Users\Olaf> $CertPath = "FancyCertificateName.pfx"


PS C:\Users\Olaf> New-AzureRmResourceGroup -Name $ResourceGroup -Location $Location
PS C:\Users\Olaf> New-AzureRmKeyVault -VaultName $KeyVaultName -ResourceGroupName $ResourceGroup -Location $Location -sku standard -EnabledForDeployment

PS C:\Users\Olaf> Import-AzureKeyVaultCertificate -VaultName $KeyVaultName -Name $CertName -FilePath $CertPath -Password $CertPassword

Name        : FancyNameForTheCertificate
Certificate : [Subject]
                CN=*.fancyname.com

              [Issuer]
                CN=Gator Class 2 CA 2, O=Gator-2345676543, C=COM

              [Serial Number]
                08235635480756

              [Not Before]
                27.10.2016 13.19.15

              [Not After]
                27.10.2019 23.59.00

              [Thumbprint]
                2k35jhk644526jh4ly5j

Id          : https://fancykeyvaultname.vault.azure.net:443/certificates/FancyNameForTheCertificate/khjk234234k4h2423kh235l23
KeyId       : https://fancykeyvaultname.vault.azure.net:443/keys/FancyNameForTheCertificate/khjk234234k4h2423kh235l23
SecretId    : https://fancykeyvaultname.vault.azure.net:443/secrets/FancyNameForTheCertificate/khjk234234k4h2423kh235l23
Thumbprint  : 2k35jhk644526jh4ly5j
Tags        :
Enabled     : True
Created     : 01.12.2016 12.35.09
Updated     : 01.12.2016 12.35.09


PS C:\Users\Olaf>

Now that we've created the vault and uploaded a certificate we can proceed with the deployment.

Fetch the VM you want to deploy to:

PS C:\Users\Olaf> $VirtualMachine = Get-AzureRmVM -Name "FancyVm" -ResourceGroupName "FancyVmGroup"

Then you can proceed to the good stuff:

PS C:\Users\Olaf> $SourceVaultId = "/subscriptions/56g8fsd-2de6-4179-8ab1-365da4211af4/resourceGroups/vault/providers/Microsoft.KeyVault/vaults/keyvault"
PS C:\Users\Olaf> $CertificateStore = "My"
PS C:\Users\Olaf> $CertificateUrl = "https://fancykeyvaultname.vault.azure.net:443/secrets/FancyNameForTheCertificate/khjk234234k4h2423kh235l23"
PS C:\Users\Olaf> Add-AzureRmVMSecret -VM $VirtualMachine -SourceVaultId $SourceVaultId -CertificateStore $CertificateStore -CertificateUrl $CertificateUrl

Et voilà! You've now pushed your certificate to the VM of choice. The sweet part is that you can easily use this in an automation setting so that you push your certificate to a bunch of VMs.
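Here is what that automation setting can look like as a script, added here as an example rather than taken from the post: it walks every VM in a resource group, skips the ones that already reference the certificate's secret URL, and reads the current secret URL from the vault instead of pasting it. The vault, resource group, VM group and certificate names are the ones from the transcript above, and the script also calls Update-AzureRmVM to commit the modified VM object, since Add-AzureRmVMSecret on its own only changes the object in memory.

```powershell
# Added example (not from the original post): push one Key Vault certificate
# to every VM in a resource group, skipping VMs that already reference it.
# Names below are taken from the post's transcript and are assumptions.
$KeyVaultName = "FancyKeyVaultName"
$VaultRg      = "FancyKeyVaultName-Rg"
$TargetRg     = "FancyVmGroup"
$CertName     = "FancyNameForTheCertificate"

# The VM agent can only pull secrets from a vault flagged EnabledForDeployment,
# so fail early with the fix rather than after touching the first VM.
$Vault = Get-AzureRmKeyVault -VaultName $KeyVaultName -ResourceGroupName $VaultRg
if (-not $Vault.EnabledForDeployment) {
    throw "Vault $KeyVaultName is not EnabledForDeployment; run " +
          "Set-AzureRmKeyVaultAccessPolicy -VaultName $KeyVaultName -EnabledForDeployment first."
}

# Read the secret URL of the current certificate version from the vault, so a
# renewed certificate is picked up automatically on the next run.
$Cert           = Get-AzureKeyVaultCertificate -VaultName $KeyVaultName -Name $CertName
$CertificateUrl = $Cert.SecretId

foreach ($Vm in Get-AzureRmVM -ResourceGroupName $TargetRg) {
    # Skip VMs whose OS profile already lists this exact secret URL.
    $Already = $Vm.OSProfile.Secrets |
        ForEach-Object { $_.VaultCertificates } |
        Where-Object { $_.CertificateUrl -eq $CertificateUrl }
    if ($Already) {
        Write-Host "$($Vm.Name): certificate already deployed, skipping"
        continue
    }

    # Same call as in the post, with the vault's resource id looked up instead of typed.
    $Vm = Add-AzureRmVMSecret -VM $Vm -SourceVaultId $Vault.ResourceId `
        -CertificateStore "My" -CertificateUrl $CertificateUrl

    # Add-AzureRmVMSecret only changes the local VM object; this commits it.
    Update-AzureRmVM -ResourceGroupName $TargetRg -VM $Vm | Out-Null
    Write-Host "$($Vm.Name): certificate pushed"
}
```

Because the script is idempotent on the secret URL, it is safe to run on a schedule; only VMs missing the current version get updated.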

If you get errors while importing, try to set the import policy on the vault using Set-AzureRmKeyVaultAccessPolicy. This was the case for me when I tried importing the first time. And if you receive errors while trying to apply the certificate to VMs, you're probably going to have to forcibly remove the Monitor extension and retry the Add-AzureRmVMSecret action.

Hope this can help someone out :)