I am trying to run the script GetAppConfigSettings.ps1 from Microsoft docs help setting up a Key Vault
The script contains the following
# **********************************************************************************************
# Prep the cert credential data
# **********************************************************************************************
$certificateName = "$applicationName" + "cert"
$myCertThumbprint = (New-SelfSignedCertificate -Type Custom -Subject "$certificateName"-KeyUsage DigitalSignature -KeyAlgorithm RSA -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My" -Provider "Microsoft Enhanced Cryptographic Provider v1.0" ).Thumbprint
$x509 = (Get-ChildItem -Path cert:\CurrentUser\My\$myCertthumbprint)
$password = Read-Host -Prompt "Please enter the certificate password." -AsSecureString
# Saving the self-signed cert and pfx (private key) in case it's needed later
Export-Certificate -cert $x509 -FilePath ".\$certificateName.cer"
Export-PfxCertificate -Cert $x509 -FilePath ".\$certificateName.pfx" -Password $password
Running the script ( after setting the variables) produces the following error
New-SelfSignedCertificate : CertEnroll::CX509Enrollment::_CreateRequest: Provider type not defined.
0x80090017 (-2146893801 NTE_PROV_TYPE_NOT_DEF)
At \\tsclient\E\EShared\Dev\Microsoft.Azure.KeyVault.Samples-2016.11.22
(1)\Microsoft.Azure.KeyVault.Samples\scripts\GetAppConfigSettings.ps1:38 char:22
+ ... umbprint = (New-SelfSignedCertificate -Type Custom -Subject "$certifi ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-SelfSignedCertificate], Exception
+ FullyQualifiedErrorId : System.Exception,Microsoft.CertificateServices.Commands.NewSelfSignedC
ertificateCommand
[Update]
Microsoft Support advised me to change the provider to "Microsoft Platform Crypto Provider"
However I still get the error.
For Powershell, $PSVersionTable reports 5.1.17134.112
I have Version 5.7.0 of AzureRM installed
Microsoft support helped me out with this line
$myCertThumbprint = (New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My
-subject MyCert -KeyExportPolicy Exportable -NotAfter (Get-Date).AddYears(10)
-Type CodeSigningCert -KeySpec Signature).Thumbprint
The AuthClientId and AuthCertThumbprint values I need for the HelloKeyVault app.config are created.
The AuthClientId displays in the portal as the Application ID and is vissible in the Registered app settings.
To get to it click Azure Active Directory -> App registrations
Then click View all applications
click on the application then settings
To see the Thumbprint doe the same and then click Keys
I can see AuthClientId
Please use this sample to learn how to use Key Vault with DotNet and authenticate to Azure Active Directory with a Service Principal's Certificate
https://github.com/Azure-Samples/key-vault-dotnet-quickstart
Related
I have put my Powershell Script below. I am creating an HTTPS certificate ($httpsk) from a self-signed certificate ($ca). When I run the script, It fails on the "New-IISSiteBinding." Overall, this should be creating 2 certificates (check) and then using one of those certificates
$ca = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My `
-FriendlyName $Name -DnsName $Name `
-KeyusageProperty All -KeyUsage CertSign, CRLSign, DigitalSignature `
-KeyAlgorithm RSA -KeyLength 4096 -NotAfter (Get-Date).AddYears(20)
# Generate HTTPS certificate issued by the self-signed CA
$httpsk = New-SelfSignedCertificate -CertStoreLocation cert:\LocalMachine\My `
-FriendlyName "$FriendlyNameHTTPS" `
-DnsName $DnsNameHTTPS `
-KeyAlgorithm RSA -KeyLength 2048 -Signer $ca -NotAfter (Get-Date).AddYears(3)
Write-Warning "Generated a certificate which may be used for the HTTPS binding."
Export-Certificate -FilePath "C:\temp\certificate" -Cert $ca | Out-Null
$thumbprint = $httpsk.thumbprint
$websiteName = "Default Web Site"
New-IISSiteBinding -Name $websiteName -BindingInformation "*:443:$domainName" -CertificateThumbPrint $thumbprint -CertStoreLocation "cert:\LocalMachine\my" -Protocol "https"
The error I get is:
New-IISSiteBinding : The configuration object is read only, because it has been committed by a call to ServerManager.CommitChanges(). If
write access is required, use ServerManager to get a new reference.
At line:1 char:5
+ New-IISSiteBinding -Name $websiteName -BindingInformation "*:443" ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-IISSiteBinding], InvalidOperationException
+ FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.IIS.Powershell.Commands.NewIISSiteBindingCommand
I looked around stack overflow, Microsoft, and several third party sites but cannot find anything on this. There was something similar that might be helpful for you to look at. It's with a slightly different problem and it was C# rather than a PowerShell script. Here is the link. What exactly is the problem and how do I fix it? I'm semi-new to IIS. What is it referring to when it says the "configuration object"? is that the certificate, the site, or the binding?
You can check whether your command format error is causing the problem according to this website.
This is for reference: New-IISSiteBinding
Apologies ahead of time if I don't get syntax correct. This is my first pass at certificate creation.
I am attempting to use Powershell to create a root certificate. I am using the following code:
$todaydt = Get-Date
$50years = $todaydt.AddYears(50)
$mypwd = ConvertTo-SecureString -String "*******" -Force -AsPlainText
$rootCert = New-SelfSignedCertificate -Subject 'CN=127.0.0.1' -KeyExportPolicy Exportable -KeyUsage CertSign,CRLSign,DigitalSignature -KeyLength 2048 -KeyUsageProperty All -KeyAlgorithm 'RSA' -HashAlgorithm 'SHA256' -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' -notafter $50years
Export-PfxCertificate -Cert $rootCert -FilePath c:\temp\my.pfx -Password $mypwd -ChainOption EndEntityCertOnly -NoProperties -Verbose
When I run it I get: Export-PfxCertificate: Cannot export non-exportable private key.
According to someone else in the same situation they found it to be essentially a permissions issue and solved it by:
"I checked the option "manage private keys" and you just get the
permissions to see - so I added my admin account...."
And then they were able to export. I am not sure what this means though? Anyone have an idea or another answer?
Thanks.
I have a seemingly simple script for importing a PFX into Azure Key Vault. The service principal I am using is set to the Key Vault contributor role and has the access policies Get, List, Update, Create and Import. I am using certificate authentication when connecting the service principal. However, I get a very unhelpful error:
Import-AzKeyVaultCertificate : Access denied.
At line:1 char:1
+ Import-AzKeyVaultCertificate -VaultName $keyVault -Name 'AzureAuth' - ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Import-AzKeyVaultCertificate], CryptographicException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.KeyVault.ImportAzureKeyVaultCertificate
My Script:
$PFX = "$env:TEMP\cert-lab.pfx"
$tenantID = 'xxx'
$AppID = 'xxx'
$keyVault = 'LabKV'
$assetName = 'AzureCert'
$EncryptPass = 'PFXpassword123'
## Clear the authentication context
Clear-AzContext -Force
$PFXPass = ConvertTo-SecureString -String $EncryptPass -AsPlainText -Force
$pfxCert = Import-PfxCertificate -FilePath $PFX -CertStoreLocation Cert:\CurrentUser\My -Password $PFXPass -Exportable
$ctx = Connect-AzAccount -ServicePrincipal -Tenant $tenantID -CertificateThumbprint $pfxCert.Thumbprint -ApplicationId $AppID
Import-AzKeyVaultCertificate -VaultName $keyVault -Name $assetName -FilePath $PFX -Password $PFXPass -DefaultProfile $ctx
Interestingly, if I manually import the cert through the console, I can use the exact same code with Get-AzKeyVaultCertificate instead of Import-AzKeyVaultCertificate and successfully retrieve the certificate. This tells me that the Service Principal at least has access to retrieve certificates. I'm still at a loss as to what is causing the Import to fail.
So I ended up buying a support plan and opening a case with Microsoft. Even though I was able to directly import cert-lab.pfx and was able to verify its contents with OpenSSL, for whatever reason, Import-AzKeyVaultCertificate just did not like the file. They had me create a new file by exporting from my CAPI store to cert2.pfx. The import command worked flawlessly with the new file. I shrugged my shoulders, deleted the old file and decided to move on with my life.
I'm trying to add a key to a keyvault using Add-AzKeyVaultKey, but it fails with the message "Invalid provider type specified".
Add-AzKeyVaultKey : Invalid provider type specified.
At line:3 char:1
+ Add-AzKeyVaultKey -VaultName '$KeyVaultName' -Name 'alfalaval-as2-pri ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Add-AzKeyVaultKey], CryptographicException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.KeyVault.AddAzureKeyVaultKey
I can successfully import the certificate (from pfx) to the keyvault, but when importing the key from the same pfx the operation fails.
According to Microsoft document, it should be a pfx file (PEM not supported): Micsosoft, Add-AzKeyVaultKey
I've uploaded a sample dummy keypair here (keypair at filebin) if anyone wants to try it out.
Sample code
#Import certificate used for encryption
$Password = ConvertTo-SecureString -String "abcd1234" -AsPlainText -Force
Import-AzKeyVaultCertificate -VaultName "$KeyVaultName" -Name "as2-demo-certificate" -FilePath 'C:\mypath\as2-demo-cert.pfx' -Password $Password
#Importing key used for decryption
Add-AzKeyVaultKey -VaultName '$KeyVaultName' -Name 'as2-demo-private-key' -Destination 'Software' -KeyFilePath 'C:\mypath\as2-demo-cert.pfx' -KeyFilePassword $Password
Any help is appreciated :)
As Theo pointed out here (read for more details), the solution is to specify the provider when generating our keypair since the Add-AzKeyVaultKey cmdlet only supports the Cryptography Next Generation (CNG, CAPI2) provider.
Click here another great post with even more details.
If you do not specify the provider, the New-SelfSignedCertificate cmdlet defaults to "Microsoft Software Key Storage Provider"
Supported provider: "Microsoft RSA SChannel Cryptographic Provider"
Sample
New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -KeyAlgorithm "RSA" -DnsName "test.local" -Subject "test.local" -FriendlyName "test-cng" -provider "Microsoft RSA SChannel Cryptographic Provider" -KeyExportPolicy "Exportable" -NotAfter (Get-Date).AddYears(10)
When exporting this as a pfx, the powershell cmdlet has no problem parsing it.
Would be great if the MS Documentation pointed this out - would have saved me a ton of troubleshooting :)
when i try to create certificate, column master key and column encryption key using the below PS script its works fine in windows 10
Import-Module "SqlServer"
$serverName = "XXX"
$databaseName ="XX"
$connStr = "Server = " + $serverName + "; Database = " + $databaseName + "; Integrated Security=true"
$connection = New-Object Microsoft.SqlServer.Management.Common.ServerConnection
$connection.ConnectionString = $connStr
$connection.Connect()
$server = New-Object Microsoft.SqlServer.Management.Smo.Server($connection)
$database = $server.Databases[$databaseName]
$cert = New-SelfSignedCertificate -Subject "Cert" -CertStoreLocation Cert:LocalMachine\My -KeyExportPolicy Exportable -Type DocumentEncryptionCert -KeyUsage KeyEncipherment -KeySpec KeyExchange -KeyLength 2048
$cmkSettings = New-SqlCertificateStoreColumnMasterKeySettings -CertificateStoreLocation "LocalMachine" -Thumbprint $cert.Thumbprint
$cmkName = "CMK1"
New-SqlColumnMasterKey -Name $cmkName -InputObject $database -ColumnMasterKeySettings $cmkSettings
$cekName = "CEK1"
New-SqlColumnEncryptionKey -Name $cekName -InputObject $database -ColumnMasterKey $cmkName
but getting error in windows server 2012. if i remove the following:
-Subject, -KeyExportPolicy Exportable -Type DocumentEncryptionCert -KeyUsage KeyEncipherment -KeySpec KeyExchange -KeyLength 2048
and use -DNSName only then it just create column master key and throw error while create column encryption key.
someone please provide me correct syntax which works on Windows server 2012 and create certificate , column master key and column encryption key?
Please refer to Create a self-signed certificate using PowerShell section of this article.
To be used as Always encrypted CMKs, certificates require a specific configuration.
You should be able to create a certificate to be used as CMK using the following commands
New-SelfSignedCertificate is a Windows PowerShell cmdlet that creates a self-signed certificate. The below examples show how to generate a certificate that can be used as a column master key for Always Encrypted.
$cert = New-SelfSignedCertificate -Subject "AlwaysEncryptedCert" -CertStoreLocation Cert:CurrentUser\My -KeyExportPolicy Exportable -Type DocumentEncryptionCert -KeyUsage KeyEncipherment -KeySpec KeyExchange -KeyLength 2048
# To create a certificate in the local machine certificate store location you need to run the cmdlet as an administrator.
$cert = New-SelfSignedCertificate -Subject "AlwaysEncryptedCert" -CertStoreLocation Cert:LocalMachine\My -KeyExportPolicy Exportable -Type DocumentEncryptionCert -KeyUsage KeyEncipherment -KeySpec KeyExchange -KeyLength 2048
This should work with Server 2012, you will have to install makecert utility if it does not exist:
makecert.exe -n "CN=Always Encrypted Certificate - exported" -pe -sr CurrentUser -r -eku 1.3.6.1.5.5.8.2.2,1.3.6.1.4.1.311.10.3.11 -ss my -sky exchange -sp "Microsoft Strong Cryptographic Provider" -sy 1 -len 2048 -a sha256