问题
We bought a certificate via Azure and would like to use it on same VM. We just need .pfx file.
We tried almost everything and we are getting next error:
"You do not have permission to get the service prinicipal information needed to assign a Key Vault to your certificate. Please login with an account which is either the owner of the subscription or an admin of the Active Directory to configure Key Vault settings."
But we have permissions...
回答1:
@Sasha, there are not a lot of details to go on here and I hate to state the obvious given you've tried everything, but the error message is pretty clear - "You do not have permission to get the service principal information needed".
Some things to clarify and check:
- Did you buy an Azure "App Service Certificate"?
- Is the certificate in 'issued' status?
- Are you logged in as the subscription owner or did the owner give you admin access to their subscription? The latter is not good enough, I believe.
- Did you complete the three-step validation process?
If you did all of that, your certificate is now stored in an Azure Key Vault. When you create an Azure Key Vault, there is an advanced access policy option to "Enable Access to Azure Virtual Machines for deployment" (see image). Its help info reads, "Specifies whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault."
That said, since you want a .pfx file, below is a sample PowerShell script extracted from MSDN blogs to do just that. Provide appropriate values for the four "$" parameters below and save the script as copyasc.ps1.
$appServiceCertificateName = ""
$resourceGroupName = ""
$azureLoginEmailId = ""
$subscriptionId = ""
Login-AzureRmAccount
Set-AzureRmContext -SubscriptionId $subscriptionId
$ascResource = Get-AzureRmResource -ResourceName $appServiceCertificateName -ResourceGroupName $resourceGroupName -ResourceType "Microsoft.CertificateRegistration/certificateOrders" -ApiVersion "2015-08-01"
$keyVaultId = ""
$keyVaultSecretName = ""
$certificateProperties=Get-Member -InputObject $ascResource.Properties.certificates[0] -MemberType NoteProperty
$certificateName = $certificateProperties[0].Name
$keyVaultId = $ascResource.Properties.certificates[0].$certificateName.KeyVaultId
$keyVaultSecretName = $ascResource.Properties.certificates[0].$certificateName.KeyVaultSecretName
$keyVaultIdParts = $keyVaultId.Split("/")
$keyVaultName = $keyVaultIdParts[$keyVaultIdParts.Length - 1]
$keyVaultResourceGroupName = $keyVaultIdParts[$keyVaultIdParts.Length - 5]
Set-AzureRmKeyVaultAccessPolicy -ResourceGroupName $keyVaultResourceGroupName -VaultName $keyVaultName -UserPrincipalName $azureLoginEmailId -PermissionsToSecrets get
$secret = Get-AzureKeyVaultSecret -VaultName $keyVaultName -Name $keyVaultSecretName
$pfxCertObject=New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @([Convert]::FromBase64String($secret.SecretValueText),"", [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
$pfxPassword = -join ((65..90) + (97..122) + (48..57) | Get-Random -Count 50 | % {[char]$_})
$currentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
[Environment]::CurrentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
[io.file]::WriteAllBytes(".\appservicecertificate.pfx", $pfxCertObject.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $pfxPassword))
Write-Host "Created an App Service Certificate copy at: $currentDirectory\appservicecertificate.pfx"
Write-Warning "For security reasons, do not store the PFX password. Use it directly from the console as required."
Write-Host "PFX password: $pfxPassword"
Type the following commands in PowerShell console to execute the script:
Powershell –ExecutionPolicy Bypass
.\copyasc.ps1
Once the script is executed, you would see a new file in the current directory called ‘appservicecertificate.pfx’. This is a password protected PFX, the PowerShell console would display the corresponding password.
来源:https://stackoverflow.com/questions/42071549/how-to-import-certificate-from-azure