
Unable to extract myCertificate.p12 file into pem via suggested commands in README #15946

Closed
2 of 4 tasks
jcroma opened this issue Jun 24, 2021 · 4 comments
Labels
Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. KeyVault question The issue doesn't require a change to the product in order to be resolved. Most issues start as that

Comments


jcroma commented Jun 24, 2021

  • Package Name: "@azure/keyvault-secrets"
  • Package Version: "^4.2.0"
  • Operating system: Win 10 64 bit
  • nodejs
    • version: v12.18.2
  • [-] browser
    • name/version:
  • [-] typescript
    • version:
  • Is the bug related to documentation in

Describe the bug
While I'm trying to extract the key and cert from a *.p12 file I'm getting this error:
2776:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../openssl-1.1.1k/crypto/asn1/tasn_dec.c:1149:
2776:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../openssl-1.1.1k/crypto/asn1/tasn_dec.c:309:Type=PKCS12

To Reproduce
1. Create certificate and key files: openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certout.pem
2. Move them into one file: cat certout.pem key.pem > upload.pem
3. Add upload.pem to Key Vault certificates via CLI:
az keyvault certificate import --file upload.pem --name cacl --vault-name *** (vault name marked as *** since I'm not sure if it may be sensitive data for the company)
4. The certificate is present under Key Vault -> Certificates
5. As the npm manual says:

// Using the same credential object we used before,
// and the same keyVaultUrl,
// let's create a SecretClient
const secretClient = new SecretClient(keyVaultUrl, credential);

// Assuming you've already created a Key Vault certificate,
// and that certificateName contains the name of your certificate
const certificateSecret = await secretClient.getSecret(certificateName);

// Here we can find both the private key and the public certificate, in PKCS 12 format:
const PKCS12Certificate = certificateSecret.value!;

// You can write this into a file:
fs.writeFileSync("myCertificate.p12", PKCS12Certificate);
6. Got the file and executed the command as in the description:
openssl pkcs12 -in myCertificate.p12 -out myCertificate.crt.pem -clcerts -nokeys

and got the error described in the bug section

Expected behavior
As the documentation says, I should get "the public certificate in PEM format"

Additional context

  1. If the certs or the p12 file content are required I can add them
  2. I'm not sure if the README section applies to the npm documentation (https://www.npmjs.com/package/@azure/keyvault-certificates#getting-the-full-information-of-a-certificate)
  3. I'm able to get the cert and key via CLI, so I assume there is nothing wrong with the cert/key

@ghost ghost added needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. customer-reported Issues that are reported by GitHub users external to the Azure organization. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Jun 24, 2021
@maorleger maorleger self-assigned this Jun 24, 2021
@maorleger maorleger added Client This issue points to a problem in the data-plane of the library. KeyVault labels Jun 24, 2021
@ghost ghost removed the needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. label Jun 24, 2021
maorleger (Member) commented

Hi @jcroma, thanks for creating this issue! I'll take a look shortly, and will let you know what I find

maorleger (Member) commented Jun 24, 2021

@jcroma looking into this: because you are importing a PEM certificate, when you download it the certificate will already be in PEM format, so there will be no need to convert it.

The instructions in the README refer to certificates which were created using Key Vault (which by default uses PFX certificates) rather than imported into Key Vault already in PEM format.

You can verify this for me by opening mycertificate.p12 in a text editor.

If you see something like

-----BEGIN PRIVATE KEY-----
<some values>
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
<some values>
-----END CERTIFICATE-----

It is already a PEM certificate. You may not see both the private key and the certificate sections.

If you see something else - let me know! I'll be interested in understanding your scenario better.

  • You may see a base64 encoded string which needs to be decoded using something like base64 -d cert_name.p12 > decoded.p12
  • You may see a ton of �H�� in which case you are dealing with pfx / pkcs certificate (a binary file) and we should talk further 😄

Hope this helps! Feel free to reach out with any updates

@maorleger maorleger added the needs-author-feedback Workflow: More information is needed from author to address the issue. label Jun 24, 2021
jcroma (Author) commented Jun 25, 2021

Hi @maorleger, thanks for the fast answer.
You're right, in this case I got:

-----BEGIN PRIVATE KEY-----
<some values>
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
<some values>
-----END CERTIFICATE-----

in the .p12 file. I thought this command would maybe separate them.
I also have one more question (because I was creating this cert on purpose following the Azure docs).
Let me also describe the steps I'm doing:

  1. Generate ca.key: openssl genrsa -des3 -out ca.key 2048
  2. Generate ca.crt: openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
  3. Combine them into a pfx: openssl pkcs12 -export -out ca.pfx -inkey ca.key -in ca.crt
  4. Uploaded this pfx via CLI (visible on Key Vault)
  5. After running the same code I got the same error, but the data in the p12 file looks different, it is like a random string (something you described in bullet two).
     I thought maybe decoding from base64 would help, but I'm getting a ton of ��+���!� after decoding.
     Is there anything wrong with my steps?

@ghost ghost added needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team and removed needs-author-feedback Workflow: More information is needed from author to address the issue. labels Jun 25, 2021
maorleger (Member) commented
Good morning! I tried the steps you listed but was successful in creating, importing, exporting, and decoding the certificate.

For context, here's what I did:

openssl genrsa -des3 -out ca.key 2048
openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
openssl pkcs12 -export -out ca.pfx -inkey ca.key -in ca.crt
az keyvault certificate import --file ca.pfx --name capfx --vault-name <vault name> --password <password used to create the key>

At that point, I was able to run the following code snippet successfully:

const { SecretClient } = require("@azure/keyvault-secrets");
const { DefaultAzureCredential } = require("@azure/identity");
const dotenv = require("dotenv");
const fs = require("fs");
dotenv.config();

async function main() {
  // KEYVAULT_URI is loaded from .env by dotenv; fail early if it is missing
  // (the TypeScript-only `!` assertion is not valid in a plain .js file).
  const keyVaultUri = process.env.KEYVAULT_URI;
  if (!keyVaultUri) {
    throw new Error("KEYVAULT_URI is not set");
  }
  const secretClient = new SecretClient(keyVaultUri, new DefaultAzureCredential());

  // A Key Vault certificate's private key and certificate are exposed as a
  // secret with the same name as the certificate.
  const certificateSecret = await secretClient.getSecret("capfx");

  const PKCS12Certificate = certificateSecret.value;
  if (!PKCS12Certificate) {
    throw new Error("secret capfx has no value");
  }

  // For an imported PFX this is still a base64 string; it is decoded below with `base64 -d`.
  fs.writeFileSync("capfx.pfx", PKCS12Certificate);
  console.log("downloaded to capfx.pfx");
}

main()
  .then(() => console.log("done"))
  .catch(console.error);

Finally, now that I have the pfx file, I can see that it is base64 encoded, but the following steps worked for me:

base64 -d capfx.pfx > capfxd.pfx
openssl pkcs12 -in capfxd.pfx -out capfxd.crt.pem -clcerts -nokeys

And I could successfully view the certificate in PEM format.

Given that I verified the steps worked successfully, I am going to close this issue. I hope the snippet above helps! Unfortunately I am far from an openssl expert, but I can do my best to help.

If you have a complete repro of the issue please send me exact steps along with minimal repro and I can investigate further.

Thank you for reaching out - hope the above is helpful!

@maorleger maorleger removed the needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team label Jun 28, 2021
openapi-sdkautomation bot pushed a commit to AzureSDKAutomation/azure-sdk-for-js that referenced this issue Sep 30, 2021
Fix S360 bugs for swagger FSPG 2020-02-14-preview, 2021-06-01-preview and 2021-06-01 APIs (Azure#15946)
openapi-sdkautomation bot pushed a commit to AzureSDKAutomation/azure-sdk-for-js that referenced this issue Oct 6, 2021
Dev sql microsoft.sql 2021 05 01 preview release (Azure#16289)
@github-actions github-actions bot locked and limited conversation to collaborators Apr 11, 2023