Unable to extract myCertificate.p12 file into pem via suggested commands in README

[jcroma]

• Package Name:
• "@azure/keyvault-secrets"
• Package Version:
• : "^4.2.0"
• Operating system:
• Win 10 64 bit
• nodejs
  • version:
  • v12.18.2
• [-] browser
  • name/version:
• [-] typescript
  • version:
• Is the bug related to documentation in
  • README.md
  • source code documentation
  • SDK API docs on https://docs.microsoft.com

Describe the bug
While I'm trying to extract key and cert from *.p12 file I'm getting error:
2776:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../openssl-1.1.1k/crypto/asn1/tasn_dec.c:1149:
2776:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../openssl-1.1.1k/crypto/asn1/tasn_dec.c:309:Type=PKCS12

To Reproduce
1.Create certificate and key files: openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certout.pem
2. Move them to one file: cat certout.pem key.pem > upload.pem
3. Add upload.pem to keyvault certificates via CLI:
az keyvault certificate import --file upload.pem --name cacl --vault-name *** vault-name marked as *** since I'm not sure if it may be sensitive data for company
4. Certificate is present on keyvault -> certificates
5. As npm manual says:

// Using the same credential object we used before,
// and the same keyVaultUrl,
// let's create a SecretClient
const secretClient = new SecretClient(keyVaultUrl, credential);

// Assuming you've already created a Key Vault certificate,
// and that certificateName contains the name of your certificate
const certificateSecret = await secretClient.getSecret(certificateName);

// Here we can find both the private key and the public certificate, in PKCS 12 format:
const PKCS12Certificate = certificateSecret.value!;

// You can write this into a file:
fs.writeFileSync("myCertificate.p12", PKCS12Certificate);

6. Got file and execute command as in description:

openssl pkcs12 -in myCertificate.p12 -out myCertificate.crt.pem -clcerts -nokeys

got error described in bug section

Expected behavior
As documentation says I should get "the public certificate in PEM format"

Additional context

1. If certs or p12 file content is required I can add it
2. I'm not sure if section readme applies to npm documentation (https://www.npmjs.com/package/@azure/keyvault-certificates#getting-the-full-information-of-a-certificate)

3. I'm able to get cert and key via CLI so I assuming there is nothing wrong with cert/key

[maorleger]

Hi @jcroma, thanks for creating this issue! I'll take a look shortly, and will let you know what I find

[maorleger]

@jcroma looking into this, because you are importing a PEM certificate, when you download it the certificate will already be in PEM format so there will be no need to convert it.

The instructions in the README refer to certificates which were created using keyvault (which by default uses pfx certificates) rather than imported into keyvault already in PEM format.

You can verify this for me by opening mycertificate.p12 in a text editor.

If you see something like

-----BEGIN PRIVATE KEY-----
<some values>
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE----
<some values>
-----END CERTIFICATE----

It is already a PEM certificate. You may not see both private and certificate sections.

If you see something else - let me know! I'll be interested in understanding your scenario better.

• You may see a base64 encoded string which needs to be decoded using something like base64 -d cert_name.p12 > decoded.p12
• You may see a ton of �H�� in which case you are dealing with pfx / pkcs certificate (a binary file) and we should talk further 😄

Hope this helps! Feel free to reach out with any updates

[jcroma]

Hi @maorleger thanks for fast answer.
You're right in this case I got:

-----BEGIN PRIVATE KEY-----
<some values>
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE----
<some values>
-----END CERTIFICATE----

in .p12 file. I thought this command mayby separate them.
I have also one more question (because this cert I was creating on purpose with azure doc)
Let me also describe steps what I'm doing:

1. Generate ca.key: openssl genrsa -des3 -out ca.key 2048
2. Generate ca.crt: openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
3. Combine them into pfx: openssl pkcs12 -export -out ca.pfx -inkey ca.key -in ca.crt
4. Uploaded via CLI this pfx (visible on keyvaults)
5. After doing same code I got same error but data in p12 file looks different, it is like random string (something you described in bullet two.
   I thought mayby decoding from base64 will help but I'm getting ton of ��+���!� after decoding.
   Is there anything wrong with my steps ?

[maorleger]

Good morning! I tried the steps you listed but was successful in creating, importing, exporting, and decoding the certificate.

For context, here's what I did:

openssl genrsa -des3 -out ca.key 2048
openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
openssl pkcs12 -export -out ca.pfx -inkey ca.key -in ca.crt
az keyvault certificate import --file ca.pfx --name capfx --vault-name <vault name> --password <password used to create the key>

At that point, I was able to run the following code snippet successfully:

const { SecretClient } = require("@azure/keyvault-secrets");
const { DefaultAzureCredential } = require("@azure/identity");
const dotenv = require("dotenv");
const fs = require("fs");
dotenv.config();

async function main() {
  const secretClient = new SecretClient(process.env.KEYVAULT_URI!, new DefaultAzureCredential());
  const certificateSecret = await secretClient.getSecret("capfx");

  const PKCS12Certificate = certificateSecret.value!;

  fs.writeFileSync("capfx.pfx", PKCS12Certificate);
  console.log("downloaded to capfx.pfx");
}

main()
  .then(() => console.log("done"))
  .catch(console.error);

Finally, now that I have the pfx file I can see that it is base64 encoded. But the following steps worked for me:

base64 -d capfx.pfx > capfxd.pfx
openssl pkcs12 -in capfxd.pfx -out capfxd.crt.pem -clcerts -nokeys

And successfully view the certificate in pem format.

Given that I verified the steps worked successfully, I am going to close this issue. I hope the snippet above helps! Unfortunately I am far from a openssl expert, but I can do my best to help.

If you have a complete repro of the issue please send me exact steps along with minimal repro and I can investigate further.

Thank you for reaching out - hope the above is helpful!