Azure KeyVault GetKeyAsync returns RSAParameters and not X509Certificate


I've stored an X509 certificate in Azure KeyVault (under Keys).

When I use keyVaultClient.GetKeyAsync(keyUrl), it returns a keyBundle with a Keys property.

The Keys property has a ToRSA() function.

From the RSA object, I'm able to create an XML string, but the format is not the PEM format for public keys which I can use as raw data in the X509Certificate2 constructor.

I can't find any methods in the .NET framework to create an X509Certificate2 from the RSA XML.

I really need an X509Certificate2 object to encrypt an enveloped Cms object. CmsRecipient requires X509Certificate in its constructor.

Is there a way to convert RSA (AsymmetricAlgorithm) into a X509Certificate2 object?

A workaround could be to store the certificate under Secrets. Then the key vault API seems to give me the X509Certificate raw data, but I would like to store the same certificate only once. I must have it under Keys to be able to unwrap keys (for the Cms object decryption).


Best answer:

You should store a certificate along with the key in the vault, and then call keyVaultClient.GetCertificateAsync(url) and get the certificate that's already stored in the vault. Though I think that's still separate from the certificate, so it's not a perfect solution.

The key alone isn't enough to construct a certificate, since it's only a handful of numbers necessary to do the encryption. It doesn't have things like a name, or an issuer, or a validity period. To produce a certificate, you would have to make all those things up on the spot and then somehow sign the certificate... which probably wouldn't work for your scenario.
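To make the point above concrete, here is an added example (not code from the question or the answer) that retrieves the certificate the vault already holds and uses it as the CmsRecipient the asker needs, while also showing that the key endpoint only yields RSA parameters. It assumes the legacy Microsoft.Azure.KeyVault SDK the question uses (KeyVaultClient, GetKeyAsync, GetCertificateAsync), an already-authenticated client, and placeholder vault and certificate names.

```csharp
// Added example, not from the original post. Assumes the legacy
// Microsoft.Azure.KeyVault SDK and placeholder identifiers.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.KeyVault.Models;

public static class KeyVaultCms
{
    // Placeholders: replace with your own vault URL and certificate name.
    // A Key Vault certificate exposes both a /certificates/ and a /keys/ identifier.
    const string CertificateId = "https://<your-vault>.vault.azure.net/certificates/<cert-name>";
    const string KeyId         = "https://<your-vault>.vault.azure.net/keys/<cert-name>";

    // Builds an enveloped CMS message for the certificate stored in the vault.
    // The private key never leaves Key Vault; only the public certificate is downloaded.
    public static async Task<byte[]> EncryptForVaultCertificateAsync(
        KeyVaultClient client, byte[] plaintext)
    {
        // 1. The key endpoint returns a JSON Web Key. ToRSA() gives a public-only RSA
        //    object: enough for raw RSA operations, but it carries no subject, issuer,
        //    validity period or signature, so no X509Certificate2 can be built from it.
        KeyBundle keyBundle = await client.GetKeyAsync(KeyId);
        using (RSA publicOnly = keyBundle.Key.ToRSA())
        {
            Console.WriteLine($"Vault key is RSA-{publicOnly.KeySize}, public part only.");
        }

        // 2. The certificate endpoint returns the DER-encoded public certificate (.Cer),
        //    which the X509Certificate2 constructor accepts directly.
        CertificateBundle certBundle = await client.GetCertificateAsync(CertificateId);
        var recipientCert = new X509Certificate2(certBundle.Cer);
        if (recipientCert.HasPrivateKey)
            throw new InvalidOperationException("Unexpected private key in downloaded certificate.");

        // 3. Encrypt for that recipient. CmsRecipient needs exactly this certificate object.
        var envelope = new EnvelopedCms(new ContentInfo(plaintext));
        envelope.Encrypt(new CmsRecipient(recipientCert));
        return envelope.Encode();
    }
}
```

Decryption is the mirror image of the asker's constraint: EnvelopedCms.Decrypt() expects the private key to be available locally, so with a vault-resident key the recipient's encrypted content key would instead have to be unwrapped through the Key Vault unwrap operation, using the RSA padding the CMS recipient was encrypted with (PKCS#1 v1.5 by default for CmsRecipient unless an OAEP overload is used).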

Second answer:

The purpose of Keys in Azure Key Vault is to focus more on crypto, and the key in the Keys store is for signing/encrypting/decrypting operations. The return you get is just information about a key in the form of a JWT (JSON Web Token). You could get the RSA modulus and convert it to the form of a public part (I'm not sure). But the main purpose of Keys is not to store a certificate and download it.

If you want to perform encryption using your encryption key (stored in Keys), you can use the .NET client EncryptAsync().

If you want to maintain your certificate and download it, I gave my approaches in another thread here: Getting pem file uploaded in Azure Key Vault Keys.
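The answer above points at the key operations the Keys store is meant for. As an added example (not from the answer or the asker), this shows the envelope pattern the asker mentions: a content key generated locally is wrapped with the vault's RSA key via WrapKeyAsync and later recovered via UnwrapKeyAsync, so the RSA private key is never exported. EncryptAsync/DecryptAsync have the same call shape and can be used directly for payloads small enough for one RSA-OAEP block. It assumes the legacy Microsoft.Azure.KeyVault SDK, an authenticated client, and a placeholder key identifier.

```csharp
// Added example, not from the original post. Assumes the legacy
// Microsoft.Azure.KeyVault SDK and a placeholder key identifier.
using System;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.KeyVault.Models;
using Microsoft.Azure.KeyVault.WebKey;

public static class KeyVaultEnvelope
{
    // Placeholder: replace with your own vault URL and key name.
    const string KeyId = "https://<your-vault>.vault.azure.net/keys/<key-name>";

    // Encrypts plaintext with a fresh AES key and protects that key with the vault's
    // RSA key. Returns everything the recipient needs except the RSA private key.
    public static async Task<(byte[] WrappedKey, byte[] Iv, byte[] Ciphertext)> ProtectAsync(
        KeyVaultClient client, byte[] plaintext)
    {
        using (var aes = Aes.Create())
        {
            aes.GenerateKey();
            aes.GenerateIV();

            byte[] ciphertext;
            using (ICryptoTransform enc = aes.CreateEncryptor())
                ciphertext = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);

            // The AES key is wrapped inside Key Vault; the RSA private key never leaves it.
            KeyOperationResult wrapped = await client.WrapKeyAsync(
                KeyId, JsonWebKeyEncryptionAlgorithm.RSAOAEP, aes.Key);

            return (wrapped.Result, aes.IV, ciphertext);
        }
    }

    // Unwraps the AES key through Key Vault and decrypts the content locally.
    public static async Task<byte[]> UnprotectAsync(
        KeyVaultClient client, byte[] wrappedKey, byte[] iv, byte[] ciphertext)
    {
        KeyOperationResult unwrapped = await client.UnwrapKeyAsync(
            KeyId, JsonWebKeyEncryptionAlgorithm.RSAOAEP, wrappedKey);

        using (var aes = Aes.Create())
        {
            aes.Key = unwrapped.Result;
            aes.IV = iv;
            using (ICryptoTransform dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(ciphertext, 0, ciphertext.Length);
        }
    }
}
```

Aes.Create() defaults to CBC with PKCS7 padding, which provides confidentiality only; in a real deployment the ciphertext and IV should also be authenticated (an HMAC over them, or an AEAD mode such as AES-GCM where the runtime offers it), and the wrap/unwrap calls should be scoped to a Key Vault access policy that grants only wrapKey/unwrapKey to the caller that needs them.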