I've stored an X509 certificate in Azure KeyVault (under Keys). When I use keyVaultClient.GetKeyAsync(keyUrl), it returns a keyBundle with a Keys property. The Keys property has a ToRSA() function.

From the RSA object, I'm able to create an XML string, but the format is not the PEM format for public keys which I can use as raw data in the X509Certificate2 constructor. I can't find any methods in the .NET framework to create an X509Certificate2 from the RSA XML.

I really need an X509Certificate2 object to encrypt an enveloped Cms object. CmsRecipient requires an X509Certificate in its constructor. Is there a way to convert RSA (AsymmetricAlgorithm) into an X509Certificate2 object?

A workaround could be to store the certificate under Secrets. Then the key vault API seems to give me the X509Certificate raw data, but I would like to store the same certificate only once. I must have it under Keys to be able to unwrap keys (for the Cms object decryption).
You should store a certificate along with the key in the vault, and then call keyVaultClient.GetCertificateAsync(url) and get the certificate that's already stored in the vault. Though I think that's still separate from the certificate, so it's not a perfect solution.

The key alone isn't enough to construct a certificate, since it's only a handful of numbers necessary to do the encryption. It doesn't have things like a name, or an issuer, or a validity period. To produce a certificate, you would have to make all those things up on the spot and then somehow sign the certificate... which probably wouldn't work for your scenario.
and get the certificate that's already stored in the vault. Though I think that's still separate from the certificate, so it's not a perfect solution.The key alone isn't enough to construct a certificate, since it's only a handful of numbers necessary to do the encryption. It doesn't have things like a name, or an issuer, or a validity period. To produce a certificate, you would have to make all those things up on the spot and then somehow sign the certificate... which probably wouldn't work for your scenario.