Download.pfx certificate from Azure KeyVault with Python

Question

I've imported a valid .pfx certificate into a keyvault in Azure. When I try to download it with Python using the SecretClient object, I get a value with no "BEGIN CERTIFICATE" or "END CERTIFICATE" footer. My understanding is that this value should contain the public certificate and private key, but I can't seem to convert this string value into anything I can then use or read with openssl.

I can download the certificate fine with az keyvault secret download and then read it correctly with openssl

I've tried writing the string to a file and manually adding headers etc. but I feel I am missing something fundamental. The example I've seen here: https://github.com/Azure/azure-sdk-for-js/issues/7647 appears to show the value being directly written to a file and read with openssl. This does not work for me and I get the following error:

error:0D07803A: asn1 encoding routines : ASN1_ITEM_EX_D2I : nested asn1 error

So the fundamental question is: how to convert KeyVaultSecret.value into an x509 object or how to write it to a file in such a way that openssl can succesfully read it

Answer 1

Error was in converting to base64. Code below for future interested parties:

import base64
from azure.keyvault.secrets import SecretClient

secret = SecretClient(keyvaulturl,credentials)
secret_b64 = base64.b64decode(secret.value)
with open('test.pfx','wb') as fopen:
    fopen.write(secret_b64)

This can be interrogated with openssl succesfully.