updates

cert_make_dpapi.ps1

@@ -0,0 +1,41 @@
+[CmdletBinding()]
+param(
+    [Parameter(Mandatory=$true)][string]$password = "",
+    [Parameter(Mandatory=$true)][string]$rootDomain = ""
+)
+
+$cwd = Convert-Path .
+$CerFile = "$cwd\aspnet_dpapi.cer"
+$PfxFile = "$cwd\aspnet_dpapi.pfx"
+
+# abort if files exist
+if((Test-Path($PfxFile)) -or (Test-Path($CerFile)))
+{
+    Write-Warning "Failed, aspnet_dpapi already exists in $cwd"
+    Exit
+}
+
+# settings per https://github.com/aspnet/DataProtection/issues/215#issuecomment-353606494
+$cert = New-SelfSignedCertificate `
+        -Subject $rootDomain `
+        -DnsName $rootDomain `
+        -FriendlyName "ASP.NET Data Protection $rootDomain" `
+        -NotBefore (Get-Date) `
+        -NotAfter (Get-Date).AddYears(10) `
+        -CertStoreLocation "cert:CurrentUser\My" `
+        -KeyAlgorithm RSA `
+        -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" `
+        -KeyLength 2048 `
+        -KeyUsage KeyEncipherment, DataEncipherment
+        # -HashAlgorithm SHA256 `
+        # -Type Custom,DocumentEncryptionCert `
+        # -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1")
+
+$store = 'Cert:\CurrentUser\My\' + ($cert.ThumbPrint)  
+$securePass = ConvertTo-SecureString -String $password -Force -AsPlainText
+
+Export-Certificate -Cert $store -FilePath $CerFile
+Export-PfxCertificate -Cert $store -FilePath $PfxFile -Password $securePass
+
+Write-Host "aspnet_dpapi thumbprint: " $cert.Thumbprint
+

cert_upload_azure_pfx.ps1

@@ -0,0 +1,66 @@
+[CmdletBinding()]
+param(
+    [Parameter(Mandatory=$true)][string]$password = "",
+    [Parameter(Mandatory=$true)][string]$pfxFilename = "",
+    [Parameter(Mandatory=$true)][string]$keyVaultName = "",
+    [Parameter(Mandatory=$true)][string]$secretName = ""
+)
+
+$cwd = Convert-Path .
+$pfxFile = "$cwd\$pfxFilename.pfx"
+
+# abort when file not found
+if(!(Test-Path($pfxFile)))
+{
+    Write-Warning "Failed, $pfxFilename.pfx not found $cwd"
+    Exit
+}
+
+# force Azure login, if needed
+function CheckLogin
+{
+    $needLogin = $true
+    Try 
+    {
+        $content = Get-AzureRmContext
+        if ($content) 
+        {
+            $needLogin = ([string]::IsNullOrEmpty($content.Account))
+        } 
+    } 
+    Catch 
+    {
+        if ($_ -like "*Login-AzureRmAccount to login*") 
+        {
+            $needLogin = $true
+        } 
+        else 
+        {
+            throw
+        }
+    }
+
+    if ($needLogin)
+    {
+        Login-AzureRmAccount
+    }
+}
+
+CheckLogin
+
+# load the PFX
+$flag = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
+$coll = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection 
+$coll.Import($pfxFile, $password, $flag)
+
+# export to byte array
+$type = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12
+$bytes = $coll.Export($type)
+
+# base64 encode
+$base64 = [System.Convert]::ToBase64String($bytes)
+$value = ConvertTo-SecureString -String $base64 -AsPlainText –Force
+
+# send it to Azure KeyVault
+$type = 'application/x-pkcs12'
+Set-AzureKeyVaultSecret -VaultName $keyVaultName -Name $secretName -SecretValue $value -ContentType $type