
Instructions for storing the Root cert in Azure KeyVault #24346

Closed
tomasaschan opened this issue Feb 6, 2019 — with docs.microsoft.com · 9 comments

Comments


It seems that we must put the root.crt in the correct place on our app servers (~/.postgresql/root.crt on linux, %APPDATA%\postgresql\root.crt on windows, according to this article), and we'd like to automate this as part of the deployment or provisioning pipeline. In order to do so, we want to store the certificate in KeyVault, but I'm unable to figure out how to import the cert there as the KeyVault requires a .pfx-format certificate for import, and we only get a .der/.pem-formatted cert using the instructions in this article.

Could you please add some instructions on how to use KeyVault to store this certificate, and how one might automate installing it on Azure Web Apps?


@angoyal-msft
Contributor

@tomasaschan
Thanks for your feedback. I have assigned this issue to the content author to help you better.
@JasonMAnderson could you please help us with this issue?

@mimig1
Contributor

mimig1 commented Feb 21, 2019

@angoyal-msft - Can you reassign this issue to @rachel-msft? She owns this article now.

@angoyal-msft
Contributor

@mimig1 Thanks for pointing that out. I have assigned this issue to @rachel-msft.
@rachel-msft Could you please help us with this issue?

@rachel-msft
Contributor

Hi @tomasaschan. I haven't gotten a chance to test this out, but according to this Key Vault doc https://docs.microsoft.com/en-us/azure/key-vault/certificate-scenarios PEM files are allowed.


And you could possibly use a different decoder to get a pfx file.

#please-close

@tomasaschan
Author

I don't think that's applicable here; note that this certificate is not something I have any power over, and I can't affect it much. And the docs page you linked to also specifies

Import certificate – requires a PEM or PFX to be on disk and have a private key.

The root.crt for postgres (which is where I started with this) does not seem to have a private key; and if it did, I sincerely hope you wouldn't share it with me...

@tomasaschan
Author

#please-reopen

@rachel-msft @MicahMcKittrick-MSFT

@mimckitt mimckitt reopened this Apr 25, 2019
@mimig1
Contributor

mimig1 commented May 30, 2019

@rachel-msft - Can you provide an update?

@rachel-msft
Contributor

I apologize for not being able to answer this request earlier.

First of all, I have corrected the article to reflect that the certificate can be stored in any file location you choose. That file location can be referenced in the SSL certificate parameter of whichever language/client you are using. In the docs I have shown an example of doing this with psql.

As you pointed out, Azure Key Vault's certificate store is intended for importing certificates for which you are also the holder of the private key.

The Key Vault object type that works for this scenario is a Secret. You can set/download a file as a secret.

I show an example of how to do this below. I am using a Linux VM, Azure CLI for Key Vault, and psql as my Postgres client.

```bash
# Setup

# Download the certificate to a local file
wget "https://www.digicert.com/CACerts/BaltimoreCyberTrustRoot.crt.pem"
# Store the cert in Key Vault as a secret
az keyvault secret set --vault-name myvault --name postgrescert --file BaltimoreCyberTrustRoot.crt.pem

# To use the cert

# --file is a new file name .crt
# --id is the id returned by the `az keyvault secret set` command
az keyvault secret download --file thecert.crt --id https://myvault.vault.azure.net/secrets/postgrescert/109c00ca5ae0f7

# Connect to postgres
psql "sslmode=verify-full sslrootcert=thecert.crt host=mydemoserver.postgres.database.azure.com dbname=postgres user=myusern@mydemoserver"
```
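An added example (not part of the thread, and not Microsoft's code) for the automation the original question asks about: it checks a PEM blob retrieved from Key Vault, tells a cert-only CA file (belongs in a Secret, as above) apart from one bundled with a private key (what Key Vault certificate import expects), and writes the CA file to the path libpq reads by default. Stdlib only; the function names and the sample PEM bodies in the test are my own constructions.

```python
import base64
import os
import re
import sys
from pathlib import Path

# One PEM block: label, base64 body, and the matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

def pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block; reject non-DER bodies."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        # Every X.509 certificate and PKCS#8 key starts with a DER SEQUENCE (0x30).
        if not der or der[0] != 0x30:
            raise ValueError(f"{label} block is not DER-encoded")
        blocks.append((label, der))
    return blocks

def classify(text):
    """'secret' for a cert-only PEM, 'certificate' when a private key is bundled."""
    labels = {label for label, _ in pem_blocks(text)}
    if "CERTIFICATE" not in labels:
        raise ValueError("no CERTIFICATE block found")
    return "certificate" if any("PRIVATE KEY" in l for l in labels) else "secret"

def libpq_root_cert_path(platform=None, env=None):
    """Default sslrootcert location: ~/.postgresql/root.crt or %APPDATA%\\postgresql\\root.crt."""
    platform = platform or sys.platform
    env = os.environ if env is None else env
    if platform.startswith("win"):
        return Path(env["APPDATA"]) / "postgresql" / "root.crt"
    return Path(env["HOME"]) / ".postgresql" / "root.crt"

def install_root_cert(text, dest=None):
    """Write a CA-only PEM to dest with mode 0600; refuse anything carrying a private key."""
    if classify(text) != "secret":
        raise ValueError("refusing to write a private key into root.crt")
    dest = dest or libpq_root_cert_path()
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_text(text)
    os.chmod(dest, 0o600)
    return dest
```

In a pipeline, feed `install_root_cert` the contents of the file produced by `az keyvault secret download`; with no explicit `dest` the file lands where psql finds it without a `sslrootcert` argument.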

@rachel-msft
Contributor

rachel-msft commented Jul 2, 2019

Please let me know if you have any questions.

#please-close
