---
title: Inject PFX Certificate
metaTitle: Inject PFX Certificate
metaDescription: Tutorial covering how to directly inject PFX certificates into a container as a base64 encoded environment variable.
---

# Inject PFX Certificate

Certificate handling in some ecosystems, such as the .NET `X509Certificate2` class, prefers certificates in the binary PFX (PKCS #12) format. This tutorial is a step-by-step guide to injecting PFX certificates into a container using the Azure Key Vault Env Injector.

## Prerequisites

- Env Injector must be installed in the Kubernetes cluster.
- An Azure Key Vault named `akv2k8s-test`.
- Authentication and authorization configured.
- We are working in the `akv-test` namespace, which requires the label `azure-key-vault-env-injection: enabled` for Env Injection.

Start by uploading your certificate to Azure Key Vault. If you don't have one, you can create a self-signed certificate using the portal or the Azure CLI. We use the name `my-certificate`. For more information, see the Azure CLI Key Vault reference.

```shell
$ az keyvault certificate create --vault-name akv2k8s-test --name my-certificate -p "$(az keyvault certificate get-default-policy)"
```

The following AzureKeyVaultSecret specification can be used as a base to retrieve your certificate. Setting the object `type` to `secret` tells Azure Key Vault to export the certificate in PFX format with the private key included. Also notice that there is no `output` section in this AzureKeyVaultSecret, because the Env Injector will inject the certificate at runtime instead.

```yaml
# secret-cert.yaml
apiVersion: spv.no/v1 # akv2k8s API group; use the version served by your installed CRD
kind: AzureKeyVaultSecret
metadata:
  name: secret-cert
  namespace: akv-test
spec:
  vault:
    name: akv2k8s-test # name of key vault
    object:
      name: my-certificate # name of the certificate in akv
      type: secret # using type as secret exports pfx with private key
```

Apply the secret to Kubernetes:

```shell
$ kubectl apply -f secret-cert.yaml
azurekeyvaultsecret.spv.no/secret-cert created
```

We can now test that the certificate injection is working properly by creating a pod with the following environment variables. Note that even though the Env Injector is tested with numerous container configurations, the container must have a valid CA certificate bundle installed so the injector can reach Azure Key Vault over TLS. This package is called `ca-certificates` in almost all Linux distributions.

```yaml
# pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: akv-test-app
  namespace: akv-test
  labels:
    app: akv-test-app
spec:
  containers:
  - name: akv-test-app
    image: circleci/node:lts-buster # we use an image that has `ca-certificates` installed.
    env:
    - name: MESSAGE
      value: "Hello from! Here is your certificate:"
    - name: CERTIFICATE
      value: secret-cert@azurekeyvault # we refer to the secret by the Env Injector convention <name of secret>@azurekeyvault
    command: ["printenv"]
    args: ["MESSAGE", "CERTIFICATE"]
```

Create the `akv-test-app` pod in Kubernetes:

```shell
$ kubectl apply -f pod.yaml
pod/akv-test-app created
```

Fetch the logs from the `akv-test-app` pod:

```shell
$ kubectl -n akv-test logs akv-test-app
level=info msg="starting process /usr/bin/printenv [printenv MESSAGE CERTIFICATE]"
Hello from! Here is your certificate:
<base64 data snipped for readability>
```

Delete the Pod to clean up:

```shell
$ kubectl -n akv-test delete pod akv-test-app
pod "akv-test-app" deleted
```
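Once the certificate reaches the container as shown above, the application still has to turn the base64 environment variable back into a usable certificate. The following is an added example, not part of this tutorial or of akv2k8s: it loads the PFX from the `CERTIFICATE` variable defined in `pod.yaml` with `X509Certificate2` and attaches it to an `HttpClient` for mutual TLS. It assumes a .NET 6 or later runtime and relies on Key Vault exporting the PFX without a password.

```csharp
// Added example (not from the akv2k8s docs): consume the PFX that the Env Injector
// placed in the CERTIFICATE variable. Assumes .NET 6+ and the env var name from pod.yaml.
using System;
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;

static class InjectedCertificate
{
    // Decode the base64 PFX from the environment. Key Vault exports the PFX with an
    // empty password, so none is passed. EphemeralKeySet keeps the private key in
    // memory rather than persisting it to a key store on the container filesystem.
    public static X509Certificate2 Load(string envVar = "CERTIFICATE")
    {
        string? b64 = Environment.GetEnvironmentVariable(envVar);
        if (string.IsNullOrWhiteSpace(b64))
            throw new InvalidOperationException($"{envVar} is not set; was the pod injected?");

        byte[] pfx = Convert.FromBase64String(b64.Trim());
        var cert = new X509Certificate2(pfx, (string?)null, X509KeyStorageFlags.EphemeralKeySet);

        // Fail fast on the two most common misconfigurations: a public-only export
        // (object type not 'secret') and an expired certificate.
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("PFX has no private key; is the object type 'secret'?");
        if (DateTime.UtcNow > cert.NotAfter.ToUniversalTime())
            throw new InvalidOperationException($"certificate expired {cert.NotAfter:u}");

        // The variable holds the private key: remove it from this process's environment
        // so child processes and diagnostic dumps do not inherit it.
        Environment.SetEnvironmentVariable(envVar, null);
        return cert;
    }

    // Present the certificate as a TLS client certificate.
    public static HttpClient CreateMtlsClient(X509Certificate2 cert)
    {
        var handler = new HttpClientHandler();
        handler.ClientCertificates.Add(cert);
        return new HttpClient(handler);
    }

    public static void Main()
    {
        using X509Certificate2 cert = Load();
        // Log identifying metadata only, never the variable's contents.
        Console.WriteLine($"Loaded {cert.Subject} (thumbprint {cert.Thumbprint}), valid until {cert.NotAfter:u}");
        using HttpClient client = CreateMtlsClient(cert);
    }
}
```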