[BUG] Cannot import certificate to Keyvault with customized policy

[xiaoyang-connyun]

Describe the bug
I am trying to import a certificate to Keyvault with a customized policy.
The certificate is self-signed with method CertificateRequest.CreateSelfSigned, and the key policy I need here is exportable = false.

Expected behavior
The certificate should be successfully imported and Keyvault should response 201.

Actual behavior (include Exception or Stack Trace)
The certificate was not imported successfully. Keyvault replies 400 with

{"error":{"code":"BadParameter","message":"Property policy has invalid value\r\n"}}

To Reproduce

// Prepare a certificate request.
            using var certificateKey = RSA.Create(2048);
            var certificateRequest = new CertificateRequest(<subject>, certificateKey, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            // https://openvpn.net/community-resources/how-to/#setting-up-your-own-certificate-authority-ca-and-generating-certificates-and-keys-for-an-openvpn-server-and-multiple-clients
            certificateRequest.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, true, 0, true));
            certificateRequest.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, true));

            // Sign the certificate.
            using var certificate = certificateRequest.CreateSelfSigned(
                DateTimeOffset.UtcNow,
                DateTimeOffset.UtcNow.AddYears(1)
            );

            // Export the certificate.
            var pfx = certificate.Export(X509ContentType.Pfx);
            using (Stream file = File.OpenWrite(@"<path>"))
            {
                file.Write(pfx, 0, pfx.Length);
            }

            // Upload the certificate.
            var certificateOptions = new ImportCertificateOptions(<cert-name>, certificate.Export(X509ContentType.Pkcs12));
            certificateOptions.Policy = new CertificatePolicy(WellKnownIssuerNames.Self, <subject>);
            certificateOptions.Policy.KeySize = 2048;
            certificateOptions.Policy.KeyType = CertificateKeyType.Rsa;
            certificateOptions.Policy.Exportable = false;
            certificateOptions.Policy.ReuseKey = false;
            var certificateWithPolicy = _certificateClient.ImportCertificate(certificateOptions).Value;

Note that:

1. Some values are masked with "<>" just to protect data that might be confidential.
2. I export the same certificate as a file and import it using az cli command az keyvault certificate import --name --vault-name --file --policy with policy

{
    "issuerParameters": {
        "certificateTransparency": null,
        "certificateType": null,
        "name": "Self"
    },
    "keyProperties": {
        "curve": null,
        "exportable": false,
        "keySize": 2048,
        "keyType": "RSA",
        "reuseKey": false
    }
}

and it works as expected. So I suspect it is a bug, but maybe I did something wrong with .NET sdk.

Environment:

• Azure.Security.KeyVault.Certificates 4.0.2
• dotnet 3.1.102
• az cli 2.1.0

[heaths]

Thank you for the repo. I believe I do see a problem. Is this blocking currently? We have an upcoming preview release to include other features.

[heaths]

I just wanted to double check that the sample code is exactly (barring masked inputs) what you're using:

certificateOptions.Policy = new CertificatePolicy(WellKnownIssuerNames.Self, <subject>);
certificateOptions.Policy.KeySize = 2048;
certificateOptions.Policy.KeyType = CertificateKeyType.Rsa;
certificateOptions.Policy.Exportable = false;
certificateOptions.Policy.ReuseKey = false;

I do see a problem where if only Exportable is set we don't serialize it, but if any other property is set we should, and as "exportable" (same as the CLI). I will repro this later and dig in further, but after a cursory glance I noticed this issue and wanted to double check.

[xiaoyang-connyun]

Thank you for the repo. I believe I do see a problem. Is this blocking currently? We have an upcoming preview release to include other features.

It is blocking in a way that I cannot give the access to externals since they might accidentally export the private part. One naive workaround could be to secure it with a strong password and does not store such password anywhere so that nobody is able to export it.

[xiaoyang-connyun]

I just wanted to double check that the sample code is exactly (barring masked inputs) what you're using:

certificateOptions.Policy = new CertificatePolicy(WellKnownIssuerNames.Self, <subject>);
certificateOptions.Policy.KeySize = 2048;
certificateOptions.Policy.KeyType = CertificateKeyType.Rsa;
certificateOptions.Policy.Exportable = false;
certificateOptions.Policy.ReuseKey = false;

I do see a problem where if only Exportable is set we don't serialize it, but if any other property is set we should, and as "exportable" (same as the CLI). I will repro this later and dig in further, but after a cursory glance I noticed this issue and wanted to double check.

Yes, the sample code is exactly what I am using right now.
You could also try to run the code only with

certificateOptions.Policy = new CertificatePolicy(WellKnownIssuerNames.Self, <subject>);

At least, I get the same failure with that.
So I am really curious about your result.

[heaths]

It is blocking in a way that I cannot give the access to externals since they might accidentally export the private part. One naive workaround could be to secure it with a strong password and does not store such password anywhere so that nobody is able to export it.

Do you need to create it via the SDK (e.g. need to repeat the process), or can you use the az CLI till we can get a fix into the upcoming preview?

[xiaoyang-connyun]

Do you need to create it via the SDK (e.g. need to repeat the process), or can you use the az CLI till we can get a fix into the upcoming preview?

Currently, the target environment is Azure Function and the process is triggered on demand, so I need the SDK. For an intermediate solution, I can use az cli, this is acceptable as far as I do not need to wait the fix for too long. I see the milestone is set to June, I think this is fine to me.

[heaths]

We're moving this to our July milestone, which represents the work we're doing during June and releasing in early July (typically the first week). Let me know if this is too late.

[xiaoyang-connyun]

We're moving this to our July milestone, which represents the work we're doing during June and releasing in early July (typically the first week). Let me know if this is too late.

Thanks for the update.
Early July is acceptable to me.

[christothes]

@xiaoyang-connyun Are you able to reproduce the error if you add the following CertificatePolicy option?

certificateOptions.Policy.ContentType = CertificateContentType.Pkcs12;

In my testing the request succeeds with this added.

[xiaoyang-connyun]

@xiaoyang-connyun Are you able to reproduce the error if you add the following CertificatePolicy option?

certificateOptions.Policy.ContentType = CertificateContentType.Pkcs12;

In my testing the request succeeds with this added.

No, I CANNOT reproduce the error if ContentType is defined, namely, the request succeeds.

So, what in the end determines the policy? Is it purely based on Policy, or some parts will be derived by the content of X509Certificate2? Also, if a value is missing, does it always have a default or not?

[christothes]

@xiaoyang-connyun thanks for confirming this works for you.

We are working with the service team to determine what the correct behavior for these options should be. The SDK was operating under the assumption that ContentType could be inferred based on the certificate content. However, the policy seems to expect a ContentType to always be set as it will not be inferred from the certificate content.

In addition, the July release of Azure.Security.KeyVault.Certificates will include a fix (linked to this issue) which prevented the ReuseKey and Exportable policy options from being serialized into the ImportCertificate request if specified in isolation.

I'm going to close this Issue since you now have a workable solution but we will loop back to link any changes to docs or samples addressing the behavior of certificate policy properties to this issue.

[xiaoyang-connyun]

@xiaoyang-connyun thanks for confirming this works for you.

We are working with the service team to determine what the correct behavior for these options should be. The SDK was operating under the assumption that ContentType could be inferred based on the certificate content. However, the policy seems to expect a ContentType to always be set as it will not be inferred from the certificate content.

In addition, the July release of Azure.Security.KeyVault.Certificates will include a fix (linked to this issue) which prevented the ReuseKey and Exportable policy options from being serialized into the ImportCertificate request if specified in isolation.

I'm going to close this Issue since you now have a workable solution but we will loop back to link any changes to docs or samples addressing the behavior of certificate policy properties to this issue.

Thanks, I appreciate that.