[BUG] Cannot import certificate to Keyvault with customized policy #11669
Comments
Thank you for the repo. I believe I do see a problem. Is this blocking currently? We have an upcoming preview release to include other features.

I just wanted to double check that the sample code is exactly (barring masked inputs) what you're using:

```csharp
certificateOptions.Policy = new CertificatePolicy(WellKnownIssuerNames.Self, <subject>);
certificateOptions.Policy.KeySize = 2048;
certificateOptions.Policy.KeyType = CertificateKeyType.Rsa;
certificateOptions.Policy.Exportable = false;
certificateOptions.Policy.ReuseKey = false;
```

I do see a problem where if only
It is blocking in a way that I cannot give access to externals, since they might accidentally export the private part. One naive workaround could be to secure it with a strong password and not store that password anywhere, so that nobody is able to export it.
Yes, the sample code is exactly what I am using right now.
At least, I get the same failure with that.

Do you need to create it via the SDK (e.g. need to repeat the process), or can you use the az CLI till we can get a fix into the upcoming preview?
Currently, the target environment is Azure Function and the process is triggered on demand, so I need the SDK. For an intermediate solution, I can use az cli; this is acceptable as long as I do not need to wait for the fix for too long. I see the milestone is set to June, I think this is fine for me.

We're moving this to our July milestone, which represents the work we're doing during June and releasing in early July (typically the first week). Let me know if this is too late.

Thanks for the update.
@xiaoyang-connyun Are you able to reproduce the error if you add the following
In my testing the request succeeds with this added.

No, I CANNOT reproduce the error if So, what in the end determines the policy? Is it purely based on

@xiaoyang-connyun thanks for confirming this works for you. We are working with the service team to determine what the correct behavior for these options should be. The SDK was operating under the assumption that In addition, the July release of Azure.Security.KeyVault.Certificates will include a fix (linked to this issue) which prevented the I'm going to close this Issue since you now have a workable solution, but we will loop back to link any changes to docs or samples addressing the behavior of certificate policy properties to this issue.

Thanks, I appreciate that.
Describe the bug
I am trying to import a certificate to Keyvault with a customized policy. The certificate is self-signed with the method `CertificateRequest.CreateSelfSigned`, and the key policy I need here is `exportable = false`.

Expected behavior
The certificate should be successfully imported and Keyvault should respond `201`.

Actual behavior (include Exception or Stack Trace)
The certificate was not imported successfully. Keyvault replies `400` with

To Reproduce
Note that: the `az cli` command `az keyvault certificate import --name --vault-name --file --policy` with policy
works as expected. So I suspect it is a bug, but maybe I did something wrong with the .NET sdk.
Environment:
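The sample from the thread carried through end to end, as an added example that is not the issue's or the SDK's own code: it creates the self-signed certificate with CertificateRequest.CreateSelfSigned, imports it with the same non-exportable policy, and then reads the stored policy back, which is the check that actually proves the private key cannot leave the vault. Assumed: the Azure.Security.KeyVault.Certificates and Azure.Identity packages, DefaultAzureCredential for authentication, placeholder vault URL and certificate name, and a PKCS#12 content type declared on the policy as this example's own choice (the page does not show the line the maintainer asked to add).

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Security.KeyVault.Certificates;

// Added example, not code from the issue. Generates a self-signed RSA certificate with
// CertificateRequest.CreateSelfSigned, imports it with a non-exportable key policy and
// reads the stored policy back to confirm what the vault actually recorded.
static class NonExportableImport
{
    public static byte[] CreateSelfSignedPfx(string subject, string pfxPassword)
    {
        using RSA rsa = RSA.Create(2048);
        var request = new CertificateRequest(subject, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using X509Certificate2 cert = request.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddYears(1));
        // The PFX only transports the key into the vault; the password is never persisted.
        return cert.Export(X509ContentType.Pfx, pfxPassword);
    }

    public static async Task<bool> ImportAndVerifyAsync(Uri vaultUri, string certName, string subject)
    {
        var client = new CertificateClient(vaultUri, new DefaultAzureCredential());
        string pfxPassword = Guid.NewGuid().ToString("N"); // one-time transport secret, memory only
        byte[] pfx = CreateSelfSignedPfx(subject, pfxPassword);

        var options = new ImportCertificateOptions(certName, pfx)
        {
            Password = pfxPassword,
            Policy = new CertificatePolicy(WellKnownIssuerNames.Self, subject)
            {
                KeyType = CertificateKeyType.Rsa,
                KeySize = 2048,
                Exportable = false, // private key must never leave the vault
                ReuseKey = false,
                // Assumption of this example: declare the content type of the bytes being uploaded.
                ContentType = CertificateContentType.Pkcs12,
            },
        };
        await client.ImportCertificateAsync(options);

        // Check the policy the service stored, not the one that was sent.
        CertificatePolicy stored = await client.GetCertificatePolicyAsync(certName);
        return stored.Exportable == false;
    }
}
```

Call `ImportAndVerifyAsync(new Uri("https://<vault-name>.vault.azure.net/"), "<cert-name>", "CN=<subject>")` from the function; a `false` result means the vault stored an exportable key and the import should be treated as a failed control.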