Description of the problem
This is because Key Vault's certificate upload feature only supports thepfxformat certificates, and intermediate certificates, the root certificate can not be converted to pfx format, only public key certificate format cet or crt, can be directly viewed through the text tool base64 encoded content.
If a certificate chain file can be seen in the intermediate certificate, the root certificate:
After uploading the certificate PFX containing the completed certificate chain to Key Vault certificates, certificates will only show the fingerprint of the server certificate, making it impossible to modify it directly in the Cloud Service (Extended Support) configuration file.
Therefore, if the intermediate certificate and root certificate need to be installed in Cloud Service (Extended Support), you have to place the intermediate certificate and root certificate in Key Vault Secrets first, and then call the Cloud Service API to update the certificate and configure the Secrets Identifier URL to complete the certificate configuration.
procedure
Step 1: Prepare the cer files for the intermediate and root certificates
(* If you already have a cer/crt file for the intermediate certificate, you can skip the first step if you use Notepad to view the Base64 encoded contents of the certificate)
View PFX certificate and certificate chain information:
mmc /CERTMGR:FILENAME="C:\Users\... \Downloads\"
Check Intermediate Certificate -> Details -> Copy to File
In the wizard window that opens, click Next, select "Base-64 encoded X.509 (.CER)" -- "Set save path -- "Export successful!
Open it in Notepad and view the Base64 encoded contents of the certificate
(Repeat the above to save the root certificate as a CER file as well)
(Step 2: After formatting the certificate content in JSON, set it to the Key Vault Secret via the az cli command.
(This step cannot be completed through the portal)
Fill the Base64 encoded content of the certificate into the JSON formatted data
{ "data": "Your base64 certificate", "dataType": "PFX", "password": "" }
Then save the JSON content as a file and add it to the Key Vault using az keyvault secret set --file "" --encoding base64
Note: It is possible to use the certificate fingerprint as a confidential name to facilitate better association to the certificate information
## Setting Key Vault confidentiality
##intermediate az keyvault secret set --vault-name <key value name> --name <thumbprint> --file ".\SSL\" --encoding base64 ##root az keyvault secret set --vault-name <key value name> --name <thumbprint> --file ".\SSL\" --encoding base64
When execution is complete, the id value (Secret Identifier URL) is retrieved from the returned result.
Once you have completed the above, copy out the fingerprint value and Secret ID URL, and you can update the certificate via the Cloud Service (Extended Support) API.
Step 3: Get the information of Cloud Service, call the interface as GET API
Refer to the documentation:/en-us/rest/api/compute/cloud-services/get?view=rest-compute-2024-07-01&tabs=HTTP
Note that in China you need to change Host Endpoint to:
GET https:// /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers//cloudServices/{cloudServiceName}?api-version=2022-04-04
You need to carry the Authorization Token, otherwise you will get the following error:
{ "error": { "code": "AuthenticationFailed", "message": "Authentication failed. The 'Authorization' header is missing." } }The way to get the Token can be done by accessing the Cloud Service (Extended Support) portal through a browser and then viewing the web request through the developer tools (F12) to get the Authorization content from the request header of the access to the Cloud Service. Or get the token through az cli
az cloud set --name AzureChinaCloud az login az account get-access-token --scope "/.default" --query accessToken
Adjust the JSON content when the Cloud Service information has been successfully obtained:
Delete everything in Properties except configuration and osProfile.
The JSON format after finishing is as follows:
{ "name": "cloud service extended support name", "id": "cloud service (extended) support resource id", "type": "/cloudServices", "location": "chinanorth3", "properties": { "configuration": "{ServiceConfiguration}", "osProfile": { "secrets": [ { "sourceVault": { "id": "key vault resource id" }, "vaultCertificates": [ { "certificateUrl": "key vault Secret Identifier" }, { "certificateUrl": "key vault Secret Identifier" }, { "certificateUrl": "key vault Secret Identifier" } ] } ] } } }
There are two changes that need to be made:
1) configuration content Certificates fingerprint, with the fingerprint value in the second step to replace the contents of the file to be modified
2) At the same time, replace the old certificateUrl value with the confidential identification URL from step 2
Once you have prepared the above, you can proceed to the third step and send a PUT request to update the new certificate to the Cloud Service (Extended Support).
Step 4: Update the information of Cloud Service and call the interface as PUT API
Refer to the documentation:/en-us/rest/api/compute/cloud-services/create-or-update?view=rest-compute-2024-07-01&tabs=HTTP
PUT https:// /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers//cloudServices/{cloudServiceName}?api-version=2022-04-04
Use the same URL as in step 3, change the request type to PUT, and put the JSON modified in step 3 into Request Body. click Send to see the status of the request.
* If you encounter a certificate format error, you need to check whether the content saved in the Key Vault Secret is in the correct JSON format.
Incorrectly formatted error message:
{ "error": { "code": "CertificateImproperlyFormatted", "message": "The data retrieved from /secrets/XXXXX/7eXXXX is not deserializable into JSON." } }
【END】