
Export Azure SSL certificate as pfx file


You can create a local PFX copy of an Azure App Service Certificate using PowerShell.

Provide appropriate values for the following variables and save the script as copyasc.ps1.

Variables:

$appServiceCertificateName = "ascdemo"
$resourceGroupName = "ascdemorg"
$azureLoginEmailId = "user@microsoft.com"
$subscriptionId = "fb2c25dc-6bab-45c4-8cc9-cece7c42a95a"

copyasc.ps1:

$appServiceCertificateName = ""
$resourceGroupName = ""
$azureLoginEmailId = ""
$subscriptionId = ""

Login-AzureRmAccount
Set-AzureRmContext -SubscriptionId $subscriptionId

# Look up the certificate order; its first certificate entry points at the Key Vault secret holding the PFX
$ascResource = Get-AzureRmResource -ResourceName $appServiceCertificateName -ResourceGroupName $resourceGroupName -ResourceType "Microsoft.CertificateRegistration/certificateOrders" -ApiVersion "2015-08-01"
$keyVaultId = ""
$keyVaultSecretName = ""
$certificateProperties = Get-Member -InputObject $ascResource.Properties.certificates[0] -MemberType NoteProperty
$certificateName = $certificateProperties[0].Name
$keyVaultId = $ascResource.Properties.certificates[0].$certificateName.KeyVaultId
$keyVaultSecretName = $ascResource.Properties.certificates[0].$certificateName.KeyVaultSecretName

# Derive vault name and resource group from the vault resource id
$keyVaultIdParts = $keyVaultId.Split("/")
$keyVaultName = $keyVaultIdParts[$keyVaultIdParts.Length - 1]
$keyVaultResourceGroupName = $keyVaultIdParts[$keyVaultIdParts.Length - 5]

# Grant the signed-in user 'get' on secrets, then read the base64-encoded PFX
Set-AzureRmKeyVaultAccessPolicy -ResourceGroupName $keyVaultResourceGroupName -VaultName $keyVaultName -UserPrincipalName $azureLoginEmailId -PermissionsToSecrets get
$secret = Get-AzureKeyVaultSecret -VaultName $keyVaultName -Name $keyVaultSecretName

# Load the PFX (no password in the vault copy) with an exportable key and re-export it under a random password
$pfxCertObject = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @([Convert]::FromBase64String($secret.SecretValueText), "", [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
$pfxPassword = -join ((65..90) + (97..122) + (48..57) | Get-Random -Count 50 | % {[char]$_})
$currentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
[Environment]::CurrentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
[io.file]::WriteAllBytes(".\appservicecertificate.pfx", $pfxCertObject.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $pfxPassword))
Write-Host "Created an App Service Certificate copy at: $currentDirectory\appservicecertificate.pfx"
Write-Warning "For security reasons, do not store the PFX password. Use it directly from the console as required."
Write-Host "PFX password: $pfxPassword"

Type the following commands in PowerShell console to execute the script:

PowerShell -ExecutionPolicy Bypass .\copyasc.ps1

You can find more details in the Azure App Service Team Blog post "Creating a local PFX copy of App Service Certificate".

If you have an App Service Certificate that you would like to use outside of the Azure App Service ecosystem, then give this a try and let us know how it goes. If you run into any issues, please let us know on Stack Overflow or on the Azure App Service forum.
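Two checks a practitioner would want after running the script above, as an added example that is not part of the original answers: confirm the written PFX really opens with the printed password, carries the private key and is the certificate you expected, and then revoke the Key Vault `get` permission the script granted and never removes. It assumes copyasc.ps1 was dot-sourced into the current session (`. .\copyasc.ps1`) so its variables are still defined, that the AzureRM modules are loaded, and that `<THUMBPRINT-FROM-PORTAL>` is replaced with the thumbprint shown for the certificate in the portal.

```powershell
# Added example (not from the original answers): verify the exported PFX, then revoke
# the temporary vault permission. Assumes copyasc.ps1 was dot-sourced into this session.
function Test-ExportedPfx {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [string] $PfxPassword,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint   # value from the Azure portal
    )
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
    # Opening the file with the password proves it is a complete PKCS#12 and the password
    # is the right one; a wrong password or a truncated file throws here.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @(
        (Resolve-Path $PfxPath).Path, $PfxPassword, $flags)
    try {
        $wanted = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()
        $notExpired = $cert.NotAfter -gt (Get-Date)
        [pscustomobject]@{
            Subject         = $cert.Subject
            HasPrivateKey   = $cert.HasPrivateKey              # the whole point of the export
            ThumbprintMatch = ($cert.Thumbprint -eq $wanted)   # it is the certificate you expected
            DaysUntilExpiry = [int](($cert.NotAfter - (Get-Date)).TotalDays)
            Ok              = $cert.HasPrivateKey -and ($cert.Thumbprint -eq $wanted) -and $notExpired
        }
    } finally {
        $cert.Dispose()   # releases the temporary key container created by the load
    }
}

# copyasc.ps1 grants your account 'get' on the vault's secrets; take it back once the
# PFX is on disk so the standing permission does not outlive the one-off export.
function Remove-TemporaryVaultAccess {
    param(
        [Parameter(Mandatory)] [string] $KeyVaultName,
        [Parameter(Mandatory)] [string] $KeyVaultResourceGroupName,
        [Parameter(Mandatory)] [string] $UserPrincipalName
    )
    Remove-AzureRmKeyVaultAccessPolicy -VaultName $KeyVaultName `
        -ResourceGroupName $KeyVaultResourceGroupName -UserPrincipalName $UserPrincipalName
}

# Usage with the variables copyasc.ps1 left in the session:
$result = Test-ExportedPfx -PfxPath .\appservicecertificate.pfx -PfxPassword $pfxPassword `
    -ExpectedThumbprint '<THUMBPRINT-FROM-PORTAL>'
$result | Format-List
if (-not $result.Ok) { throw "Exported PFX failed verification; do not deploy it." }
Remove-TemporaryVaultAccess -KeyVaultName $keyVaultName `
    -KeyVaultResourceGroupName $keyVaultResourceGroupName -UserPrincipalName $azureLoginEmailId
```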


I've found @dmitry-kazakov's answer to be helpful, but had to perform some minor updates to get it to work for me.

First, I had to execute this command and assign its output to $azureUserPrincipalName:

PS Azure:\> Get-AzureADUser

ObjectId                             DisplayName UserPrincipalName                                             UserType
--------                             ----------- -----------------                                             --------
89500455-0019-4059-8ef8-f1w32993z520 A User      rmoore_roundlabinc.com#EXT#@rmooreroundlabinc.onmicrosoft.com Member

Then here is the updated script:

$appServiceCertificateName = "ascdemo" # This is the "Subject Name" in Azure, not "Name"
$resourceGroupName = "ascdemorg"
$azureLoginEmailId = "user@microsoft.com"
$subscriptionId = "fb2c25dc-6bab-45c4-8cc9-cece7c42a95a"
$azureUserPrincipalName = "user@microsoft.com#EXT#@user@microsoft.com.onmicrosoft.com"

Login-AzureRmAccount
Set-AzureRmContext -SubscriptionId $subscriptionId

$ascResource = Get-AzureRmResource -ResourceName $appServiceCertificateName -ResourceGroupName $resourceGroupName -ResourceType "Microsoft.CertificateRegistration/certificateOrders" -ApiVersion "2019-05-01"
$keyVaultId = ""
$keyVaultSecretName = ""
$certificateProperties = Get-Member -InputObject $ascResource.Properties.certificates[0] -MemberType NoteProperty
$certificateName = $certificateProperties[0].Name
$keyVaultId = $ascResource.Properties.certificates[0].$certificateName.KeyVaultId
$keyVaultSecretName = $ascResource.Properties.certificates[0].$certificateName.KeyVaultSecretName
$keyVaultIdParts = $keyVaultId.Split("/")
$keyVaultName = $keyVaultIdParts[$keyVaultIdParts.Length - 1]
$keyVaultResourceGroupName = $keyVaultIdParts[$keyVaultIdParts.Length - 5]

# The access policy is granted to the user principal name returned by Get-AzureADUser, not the login email
Set-AzureRmKeyVaultAccessPolicy -ResourceGroupName $keyVaultResourceGroupName -VaultName $keyVaultName -UserPrincipalName $azureUserPrincipalName -PermissionsToSecrets get
$secret = Get-AzureKeyVaultSecret -VaultName $keyVaultName -Name $keyVaultSecretName

$pfxCertObject = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @([Convert]::FromBase64String($secret.SecretValueText), "", [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
$pfxPassword = -join ((65..90) + (97..122) + (48..57) | Get-Random -Count 50 | % {[char]$_})
$currentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
[Environment]::CurrentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
[io.file]::WriteAllBytes(".\appservicecertificate.pfx", $pfxCertObject.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $pfxPassword))
Write-Host "Created an App Service Certificate copy at: $currentDirectory\appservicecertificate.pfx"
Write-Warning "For security reasons, do not store the PFX password. Use it directly from the console as required."
Write-Host "PFX password: $pfxPassword"

Run it with:

PowerShell -ExecutionPolicy Bypass .\copyasc.ps1


Some docs are outdated, so here is a version of how to export it with PowerShell and the Azure CLI on Mac, and convert it to PEM format for Nginx. I'm sharing it just because it was painful for me, so hopefully it will be useful to someone:

pwsh

# Read the base64-encoded PFX out of the Key Vault secret and stash it in a temp file
az keyvault secret show --vault-name KeyVaultName --name SecretName | tail -n 1 | cut -d ' ' -f 3 | pbcopy
echo $(pbpaste) > /tmp/pass
$secret = $(cat /tmp/pass)

# Load it with an exportable key and write it back out as a password-protected PFX
$pfxCertObject = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @([Convert]::FromBase64String($secret), "", [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
$pfxPassword = -join ((65..90) + (97..122) + (48..57) | Get-Random -Count 50 | % {[char]$_})
$currentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
[Environment]::CurrentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
[io.file]::WriteAllBytes("./appservicecertificate.pfx", $pfxCertObject.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $pfxPassword))

# Split the PFX into a PEM certificate and an unencrypted PEM key for Nginx
openssl pkcs12 -in appservicecertificate.pfx -out /tmp/certificate.pem -clcerts -nokeys -password pass:$(echo $pfxPassword)
openssl pkcs12 -in appservicecertificate.pfx -out /tmp/certificate.key_protected -nocerts -password pass:$(echo $pfxPassword)
openssl rsa -in /tmp/certificate.key_protected -out /tmp/certificate.key -passin pass:$(echo $pfxPassword)

The last three lines are taken from here, and the middle part is a stripped-down version of the main guide.