Azure – Key Vault Certificate

前言

之前有介绍过读写 Certificate Store, 但在 production server 经常会遇到权限的问题.

为了一劳永逸, 可以考虑把 Certificate 放到 Azure Key Vault 里, 然后通过 API 去拿. 

这样做的另一个好处是对 Server 依赖更少.

 

主要参考:

How can I create an X509Certificate2 object from an Azure Key Vault KeyBundle

Azure Key Vault Certificate client library for .NET

 

Azure Setup

去 Key Vault 页面点击 import

选择 import 添加名字密码就可以了.

Azure CLI

az keyvault certificate import --vault-name "MyProject-KV" --name "oidc-encryption" --file "C:\oidc-encryption.pfx" --password "mypassword"

 

ASP.NET Core Setup

install nuget 

dotnet add package Azure.Identity
dotnet add package Azure.Security.KeyVault.Certificates
dotnet add package Azure.Security.KeyVault.Secrets

get certificate from Azure

var certificateClient = new CertificateClient(new Uri("https://kv-name.vault.azure.net/"), new DefaultAzureCredential());
var secretClient = new SecretClient(new Uri("https://kv-name.vault.azure.net/"), new DefaultAzureCredential());
var certResponse = await certificateClient.GetCertificateAsync("Certificate Name");
var identifier = new KeyVaultSecretIdentifier(certResponse.Value.SecretId);
var secretResponse = await secretClient.GetSecretAsync(identifier.Name, identifier.Version);
var secret = secretResponse.Value;
var privateKeyBytes = Convert.FromBase64String(secret.Value);
var certificate = new X509Certificate2(rawData: privateKeyBytes, password: (string?)null, keyStorageFlags: X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.EphemeralKeySet);

list all certificate

AsyncPageable<CertificateProperties> allCertificates = client.GetPropertiesOfCertificatesAsync();
await foreach (CertificateProperties certificateProperties in allCertificates)
{
    Console.WriteLine(certificateProperties.Name);
}

注意它返回的是一个叫 AsyncPageable 的冬冬. 它不是很好操作.

要好的调用体验可以参考: Use System.Linq.Async with AsyncPageable

import certificate to Azure 

TODO...

 

posted @ 2021-12-18 17:15  兴杰  阅读(124)  评论(0编辑  收藏  举报