This blog post shows how to export an App Service Certificate from the Azure Portal and set a password on it, either in Windows or by exporting it with a password using PowerShell.
When we create an App Service Certificate (Add and manage TLS/SSL certificates - Azure App Service | Microsoft Learn) in the Azure Portal, sometimes we do not use it in the App Service but on an Azure VM or an on-prem VM instead. We may also use it in other Azure resources (such as uploading the certificate to Azure Application Gateway).
However, after you export the App Service Certificate from the Azure Portal and try to upload it to Azure Application Gateway or use it on an Azure VM or on-prem VM, you will sometimes find that a "password" is required, but you don't know what the password for the certificate is. This is because an App Service Certificate is exported without a password by default, so we need to set one ourselves.
In this article, we will show you how to export the App Service Certificate and set a password for the certificate in Windows:
Export the App Service Certificate in Azure Portal and set up the password in Windows
- Go to your App Service Certificate and click "Export Certificate" -> "Open Key Vault Secret"
- Click the current version of certificate
- Click "Download as a certificate"
- Right click on the downloaded .pfx certificate and click "Install PFX"
- Select "Current User"
- Make sure that the correct .pfx file is selected
- Keep the password empty and check the "Mark this key as exportable. This will allow you to back up or transport your keys at a later time" checkbox
- Select "Place all certificates in the following store" and choose "Personal" for the Certificate store
- Click "Finish"
- Open Certificate Manager by searching "certmgr.msc" in Windows
- Select "Certificates - Current User" -> "Personal" -> "Certificates". Then right click on the target certificate and select "All Tasks" -> "Export…"
- Choose "Yes, export the private key"
- Choose "Personal Information Exchange - PKCS #12 (.PFX)" and make sure to check "Include all certificates in the certification path if possible" and "Enable certificate privacy"
- Select "Password" and enter the password
- Give a filename to save this certificate
- Click "Finish"
Export the App Service Certificate with a password by using PowerShell
You can also export it with PowerShell by using the following script:
# The cmdlet names below come from the AzureRM PowerShell module.
# Connect to Azure and select the subscription
Login-AzureRmAccount
Select-AzureRMSubscription -SubscriptionName "<name of subscription containing keyvault>"

# Obtain the secret from Key Vault (the PFX is stored as a base64 string)
$vaultName = '<name of Keyvault>'
$secretName = '<name of secret containing certificate>'
$certString = Get-AzureKeyVaultSecret -VaultName $vaultName -Name $secretName

# Decode the secret and import it with no password, keeping the private key exportable
$kvSecretBytes = [System.Convert]::FromBase64String($certString.SecretValueText)
$certCollection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$certCollection.Import($kvSecretBytes,$null,[System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)

# Re-export as a password-protected PKCS #12 (.pfx) and write it to disk
$password = '<required password for PFX>'
$protectedCertificateBytes = $certCollection.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $password)
$pfxPath = "C:\temp\$secretName.pfx"
[System.IO.File]::WriteAllBytes($pfxPath, $protectedCertificateBytes)
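
To confirm that the exported file is really password-protected and still contains the private key before uploading it (for example to Azure Application Gateway), a check like the following can be run against the .pfx. This is an added example, not part of the original script; the function name Test-PfxPasswordProtection and the file path are assumptions.

```powershell
# Added example: check that an exported PFX rejects an empty password and
# opens with the intended one. Function name and path are hypothetical.
function Test-PfxPasswordProtection {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [securestring] $Password
    )
    $certType = [System.Security.Cryptography.X509Certificates.X509Certificate2]
    $fullPath = (Resolve-Path -LiteralPath $Path).ProviderPath
    $result = [ordered]@{
        Path                   = $fullPath
        OpensWithEmptyPassword = $false
        OpensWithPassword      = $false
        HasPrivateKey          = $false
        Thumbprint             = $null
        NotAfter               = $null
    }

    # 1. The default Key Vault download opens with an empty password;
    #    a protected export must throw here instead.
    try {
        $cert = $certType::new($fullPath, '')
        $result.OpensWithEmptyPassword = $true
        $cert.Dispose()
    } catch {
        # Expected for a password-protected PFX.
    }

    # 2. The file must open with the chosen password and carry the private key.
    try {
        $cert = $certType::new($fullPath, $Password)
        $result.OpensWithPassword = $true
        $result.HasPrivateKey     = $cert.HasPrivateKey
        $result.Thumbprint        = $cert.Thumbprint
        $result.NotAfter          = $cert.NotAfter
        $cert.Dispose()
    } catch {
        Write-Warning "Could not open '$fullPath' with the supplied password."
    }
    [pscustomobject]$result
}

# Prompt for the password so it is not stored in the script or command history.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$check = Test-PfxPasswordProtection -Path 'C:\temp\<name of secret containing certificate>.pfx' -Password $pfxPassword
$check | Format-List
if ($check.OpensWithEmptyPassword -or -not $check.HasPrivateKey) {
    Write-Warning 'PFX is not password-protected or is missing its private key.'
}
```
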
Congratulations, after these steps you will have a certificate with a password! Lastly, we would like to add a kind reminder below:
Hope this article is helpful for you, thank you for reading 🙂