Tags: azure, certificate, azure-resource-manager

When using Azure.ResourceManager .net library, how to import a certificate from KeyVault to an AppService?


I already asked this question here: https://github.com/Azure/azure-sdk-for-net/issues/46369, but since I haven't gotten any response there yet I hope someone on SO will have a clue.

Library name and version: Azure.ResourceManager 1.12.0

Query/Question: I cannot find a working way to import a certificate from KeyVault when creating/updating an AppService (WebSite).

I'm NOT using the certificate for TLS/SSL host binding. The certificate is used by the application code to authenticate with a database service.

I have tried this:

using Azure;
using Azure.Identity;
using Azure.ResourceManager.AppService;
using Azure.ResourceManager.AppService.Models;
using Azure.Security.KeyVault.Certificates;

// First set up WebSiteData (a function app in my case)
var webSiteData = new WebSiteData(...);

// Read the certificate metadata (public part only) from Key Vault
var certificateClient = new CertificateClient(new Uri(_keyVaultUrl), new DefaultAzureCredential());
KeyVaultCertificateWithPolicy vaultCertificate = await certificateClient.GetCertificateAsync("cert-name");

// Attempted approach: reference the certificate thumbprint from a host-name SSL binding
webSiteData.HostNameSslStates.Add(new HostNameSslState
{
    Name = vaultCertificate.Name,
    ThumbprintString = vaultCertificate.Properties.X509ThumbprintString,
    SslState = HostNameBindingSslState.SniEnabled
});

var webSite = (await resourceGroup.GetWebSites().CreateOrUpdateAsync(
    WaitUntil.Completed,
    "site-name",
    webSiteData
)).Value;

I haven't found any example code other than code similar to the webSiteData.HostNameSslStates.Add call. If I add the certificate through the portal it works perfectly; I just need to be able to do the same using Azure.ResourceManager.

What I'm trying to do is the same as the Azure CLI command:

az webapp config ssl import --resource-group MyResourceGroup --name MyWebapp --key-vault MyKeyVault --key-vault-certificate-name MyCertificateName

This works fine. But how to perform the same using Azure.ResourceManager in .net code?


Solution

  • I finally got a working example from the Azure ResourceManager github project:

    https://github.com/Azure/azure-sdk-for-net/issues/46369#issuecomment-2469693141

    Basically, you do something like this:

    using Azure;
    using Azure.Core;
    using Azure.Identity;
    using Azure.ResourceManager.AppService;
    using Azure.Security.KeyVault.Secrets;

    // Obtain the secret value of the certificate and convert it into a byte array PFX.
    // Note: this base64 decode assumes the Key Vault certificate's content type is
    // application/x-pkcs12 (the default); a PEM-typed certificate is not handled here.
    var secretClient = new SecretClient(new Uri(keyVaultUri), new DefaultAzureCredential());
    var secret = await secretClient.GetSecretAsync("Your_Vault_Certificate_Name");
    var pfxBlob = Convert.FromBase64String(secret.Value.Value);

    // Create an AppCertificateResource in the resource group
    var appCertificateCollection = resourceGroup.GetAppCertificates();
    var appCertificateName = "certificateName";
    var appCertificateData = new AppCertificateData(AzureLocation.EastUS2)
    {
        ServerFarmId = appServicePlan.Id, // the App Service plan hosting the web app
        PfxBlob = pfxBlob,
    };
    var appCertificate = (await appCertificateCollection.CreateOrUpdateAsync(
        WaitUntil.Completed, appCertificateName, appCertificateData)).Value;


    Make sure to have the NuGet package Azure.Security.KeyVault.Secrets in the project and import it in a "using" statement.
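The snippet above decodes the secret without checking its content type and uploads the PFX without confirming it is the certificate that was asked for. The following is an added example, not code from the question, the answer or the linked GitHub issue, that wraps the same Azure.ResourceManager calls in a helper with those two checks, and adds a second variant that references the vault secret instead of copying it. Assumptions: the listed packages are referenced, `resourceGroup` is an existing `ResourceGroupResource`, the caller can read certificates and secrets in the vault and write certificates in the resource group, and `AppCertificateData.KeyVaultId` / `KeyVaultSecretName` map to the `keyVaultId` / `keyVaultSecretName` properties of the Microsoft.Web/certificates resource (the properties `az webapp config ssl import` sets).

```csharp
// Added example; not code from the question, the answer, or the linked GitHub issue.
// Assumed package references: Azure.Identity, Azure.Security.KeyVault.Certificates,
// Azure.Security.KeyVault.Secrets, Azure.ResourceManager, Azure.ResourceManager.AppService.
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager.AppService;
using Azure.ResourceManager.Resources;
using Azure.Security.KeyVault.Certificates;
using Azure.Security.KeyVault.Secrets;

public static class KeyVaultCertificateImport
{
    // Variant 1: copy the PFX out of Key Vault and upload it (what the answer does),
    // with the two checks the answer's snippet skips.
    public static async Task<AppCertificateResource> ImportPfxAsync(
        ResourceGroupResource resourceGroup,
        ResourceIdentifier appServicePlanId,
        Uri keyVaultUri,
        string vaultCertificateName,
        string appCertificateName)
    {
        var credential = new DefaultAzureCredential();
        var certificateClient = new CertificateClient(keyVaultUri, credential);
        var secretClient = new SecretClient(keyVaultUri, credential);

        // Key Vault stores the public part as a "certificate" and the PFX/PEM that
        // includes the private key as a "secret" of the same name; both are needed here.
        KeyVaultCertificateWithPolicy vaultCertificate =
            await certificateClient.GetCertificateAsync(vaultCertificateName);
        KeyVaultSecret secret = await secretClient.GetSecretAsync(vaultCertificateName);

        // Check 1: Convert.FromBase64String is only correct for PKCS#12-typed secrets.
        // A PEM-typed certificate would "decode" into garbage and fail later inside ARM.
        string expectedType = CertificateContentType.Pkcs12.ToString(); // "application/x-pkcs12"
        if (!string.Equals(secret.Properties.ContentType, expectedType, StringComparison.OrdinalIgnoreCase))
        {
            throw new InvalidOperationException(
                $"'{vaultCertificateName}' has content type '{secret.Properties.ContentType}', expected {expectedType}.");
        }

        byte[] pfxBlob = Convert.FromBase64String(secret.Value);
        try
        {
            // Check 2: the blob about to be uploaded must carry the thumbprint Key Vault
            // reports for the certificate object, so a wrong secret cannot be uploaded silently.
            using (var parsed = new X509Certificate2(pfxBlob))
            {
                if (!string.Equals(parsed.Thumbprint, vaultCertificate.Properties.X509ThumbprintString,
                                   StringComparison.OrdinalIgnoreCase))
                {
                    throw new InvalidOperationException("PFX thumbprint does not match the Key Vault certificate.");
                }
            }

            var data = new AppCertificateData(resourceGroup.Data.Location)
            {
                ServerFarmId = appServicePlanId, // scopes the certificate to the plan hosting the app
                PfxBlob = pfxBlob,               // Key Vault exports the PFX with an empty password
            };
            ArmOperation<AppCertificateResource> op = await resourceGroup
                .GetAppCertificates()
                .CreateOrUpdateAsync(WaitUntil.Completed, appCertificateName, data);
            return op.Value;
        }
        finally
        {
            Array.Clear(pfxBlob, 0, pfxBlob.Length); // the private key was only needed for the upload
        }
    }

    // Variant 2: reference the vault secret instead of copying it, which is what
    // `az webapp config ssl import` does. Assumes the KeyVaultId / KeyVaultSecretName
    // properties; App Service's own identity must be allowed to read the secret.
    public static async Task<AppCertificateResource> LinkFromKeyVaultAsync(
        ResourceGroupResource resourceGroup,
        ResourceIdentifier appServicePlanId,
        ResourceIdentifier keyVaultResourceId,
        string vaultCertificateName,
        string appCertificateName)
    {
        var data = new AppCertificateData(resourceGroup.Data.Location)
        {
            ServerFarmId = appServicePlanId,
            KeyVaultId = keyVaultResourceId,
            KeyVaultSecretName = vaultCertificateName,
        };
        ArmOperation<AppCertificateResource> op = await resourceGroup
            .GetAppCertificates()
            .CreateOrUpdateAsync(WaitUntil.Completed, appCertificateName, data);
        return op.Value;
    }
}
```

Variant 2 keeps the private key inside Key Vault and App Service, so the calling process never holds the PFX, which is the safer default when the code runs outside the app itself; Variant 1 is the one to use when the vault cannot grant App Service access. Neither variant is covered by the page beyond the PfxBlob call, and for the question's use case (application code loading the certificate rather than a TLS binding) the web app still needs the thumbprint listed in its WEBSITE_LOAD_CERTIFICATES app setting, a step the page does not mention.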