azure - 将 Azure SSL 证书导出为 pfx 文件

Question

我从 azure 购买了通配符证书。它现在位于 Key Vault 中。我需要将其上传到我们的另一台服务器，该服务器托管同一域的其他应用程序之一。 Azure 门户中的任何位置都没有将证书导出为 .pfx 文件的选项。

请帮忙。

Answer 1

您可以使用 PowerShell 创建 Azure 应用服务证书的本地 PFX 副本。

提供以下变量的适当值并将脚本另存为 copyasc.ps1。

变量:

$appServiceCertificateName = "ascdemo"
$resourceGroupName = "ascdemorg"
$azureLoginEmailId = "<a href="https://stackoverflow.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="83f6f0e6f1c3eeeae0f1ecf0ece5f7ade0ecee" rel="noreferrer noopener nofollow">[email protected]</a>"
$subscriptionId = "fb2c25dc-6bab-45c4-8cc9-cece7c42a95a"

copyasc.ps1:

$appServiceCertificateName = ""
$resourceGroupName = ""
$azureLoginEmailId = ""
$subscriptionId = ""

Login-AzureRmAccount
Set-AzureRmContext -SubscriptionId $subscriptionId

$ascResource = Get-AzureRmResource -ResourceName $appServiceCertificateName -ResourceGroupName $resourceGroupName -ResourceType "Microsoft.CertificateRegistration/certificateOrders" -ApiVersion "2015-08-01"
$keyVaultId = ""
$keyVaultSecretName = ""

$certificateProperties=Get-Member -InputObject $ascResource.Properties.certificates[0] -MemberType NoteProperty
$certificateName = $certificateProperties[0].Name
$keyVaultId = $ascResource.Properties.certificates[0].$certificateName.KeyVaultId
$keyVaultSecretName = $ascResource.Properties.certificates[0].$certificateName.KeyVaultSecretName

$keyVaultIdParts = $keyVaultId.Split("/")
$keyVaultName = $keyVaultIdParts[$keyVaultIdParts.Length - 1]
$keyVaultResourceGroupName = $keyVaultIdParts[$keyVaultIdParts.Length - 5]
Set-AzureRmKeyVaultAccessPolicy -ResourceGroupName $keyVaultResourceGroupName -VaultName $keyVaultName -UserPrincipalName $azureLoginEmailId -PermissionsToSecrets get
$secret = Get-AzureKeyVaultSecret -VaultName $keyVaultName -Name $keyVaultSecretName
$pfxCertObject=New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @([Convert]::FromBase64String($secret.SecretValueText),"", [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
$pfxPassword = -join ((65..90) + (97..122) + (48..57) | Get-Random -Count 50 | % {[char]$_})
$currentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
[Environment]::CurrentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
[io.file]::WriteAllBytes(".\appservicecertificate.pfx", $pfxCertObject.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $pfxPassword))
Write-Host "Created an App Service Certificate copy at: $currentDirectory\appservicecertificate.pfx"
Write-Warning "For security reasons, do not store the PFX password. Use it directly from the console as required."
Write-Host "PFX password: $pfxPassword"

在 PowerShell 控制台中键入以下命令来执行脚本:

Powershell –ExecutionPolicy Bypass
.\copyasc.ps1

您可以在 Azure 应用服务团队博客 Creating a local PFX copy of App Service Certificate 上找到更多详细信息

如果您有想要在 Azure 应用服务生态系统之外使用的应用服务证书，请尝试一下，并让我们知道效果如何。如果您遇到任何问题，请在 Stackoverflow 或 Azure App Service forum. 上告诉我们。