Importing Azure Key Vault certificates FAQ

For a certificate import operation, Azure Key Vault accepts two certificate file formats: PEM and PFX. Although there are PEM files with only the public portion, Key Vault requires and accepts only a PEM or PFX file with a private key. For more information, see Import a certificate to Key Vault.

After a certificate is imported and protected in Key Vault, its associated password isn't saved. The password is required only once during the import operation. This is by design, but you can always get the certificate as a secret and convert it from Base64 to PFX by adding the password through Azure PowerShell.

When you import a certificate, you need to ensure that the key is included in the file. If you have a private key stored separately in a different format, you need to combine the key with the certificate. Some certificate authorities (CAs) provide certificates in other formats. Therefore, before you import the certificate, make sure that it's in either PEM or PFX file format and that the key uses either Rivest-Shamir-Adleman (RSA) or elliptic-curve cryptography (ECC) encryption.

For more information, see certificate requirements and certificate key requirements.

No, it isn't possible to perform certificate operations by using an Azure Resource Manager (ARM) template. A recommended workaround would be to use the certificate import methods in the Azure API, the Azure CLI, or PowerShell. If you have an existing certificate, you can import it as a secret.

To view a more descriptive error, import the certificate file by using the Azure CLI or PowerShell.

The import operation requires that you grant the user permissions to import the certificate under the access policies. To do so, go to your key vault, select Access policies > Add Access Policy > Select Certificate Permissions > Principal, search for the user, and then add the user's email address.

For more information about certificate-related access policies, see About Azure Key Vault certificates.

Each certificate name must be unique. A certificate with the same name might be in a soft-deleted state. Also, according to the composition of a certificate, when new certificate is created, it creates an addressable secret with the same name so if there's another key or secret in the key vault with the same name as the one you're trying to specify for your certificate, the certificate creation will fail and you'll need to either remove that key or secret or use a different name for your certificate.

This error could be caused by either of two reasons:

• The certificate subject name is limited to 200 characters.
• The certificate password is limited to 200 characters.

Please verify that the content in the PEM file is uses UNIX-style line separators (\n)

No, expired PFX certificates can't be imported to Key Vault.

You can ask your CA to provide the certificate in the required format. There are also third-party tools that can help you convert the certificate to the proper format.

Yes, you can import certificates from any CA, but your key vault won't be able to renew them automatically. You can set reminders to be notified about the certificate expiration.

Yes. After you've uploaded the certificate, be sure to specify the autorotation in the certificate's issuance policy. Your settings will remain in effect until the next cycle or certificate version is released.

If you've imported the certificate successfully, you should be able to confirm it by going to the Secrets pane.

Certificate Authorities may provide with the option to either download certificate individually (root, intermediate, leaf) or download all of them in a single file. While importing certificate in Key Vault, it will allow you to import one certificate or the whole chain, it's up to you.

• Azure Key Vault certificates