Quickstart: Set and retrieve a certificate from Azure Key Vault using Azure PowerShell
In this quickstart, you create a key vault in Azure Key Vault with Azure PowerShell. Azure Key Vault is a cloud service that works as a secure secrets store. You can securely store keys, passwords, certificates, and other secrets. For more information on Key Vault, review the Overview. Azure PowerShell is used to create and manage Azure resources using commands or scripts. Afterwards, you store a certificate.
If you don't have an Azure subscription, create a trial subscription before you begin.
Note
Before you can use Azure CLI in Microsoft Azure operated by 21Vianet, please run az cloud set -n AzureChinaCloud
first to change the cloud environment. If you want to switch back to Azure Public Cloud, run az cloud set -n AzureCloud
again.
If you choose to install and use PowerShell locally, this tutorial requires Azure PowerShell module version 1.0.0 or later. Type $PSVersionTable.PSVersion
to find the version. If you need to upgrade, see Install Azure PowerShell module. If you are running PowerShell locally, you also need to run Connect-AzAccount -Environment AzureChinaCloud
to create a connection with Azure.
Connect-AzAccount -Environment AzureChinaCloud
Create a resource group
A resource group is a logical container into which Azure resources are deployed and managed. Use the Azure PowerShell New-AzResourceGroup cmdlet to create a resource group named myResourceGroup in the chinaeast location.
New-AzResourceGroup -Name "myResourceGroup" -Location "ChinaEast"
Create a key vault
Use the Azure PowerShell New-AzKeyVault cmdlet to create a Key Vault in the resource group from the previous step. You need to provide some information:
Key vault name: A string of 3 to 24 characters that can contain only numbers (0-9), letters (a-z, A-Z), and hyphens (-)
Important
Each key vault must have a unique name. Replace <your-unique-keyvault-name> with the name of your key vault in the following examples.
Resource group name: myResourceGroup.
The location: ChinaEast.
New-AzKeyVault -Name "<your-unique-keyvault-name>" -ResourceGroupName "myResourceGroup" -Location "ChinaEast"
The output of this cmdlet shows properties of the newly created key vault. Take note of these two properties:
- Vault Name: The name you provided to the -Name parameter.
- Vault URI: In the example, this URI is https://<your-unique-keyvault-name>.vault.azure.cn/. Applications that use your vault through its REST API must use this URI.
At this point, your Azure account is the only one authorized to perform any operations on this new vault.
Give your user account permissions to manage secrets in Key Vault
To grant your application permissions to your key vault through Role-Based Access Control (RBAC), assign a role using the Azure PowerShell cmdlet New-AzRoleAssignment.
New-AzRoleAssignment -RoleDefinitionName "Key Vault Secrets User" -SignInName "<your-email-address>" -Scope "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.KeyVault/vaults/<your-unique-keyvault-name>"
Replace <your-email-address>, <subscription-id>, <resource-group-name> and <your-unique-keyvault-name> with your actual values. <your-email-address> is your sign-in name; you can instead use the -ObjectId
parameter and a Microsoft Entra Object ID.
Add a certificate to Key Vault
To can now add a certificate to the vault. This certificate could be used by an application.
Use these commands to create a self-signed certificate with policy called ExampleCertificate :
$Policy = New-AzKeyVaultCertificatePolicy -SecretContentType "application/x-pkcs12" -SubjectName "CN=contoso.com" -IssuerName "Self" -ValidityInMonths 6 -ReuseKeyOnRenewal
Add-AzKeyVaultCertificate -VaultName "<your-unique-keyvault-name>" -Name "ExampleCertificate" -CertificatePolicy $Policy
You can now reference this certificate that you added to Azure Key Vault by using its URI. Use https://<your-unique-keyvault-name>.vault.azure.cn/certificates/ExampleCertificate
to get the current version.
To view previously stored certificate:
Get-AzKeyVaultCertificate -VaultName "<your-unique-keyvault-name>" -Name "ExampleCertificate"
Troubleshooting:
Operation returned an invalid status code 'Forbidden'
If you receive this error, the account accessing the Azure Key Vault does not have the proper permissions to create certificates.
Run the following Azure PowerShell command to assign the proper permissions:
Set-AzKeyVaultAccessPolicy -VaultName <KeyVaultName> -ObjectId <AzureObjectID> -PermissionsToCertificates get,list,update,create
Clean up resources
Other quickstarts and tutorials in this collection build upon this quickstart. If you plan to continue on to work with other quickstarts and tutorials, you may want to leave these resources in place.
When no longer needed, you can use the Azure PowerShell Remove-AzResourceGroup cmdlet to remove the resource group and all related resources.
Remove-AzResourceGroup -Name "myResourceGroup"
Next steps
In this quickstart, you created a Key Vault and stored a certificate in it. To learn more about Key Vault and how to integrate it with your applications, continue on to the articles below.
- Read an Overview of Azure Key Vault
- See the reference for the Azure PowerShell Key Vault cmdlets
- Review the Key Vault security overview