Export certificates from Azure Key Vault

Learn how to export certificates from Azure Key Vault. You can export certificates by using the Azure CLI, Azure PowerShell, or the Azure portal. You can also use the Azure portal to export Azure App Service certificates.

About Azure Key Vault certificates

Azure Key Vault lets you provision, manage, and deploy digital certificates for your network. It also enables secure communication between applications. See Azure Key Vault certificates for more information.

Composition of a certificate

When a Key Vault certificate is created, an addressable key and an addressable secret with the same name are created alongside it. The Key Vault key allows key operations. The Key Vault secret allows retrieval of the certificate value as a secret. A Key Vault certificate also contains public x509 certificate metadata. See Composition of a certificate for more information.

Exportable and non-exportable keys

After a Key Vault certificate is created, you can retrieve it, together with the private key, from the addressable secret. Retrieve the certificate in PFX or PEM format.

  • Exportable: The policy used to create the certificate indicates that the key is exportable.
  • Non-exportable: The policy used to create the certificate indicates that the key is non-exportable. In this case, the private key isn't part of the value when the certificate is retrieved as a secret.

Supported key types: RSA, RSA-HSM, EC, EC-HSM, oct (listed here). Exportable is allowed only with RSA and EC. HSM keys are non-exportable.

See About Azure Key Vault certificates for more information.

Export stored certificates

You can export certificates stored in Azure Key Vault by using the Azure CLI, Azure PowerShell, or the Azure portal.

Note

A certificate password is required only when you import the certificate into the key vault. Key Vault doesn't save the associated password. When you export the certificate, the password is blank.

Use the following command in the Azure CLI to download the public portion of a Key Vault certificate.

az keyvault certificate download --file
                                 [--encoding {DER, PEM}]
                                 [--id]
                                 [--name]
                                 [--subscription]
                                 [--vault-name]
                                 [--version]

View examples and parameter definitions for more information.

Downloading as a certificate retrieves only the public portion. If you need both the private key and the public metadata, download the certificate as a secret instead.

az keyvault secret download --file {nameofcert.pfx}
                            [--encoding {ascii, base64, hex, utf-16be, utf-16le, utf-8}]
                            [--id]
                            [--name]
                            [--subscription]
                            [--vault-name]
                            [--version]

For more information, see parameter definitions.
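As an added example (not from the original page), the two download commands above wrapped in small POSIX shell helpers, plus a check for what actually came back: a certificate created under a non-exportable policy is returned as public material only, so the PEM will carry no private key. The vault name, certificate name and output paths are placeholders; the `az` calls assume an authenticated Azure CLI session.

```shell
#!/bin/sh
# Added example, not from the page. Vault/certificate names are placeholders.
set -eu

# Download the certificate as a *secret*: this is the only path that carries
# the private key, and only when the certificate policy marked it exportable.
# A PKCS#12 secret is stored base64-encoded, so --encoding base64 writes a
# binary .pfx; a PEM secret is the PEM text itself (use --encoding utf-8).
export_cert_secret() {
    vault="$1"; name="$2"; out="$3"; enc="${4:-base64}"
    az keyvault secret download --vault-name "$vault" --name "$name" \
        --encoding "$enc" --file "$out"
}

# Download only the public certificate (no private key), as PEM or DER.
export_cert_public() {
    vault="$1"; name="$2"; out="$3"; enc="${4:-PEM}"
    az keyvault certificate download --vault-name "$vault" --name "$name" \
        --encoding "$enc" --file "$out"
}

# Return success if a PEM export contains a private key block. An export of a
# non-exportable certificate, or a public-only download, fails this check.
has_private_key() {
    grep -E -q -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1"
}

# Split a PEM export into a key file (owner-only permissions) and a
# certificate file, so the key is never left in a world-readable bundle.
split_pem() {
    in="$1"; keyout="$2"; certout="$3"
    umask 077
    awk '/-----BEGIN (RSA |EC )?PRIVATE KEY-----/{k=1} k{print > KEY}
         /-----END (RSA |EC )?PRIVATE KEY-----/{k=0}' KEY="$keyout" "$in"
    awk '/-----BEGIN CERTIFICATE-----/{c=1} c{print > CERT}
         /-----END CERTIFICATE-----/{c=0}' CERT="$certout" "$in"
}

# Usage (placeholders):
#   export_cert_secret my-vault my-cert ./my-cert.pem utf-8
#   has_private_key ./my-cert.pem || echo "no private key: policy non-exportable?"
#   split_pem ./my-cert.pem ./my-cert.key ./my-cert.crt
```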

Read more