教程:在 Azure Key Vault 中导入证书Tutorial: Import a certificate in Azure Key Vault

Azure Key Vault 是一项云服务,它为机密提供了安全的存储。Azure Key Vault is a cloud service that provides a secure store for secrets. 可以安全地存储密钥、密码、证书和其他机密。You can securely store keys, passwords, certificates, and other secrets. 可以通过 Azure 门户创建和管理 Azure Key Vault。Azure key vaults may be created and managed through the Azure portal. 在本教程中,我们将创建一个密钥保管库并使用它来导入证书。In this tutorial, you create a key vault, then use it to import a certificate. 有关 Key Vault 的详细信息,请参阅概述For more information on Key Vault, review the Overview.

本教程介绍如何:The tutorial shows you how to:

  • 创建密钥保管库。Create a key vault.
  • 使用门户在 Key Vault 中导入证书。Import a certificate in Key Vault using the portal.
  • 使用 CLI 在 Key Vault 中导入证书。Import a certificate in Key Vault using the CLI.
  • 使用 PowerShell 在 Key Vault 中导入证书。Import a certificate in Key Vault using PowerShell.

在开始之前,请阅读 Key Vault 的基本概念Before you begin, read Key Vault basic concepts.

如果没有 Azure 订阅,请在开始前创建一个试用订阅If you don't have an Azure subscription, create a Trial Subscription before you begin.

登录 AzureSign in to Azure

通过 https://portal.azure.cn 登录到 Azure 门户。Sign in to the Azure portal at https://portal.azure.cn.

创建保管库Create a vault

  1. 在 Azure 门户菜单或“主页”中,选择“创建资源” 。From the Azure portal menu, or from the Home page, select Create a resource.
  2. 在“搜索”框中输入“Key Vault”。In the Search box, enter Key Vault.
  3. 从结果列表中选择“Key Vault”。From the results list, choose Key Vault.
  4. 在“Key Vault”部分,选择“创建”。On the Key Vault section, choose Create.
  5. 在“创建密钥保管库”部分,提供以下信息:On the Create key vault section provide the following information:
    • 名称:必须提供唯一的名称。Name: A unique name is required. 在本快速入门中,我们使用 Example-Vault。For this quickstart, we use Example-Vault.
    • 订阅:选择订阅。Subscription: Choose a subscription.
    • 在“资源组”下选择“新建”,然后输入资源组名称。Under Resource Group, choose Create new and enter a resource group name.
    • 在“位置”下拉菜单中选择一个位置。In the Location pull-down menu, choose a location.
    • 让其他选项保留默认值。Leave the other options to their defaults.
  6. 提供上述信息后,选择“创建”。After providing the information above, select Create.

请记下下面列出的两个属性:Take note of the two properties listed below:

  • 保管库名称:在示例中,此项为 Example-Vault。Vault Name: In the example, this is Example-Vault. 将在其他步骤中使用此名称。You will use this name for other steps.
  • 保管库 URI:在本示例中,此项为 https://example-vault.vault.azure.net/Vault URI: In the example, this is https://example-vault.vault.azure.net/. 通过其 REST API 使用保管库的应用程序必须使用此 URI。Applications that use your vault through its REST API must use this URI.

目前,只有你的 Azure 帐户有权对这个新保管库执行操作。At this point, your Azure account is the only one authorized to perform operations on this new vault.

Key Vault 创建完成后的输出

将证书导入到 Key VaultImport a certificate to Key Vault

若要将证书导入到保管库,需要将 PEM 或 PFX 证书文件存储在磁盘上。To import a certificate to the vault, you need to have a PEM or PFX certificate file to be on disk. 在本例中,我们将导入文件名为 ExampleCertificate 的证书。In this case, we will import a certificate with file name called ExampleCertificate.


在 Azure Key Vault 中,支持的证书格式为 PFX 和 PEM。In Azure Key Vault, supported certificate formats are PFX and PEM.

  • .pem 文件格式包含一个或多个 X509 证书文件。.pem file format contains one or more X509 certificate files.
  • .pfx 文件格式是一种存档文件格式,用于将多个加密对象存储在单个文件中,这些加密对象是:颁发给你的域的服务器证书、一个匹配的私钥,还可能包括一个中间 CA。.pfx file format is an archive file format for storing several cryptographic objects in a single file i.e. server certificate (issued for your domain), a matching private key, and may optionally include an intermediate CA.
  1. 在 Key Vault 属性页中,选择“证书”。On the Key Vault properties pages, select Certificates.
  2. 单击“生成/导入”。Click on Generate/Import.
  3. 在“创建证书”屏幕上,选择以下值:On the Create a certificate screen choose the following values:
    • 证书创建方法:导入。Method of Certificate Creation: Import.
    • 证书名称:ExampleCertificate。Certificate Name: ExampleCertificate.
    • 上传证书文件:从磁盘选择证书文件Upload Certificate File: select the certificate file from disk
    • 密码:如果要上传受密码保护的证书文件,请在此处提供该密码。Password : If you are uploading a password protected certificate file, provide that password here. 否则,请将其留空。Otherwise, leave it blank. 成功导入证书文件后,密钥保管库会删除该密码。Once the certificate file is successfully imported, key vault will remove that password.
  4. 单击“创建”。Click Create.


使用“导入”方法添加证书后,Azure 密钥保管库会自动填充证书参数(即有效期、颁发者名称、激活日期等)。By adding a certificate using Import method, Azure Key vault will automatically populate certificate parameters (i.e. validity period, Issuer name, activation date etc.).

收到证书已成功导入的消息后,可以单击列表中的该证书以查看其属性。Once you receive the message that the certificate has been successfully imported, you may click on it on the list to view its properties.


使用 Azure CLI 导入证书Import a certificate using Azure CLI

将证书导入到指定的密钥保管库。Import a certificate into a specified key vault. 在将包含私钥的现有有效证书导入到 Azure Key Vault 中时,要导入的文件可以采用 PFX 格式或 PEM 格式。To import an existing valid certificate, containing a private key, into Azure Key Vault, the file to be imported can be in either PFX or PEM format. 如果证书采用 PEM 格式,则 PEM 文件必须包含密钥和 x509 证书。If the certificate is in PEM format, the PEM file must contain the key as well as x509 certificates. 此操作需要证书/导入权限。This operation requires the certificates/import permission.

az keyvault certificate import --file
                               [--disabled {false, true}]

详细了解参数Learn more about the parameters

导入证书后,可以使用 certificate show 来查看证书After importing the certificate, you can view the certificate using Certificate show

az keyvault certificate show [--id]

现在,你已创建了一个密钥保管库,导入了一个证书并查看了证书的属性。Now, you have created a Key vault, imported a certificate and viewed Certificate's properties.

使用 Azure PowerShell 导入证书Import a certificate using Azure PowerShell

      [-VaultName] <String>
      [-Name] <String>
      -FilePath <String>
      [-Password <SecureString>]
      [-Tag <Hashtable>]
      [-DefaultProfile <IAzureContextContainer>]

详细了解参数Learn more about the parameters.

清理资源Clean up resources

其他 Key Vault 快速入门和教程是在本快速入门的基础上制作的。Other Key Vault quickstarts and tutorials build upon this quickstart. 如果打算继续使用后续的快速入门和教程,则可能需要保留这些资源。If you plan to continue on to work with subsequent quickstarts and tutorials, you may wish to leave these resources in place. 如果不再需要资源组,可以将其删除,这将删除 Key Vault 和相关的资源。When no longer needed, delete the resource group, which deletes the Key Vault and related resources. 要通过门户删除资源组,请执行以下操作:To delete the resource group through the portal:

  1. 在门户顶部的“搜索”框中输入资源组的名称。Enter the name of your resource group in the Search box at the top of the portal. 在搜索结果中看到在本快速入门中使用的资源组后,将其选中。When you see the resource group used in this quickstart in the search results, select it.
  2. 选择“删除资源组”。Select Delete resource group.
  3. 在“键入资源组名称:”框中,键入资源组的名称,然后选择“删除” 。In the TYPE THE RESOURCE GROUP NAME: box type in the name of the resource group and select Delete.

后续步骤Next steps

在本教程中,你创建了一个 Key Vault 并在其中导入了一个证书。In this tutorial, you created a Key Vault and imported a certificate in it. 若要详细了解 Key Vault 以及如何将其与应用程序集成,请继续阅读以下文章。To learn more about Key Vault and how to integrate it with your applications, continue on to the articles below.