Exporting Azure App Service Certificates

Azure App Service Certificates provide a convenient way to purchase SSL certificates and assign them to Azure Apps right from within the portal, but one question I see a lot is whether it is possible to use this certificate elsewhere, outside of the app service, particularly if you have purchased a wild-card certificate.

The certificate provided by App Service Certificates isn't anything special, it's a pretty standard SSL cert, the service just provides a nice easy way to provision it and assign it to your web service. The certificate along with it's keys are all stored in KeyVault and so it's fairly simple to extract the certificate in the PFX format so that you can then import and use it with other services.

Exporting the Certificate

App Service Certificates are stored in Keyvault when you provision them, so we need to talk to Keyvault to extract the certificate and create the PFX file. This can be achieved with a bit of Azure PowerShell. The following snippet gets the certificate from Keyvault and then exports this as a password protected PFX file that you can then import elsewhere. When asked to login you will need to use credentials that at a minimum have read access to the secrets in Keyvault.

    #Connect to Azure and select subscription
    Login-AzureRmAccount
    Select-AzureRMSubscription -SubscriptionName "<name of subscription containing keyvault"

    #obtain the secret from keyvault
    $vaultName = '<name of Keyvault'
    $secretName = '<name of secret containing certificate>'
    $certString = Get-AzureKeyVaultSecret -VaultName $vaultName -Name $secretName
    #Create a PFX from the secret and write to disk
    $kvSecretBytes = [System.Convert]::FromBase64String($certString.SecretValueText)
    $certCollection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $certCollection.Import($kvSecretBytes,$null,[System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
    $password = '<required password for PFX>'
    $protectedCertificateBytes = $certCollection.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $password)
    $pfxPath = "C:\temp\$secretName.pfx"
    [System.IO.File]::WriteAllBytes($pfxPath, $protectedCertificateBytes)

Obviously the PFX file you extract is a copy of the certificate as it stands at the point you extract it. If you re-key or renew the certificate in Keyvault you will need to re-export the PFX and replace it where ever it is used.