Export an Azure App Service Certificate PFX PowerShell

I found this article “Creating a local PFX copy of App Service Certificate” here and wanted to do a reproduction of it.

I wrote an article here where I discussed “How (I) configured an App Service Certificate for my Azure App Service” which might help to get a broader perspective of what and how to configure an App Service Certificate.

Executing the PowerShell script provided at the site mentioned in the first line of this article, and shown in Figure 2, requires some information: the Certificate Name, Resource Group, Email Id and Subscription Id.  All of that information, except the Email Id, can be found on the App Service Certificates –> Certificate Properties blade, as seen in Figure 1.  The Email Id I used was the one linked to the Subscription in which the certificate exists.


Figure 1, App Service Certificate, certificate properties

Next, execute the PowerShell script below, which is also shown in Figure 2.

# Fill these in from the Certificate Properties blade (see Figure 1); the Email Id is the
# account you sign in with, which must be able to grant itself access to the Key Vault.
$appServiceCertificateName = ""
$resourceGroupName = ""
$azureLoginEmailId = ""
$subscriptionId = ""

# Sign in and select the subscription that holds the App Service Certificate.
Login-AzureRmAccount
Set-AzureRmContext -SubscriptionId $subscriptionId

# The App Service Certificate is a certificateOrders resource; its properties point at the
# Key Vault secret where the PFX is stored.
$ascResource = Get-AzureRmResource -ResourceName $appServiceCertificateName -ResourceGroupName $resourceGroupName -ResourceType "Microsoft.CertificateRegistration/certificateOrders" -ApiVersion "2015-08-01"
$keyVaultId = ""
$keyVaultSecretName = ""

# The certificates collection is keyed by certificate name, so read the first NoteProperty
# name and use it to reach the KeyVaultId and KeyVaultSecretName underneath it.
$certificateProperties=Get-Member -InputObject $ascResource.Properties.certificates[0] -MemberType NoteProperty
$certificateName = $certificateProperties[0].Name
$keyVaultId = $ascResource.Properties.certificates[0].$certificateName.KeyVaultId
$keyVaultSecretName = $ascResource.Properties.certificates[0].$certificateName.KeyVaultSecretName

# A Key Vault resource ID has the form
# /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.KeyVault/vaults/{name},
# so after splitting on "/" the vault name is the last part and the resource group is five parts from the end.
$keyVaultIdParts = $keyVaultId.Split("/")
$keyVaultName = $keyVaultIdParts[$keyVaultIdParts.Length - 1]
$keyVaultResourceGroupName = $keyVaultIdParts[$keyVaultIdParts.Length - 5]
# Grant the signed-in user 'get' on secrets so the PFX can be read; note this policy persists after the script ends.
Set-AzureRmKeyVaultAccessPolicy -ResourceGroupName $keyVaultResourceGroupName -VaultName $keyVaultName -UserPrincipalName $azureLoginEmailId -PermissionsToSecrets get
$secret = Get-AzureKeyVaultSecret -VaultName $keyVaultName -Name $keyVaultSecretName
# The secret value is a base64-encoded PFX with an empty password; load it with an exportable private key.
$pfxCertObject=New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @([Convert]::FromBase64String($secret.SecretValueText),"", [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
# Generate a random 50-character alphanumeric password to protect the exported PFX.
$pfxPassword = -join ((65..90) + (97..122) + (48..57) | Get-Random -Count 50 | % {[char]$_})
$currentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
# .NET's current directory can differ from PowerShell's location, so align them before writing a relative path.
[Environment]::CurrentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
[io.file]::WriteAllBytes(".\appservicecertificate.pfx", $pfxCertObject.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $pfxPassword))
Write-Host "Created an App Service Certificate copy at: $currentDirectory\appservicecertificate.pfx"
Write-Warning "For security reasons, do not store the PFX password. Use it directly from the console as required."
Write-Host "PFX password: $pfxPassword"

I copied the above PowerShell script from this post: “Creating a local PFX copy of App Service Certificate”.


Figure 2, App Service Certificate, export PFX file using PowerShell

The script ran pretty fast and it did indeed export the PFX file and provided me a password.  I imported it into CERTMGR, which I discuss a little here and here, so that I could look at the details.  See Figure 3.


Figure 3, App Service Certificate, export PFX file using PowerShell and import into CERTMGR

The goal was to move the certificate to another Azure App Service Web App in another subscription.  So I accessed the Azure Portal, as seen in Figure 4, and was able to add the certificate to the new Web App.  Selecting Upload Certificate opens a new blade where you select the PFX file and enter the password generated by the PowerShell script executed previously.


Figure 4, App Service Certificate, move to another subscription, use an App Service Certificate with IIS, export PFX
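Two things the script above leaves to the reader are worth doing in the same session: checking that the exported PFX really contains the certificate and its private key, and removing the Key Vault access policy the script granted to the signed-in user, since that 'get' permission on secrets otherwise stays in place after the one-off export. The following is an added example, not part of the original post or of the Microsoft script it reproduces. It assumes the script above has just run in the current session (so $pfxCertObject, $pfxPassword, $keyVaultName, $keyVaultResourceGroupName and $azureLoginEmailId are still set and appservicecertificate.pfx is in the current directory), and it finishes with the AzureRM equivalent of the portal upload from Figure 4 for a target subscription, resource group, Web App and hostname whose values are placeholders to be filled in.

```powershell
# Added example: verify the exported PFX, revoke the temporary Key Vault access,
# then bind the certificate to a Web App in another subscription from PowerShell.
# Assumes the variables from the export script are still present in this session.

$pfxPath = Join-Path (Get-Location -PSProvider FileSystem).ProviderPath 'appservicecertificate.pfx'

# 1. Verify the file on disk: load it with the generated password and compare it to the
#    in-memory certificate object the script built from the Key Vault secret.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @(
    $pfxPath,
    $pfxPassword,
    [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
)

$report = [pscustomobject]@{
    Subject        = $check.Subject
    Thumbprint     = $check.Thumbprint
    NotAfter       = $check.NotAfter
    HasPrivateKey  = $check.HasPrivateKey
    MatchesSecret  = ($check.Thumbprint -eq $pfxCertObject.Thumbprint)
}
$report | Format-List

if (-not $check.HasPrivateKey) {
    throw "The PFX at $pfxPath has no private key; it cannot be used for an SSL binding."
}
if (-not $report.MatchesSecret) {
    throw "The PFX on disk does not match the certificate read from Key Vault."
}
if ($check.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($check.NotAfter); renew the App Service Certificate before moving it."
}

# 2. Revoke the 'get' secrets permission the export script granted to the signed-in user.
#    The export is a one-off, so the standing permission should not outlive it.
Remove-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName `
    -ResourceGroupName $keyVaultResourceGroupName `
    -UserPrincipalName $azureLoginEmailId

# 3. Upload the PFX and create the SNI binding on the Web App in the other subscription.
#    These four values are placeholders (assumptions), not values from the post.
$targetSubscriptionId   = "<target-subscription-id>"
$targetResourceGroup    = "<target-resource-group>"
$targetWebAppName       = "<target-web-app-name>"
$targetHostName         = "<www.example.com>"   # custom hostname already added to the Web App

Set-AzureRmContext -SubscriptionId $targetSubscriptionId

New-AzureRmWebAppSSLBinding -ResourceGroupName $targetResourceGroup `
    -WebAppName $targetWebAppName `
    -Name $targetHostName `
    -SslState SniEnabled `
    -CertificateFilePath $pfxPath `
    -CertificatePassword $pfxPassword

# 4. Confirm the binding now references the thumbprint we verified in step 1.
Get-AzureRmWebAppSSLBinding -ResourceGroupName $targetResourceGroup -WebAppName $targetWebAppName |
    Where-Object { $_.Thumbprint -eq $check.Thumbprint } |
    Select-Object Name, SslState, Thumbprint
```

Step 1 is the check I would want before deleting anything: the thumbprint comparison catches a file written from the wrong object, and HasPrivateKey catches an export that silently produced a certificate-only PFX. Step 2 is the least-privilege cleanup the original script omits; if your account already needed that policy for other reasons, skip it. The PFX file and the console output containing the password should be deleted or cleared once the binding is in place, in line with the script's own warning.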