
Importing an SSL Certificate from KeyVault to a Linux VM

· 4 min read
Joie Llantero

Azure Key Vault can be used to create or import an SSL certificate for our website. In this article, we discuss how to transfer the certificate to our VM and use it to secure our website.

What is Azure Key Vault?

Azure Key Vault is a cloud service for securely storing and accessing secrets such as API keys, passwords, certificates, and cryptographic keys. Access to these resources is also configurable: we can set up a firewall specific to our Key Vault or set up a private endpoint.

note

The sections below may not all apply to your use case, so feel free to skip to the ones relevant to you.

Create an Azure Key Vault

For those who don't have a Key Vault, you can create one in your resource group using the command below.

keyvault_name=<mykeyvault>
az keyvault create \
--resource-group myResourceGroupSecureWeb \
--name $keyvault_name \
--enabled-for-deployment

Generating a certificate in Key Vault

In this section we generate a self-signed certificate, which is fine for testing; in production, import your own certificate signed by a trusted certificate authority instead.

cert_name=<mycert>
az keyvault certificate create \
--vault-name $keyvault_name \
--name $cert_name \
--policy "$(az keyvault certificate get-default-policy)"

Storing a certificate in Key Vault

If you have your own certificate, you can import it using the command below.

az keyvault certificate import \
--vault-name "<your-key-vault-name>" \
-n "ExampleCertificate" \
-f "/path/to/ExampleCertificate.pem"

Transferring the certificate from Key Vault to the VM

Once you have created or imported a certificate in Azure Key Vault, run the commands below to import the certificate and private key into the VM. Replace the variables ($keyvault_name, $cert_name, $vm_name, $rg_name) with the appropriate details.

First, we obtain the certificate ID by running az keyvault secret list-versions.

secret=$(az keyvault secret list-versions \
--vault-name $keyvault_name \
--name $cert_name \
--query "[?attributes.enabled].id" --output tsv)

Next, we need to convert the ID into something our VM can use.

vm_secret=$(az vm secret format --secrets "$secret")

Finally, we update our VM's OSProfile secret value.

az vm update -n $vm_name -g $rg_name --set osProfile.secrets="$vm_secret"

info

OSProfile specifies the operating system settings for the virtual machine. More details about OSProfile are in the Azure documentation.

With this, the certificate is now transferred to our VM.

Using the certificate

SSH into our VM and follow the steps below to use the SSL certificate for our site.

  1. After the VM update above, the certificate and private key are placed in /var/lib/waagent. The file names are the certificate's thumbprint as shown in Azure Key Vault, with .crt and .prv extensions.

  2. Copy the .crt and .prv files to more readable names. For instance, you can run something similar to the following commands:

    cat <key_thumbprint_here>.crt > mysite.crt
    cat <key_thumbprint_here>.prv > mysite.prv
  3. Move these to /etc/nginx/certs/.

    mv mysite.crt /etc/nginx/certs/
    mv mysite.prv /etc/nginx/certs/
  4. Update the Nginx config file:

    server {
    ...
    listen 80;
    server_name mysite.com 12.345.67.8;
    listen 443 default_server ssl;
    ssl_certificate /etc/nginx/certs/mysite.crt;
    ssl_certificate_key /etc/nginx/certs/mysite.prv;
    ...
    }
  5. Restart Nginx: sudo systemctl restart nginx.

  6. Visit your site and check if you have the lock icon beside the URL.
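The steps above move the private key into /etc/nginx/certs without restricting who can read it and without checking that the .crt and .prv files actually belong together. The script below is an added example and is not part of the original article: it verifies that the key matches the certificate, installs the pair with the key readable only by its owner, and prints the SHA-1 thumbprint so you can compare it with the one Key Vault shows. The function names and the destination layout are this example's own; it assumes openssl is installed on the VM.

```sh
#!/bin/sh
# Added example, not part of the original article: install a certificate/key
# pair for Nginx with safe permissions and verify the pair before use.
# Assumes openssl is installed on the VM (it ships with most distributions).
set -eu

# SHA-1 thumbprint of a PEM certificate, printed as the colon-free upper-case
# hex string Key Vault displays and waagent uses for the file name.
cert_thumbprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//; s/://g'
}

# Exit status 0 if the private key in $2 belongs to the certificate in $1,
# decided by comparing the public key derived from each side.
cert_key_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Copy CERT and KEY into DEST as NAME.crt / NAME.key. The certificate is
# public and stays world-readable; the key becomes readable by its owner only.
# Refuses to install a mismatched pair. Prints the installed thumbprint.
install_cert_pair() {
  cert=$1; key=$2; dest=$3; name=$4
  if ! cert_key_match "$cert" "$key"; then
    echo "refusing to install: $key does not match $cert" >&2
    return 1
  fi
  mkdir -p "$dest"
  cp "$cert" "$dest/$name.crt"
  cp "$key"  "$dest/$name.key"
  chmod 0644 "$dest/$name.crt"
  chmod 0600 "$dest/$name.key"
  cert_thumbprint "$dest/$name.crt"
}

# Usage on the VM, as root (waagent's files are root-only):
#   sh install_cert.sh /var/lib/waagent/<THUMBPRINT>.crt /var/lib/waagent/<THUMBPRINT>.prv /etc/nginx/certs mysite
# Compare the printed thumbprint with the one shown in Key Vault, then run
#   nginx -t && systemctl restart nginx
if [ $# -eq 4 ]; then
  install_cert_pair "$1" "$2" "$3" "$4"
fi
```

If you use this script, point ssl_certificate_key in the Nginx config at /etc/nginx/certs/mysite.key instead of mysite.prv, and run nginx -t before restarting so a typo in the config does not take the site down.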

osProfile Issue

caution

A VM created from an OS disk snapshot has no osProfile, so the previous process, which updates the osProfile secrets, doesn't work for it.

Below is an alternative way of importing your SSL cert to your VM.

  1. Prepare your cert and key

    Adding the flag --encoding base64 ensures that the downloaded .pfx file is in binary format. The .pfx exported by Key Vault has no password, hence -passin pass: on the openssl commands.

    # download your cert from Azure Key Vault and copy the file to your VM
    # if you already have your cert.pfx on your local machine, skip this step
    az keyvault secret download --file <certname>.pfx --vault-name <keyvaultname> --name <certname> --encoding base64

    # extract the private key and the leaf certificate from the .pfx
    openssl pkcs12 -in <certname>.pfx -nocerts -out <certname>.key -nodes -passin pass:
    openssl pkcs12 -in <certname>.pfx -clcerts -nokeys -out <certname>.crt -passin pass:
  2. Once you have your cert and key ready, copy them to the VM with scp.

    scp <certname>.crt <certname>.key <vmuser>@<vmip>:~

    # if your SSH server listens on a non-default port
    scp -P 1234 <certname>.crt <certname>.key <vmuser>@<vmip>:~

    The files land in the VM user's home directory (~).

  3. Create a new Nginx certs folder: sudo mkdir -p /etc/nginx/certs/

  4. Move the files into the Nginx certs folder:

    • Run command: sudo mv <certname>.crt /etc/nginx/certs/
    • Run command: sudo mv <certname>.key /etc/nginx/certs/
  5. Update the Nginx config file as in step 4 of the previous section (using the .key file name here): sudo vim /etc/nginx/sites-available/ctfd

  6. Restart Nginx

    • Run command: sudo systemctl restart nginx
  7. Visit your site at https://<sitedomain>.com/
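Looking for the lock icon tells you TLS is on, but not that the site serves the certificate you just installed or how long it remains valid. The script below is an added example, not part of the original article, for either transfer path: it compares the thumbprint of the installed file with the one the live endpoint presents and warns when the certificate expires within 30 days, at which point the certificate needs renewing in Key Vault and the transfer repeating. Function names are this example's own; it assumes openssl is available where you run it.

```sh
#!/bin/sh
# Added example, not part of the original article: post-deployment checks
# for the certificate installed in /etc/nginx/certs. Assumes openssl.
set -eu

# Exit status 0 if the certificate in $1 expires within the next $2 days.
# openssl -checkend exits 0 while the cert is still valid at that moment,
# so its result is inverted here.
cert_expires_within() {
  secs=$(( $2 * 86400 ))
  if openssl x509 -in "$1" -noout -checkend "$secs" >/dev/null; then
    return 1
  fi
  return 0
}

# SHA-1 thumbprint of a PEM certificate, colon-free upper-case as Key Vault shows it.
cert_thumbprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//; s/://g'
}

# Thumbprint of the certificate a live HTTPS endpoint actually presents.
# Sends SNI so a server hosting several names returns the right certificate.
served_cert_thumbprint() {
  host=$1; port=${2:-443}
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha1 | sed 's/^.*=//; s/://g'
}

# Compare the installed file with what the site serves and warn on expiry.
check_deployment() {
  cert=$1; host=$2; port=${3:-443}
  installed=$(cert_thumbprint "$cert")
  served=$(served_cert_thumbprint "$host" "$port")
  if [ "$installed" != "$served" ]; then
    echo "MISMATCH: installed $installed, served $served (is Nginx restarted and using this file?)" >&2
    return 1
  fi
  if cert_expires_within "$cert" 30; then
    echo "WARNING: $cert expires within 30 days; renew it in Key Vault and repeat the transfer" >&2
  fi
  echo "OK: $host serves $installed"
}

# Usage: sh check_cert.sh /etc/nginx/certs/mysite.crt <sitedomain>.com [port]
if [ $# -ge 2 ]; then
  check_deployment "$@"
fi
```

Run it from the VM after the restart; a mismatch usually means Nginx is still serving an older certificate or a different server block than the one you edited.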

Final Thoughts

Using Azure Key Vault is quite easy, but it can be overwhelming because Microsoft has a lot of documentation for its cloud services. This article collects the steps for a simple task, securing your site with an SSL certificate, into one easy-to-follow sequence.