Import Certificate from Azure Key Vault

Octopus.Script exported 2018-04-17 by nshenoy belongs to ‘Azure’ category.

Imports a certificate from Azure Key Vault into the certificate store on the tentacle

Parameters

When steps based on the template are included in a project’s deployment process, the parameters below can be set.

Azure Service Principal SubscriptionId

Azure.GetKeyVaultCertificate.SubscriptionId =

Azure SubscriptionId for the Service Principal account

Azure Active Directory Tenant Id

Azure.GetKeyVaultCertificate.TenantId =

The Azure Active Directory Tenant Id associated with the Service Principal account

Azure Service Principal Client Id

Azure.GetKeyVaultCertificate.ClientId =

The Client Id associated with the Service Principal account

Azure Service Principal Password

Azure.GetKeyVaultCertificate.Password =

The password or “key” for the Service Principal account

Key Vault Name

Azure.GetKeyVaultCertificate.KeyVaultName =

The name of the Azure Key Vault

Certificate Name

Azure.GetKeyVaultCertificate.CertificateName =

The name of the certificate to retrieve from the Key Vault

Certificate Version

Azure.GetKeyVaultCertificate.CertificateVersion = latest

[Optional] Enter the specific version of the certificate. Defaults to latest.

Certificate Store Name

Azure.GetKeyVaultCertificate.CertificateStoreName =

Certificate store name. E.g. My

Certificate Store Location

Azure.GetKeyVaultCertificate.CertificateStoreLocation =

Certificate store location. E.g. “LocalMachine”

Certificate Friendly Name

Azure.GetKeyVaultCertificate.CertificateFriendlyName =

[Optional] A friendly name to give the certificate when importing. E.g. Client Auth Cert for FooService

Script body

Steps based on this template will execute the following PowerShell script.

Import-Module AzureRM.Profile
Import-Module AzureRM.KeyVault

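Function Validate-Parameter($parameterValue, [string[]]$validInput, $parameterName, [switch]$sensitive) {
    # Ensures a step parameter was supplied and, when $validInput is given, that it is one of
    # the allowed values. Throws on failure so the deployment stops before any Azure call is made.
    #   $parameterValue - value read from $OctopusParameters
    #   $validInput     - optional list of acceptable values (compared case-insensitively)
    #   $parameterName  - name used in log lines and error messages
    #   -sensitive      - log a placeholder instead of the value (passwords, keys)
    if ($sensitive) {
        Write-Host "${parameterName}: <redacted>"
    }
    else {
        Write-Host "${parameterName}: ${parameterValue}"
    }
    if (! $parameterValue) {
        throw "$parameterName cannot be empty, please specify a value"
    }
    # $validInput was previously accepted but never checked; enforce it when a caller provides one.
    if ($validInput -and ($validInput -notcontains $parameterValue)) {
        throw "$parameterName must be one of: $($validInput -join ', ')"
    }
}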

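Function Install-AzureKeyVaultCertificate {
    # Downloads the PFX stored behind a Key Vault certificate (exposed via Get-AzureKeyVaultSecret)
    # and installs it into the local certificate store, unless a certificate with the same
    # thumbprint is already present there. Requires an AzureRM session to have been established
    # by the caller.
    Param(
        [string]$keyVaultName,             # Key Vault that holds the certificate
        [string]$certificateName,          # certificate (secret) name inside the vault
        [string]$certificateVersion,       # specific version id, or "latest"
        [string]$certificateStoreName,     # e.g. My, Root
        [string]$certificateStoreLocation, # LocalMachine or CurrentUser
        [string]$certificateFriendlyName   # optional display name applied before import
    )

    Write-Output "Retrieving '$certificateName' from '$keyVaultName' ..."
    $getSecretParams = @{
        VaultName = $keyVaultName
        Name      = $certificateName
    }

    # "latest" is a sentinel meaning "omit -Version". The previous -notmatch was a regex substring
    # test and would also have skipped a real version id that happened to contain "latest".
    if ($certificateVersion -ne "latest") {
        $getSecretParams["Version"] = $certificateVersion
    }

    $cert = Get-AzureKeyVaultSecret @getSecretParams
    if (-not $cert -or -not $cert.SecretValueText) {
        # Without this guard FromBase64String fails on $null with a message that names neither
        # the vault nor the secret.
        throw "Secret '$certificateName' (version '$certificateVersion') was not found in Key Vault '$keyVaultName' or has no value"
    }

    # The secret value is the base64-encoded PFX. The private key is placed in the machine key
    # container and persisted, but the Exportable flag is deliberately NOT set, so the key cannot
    # be re-exported from the store afterwards.
    # NOTE(review): MachineKeySet is used regardless of $certificateStoreLocation, so for
    # CurrentUser the key still lands in the machine container - confirm that is intended.
    $b64 = [System.Convert]::FromBase64String($cert.SecretValueText)
    $pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($b64, "", "MachineKeySet,PersistKeySet")
    Write-Output "Certificate information:"
    Write-Output ($pfx | fl | Out-String)

    $certPath = "Cert:\$certificateStoreLocation\$certificateStoreName\$($pfx.Thumbprint)"
    if (Test-Path $certPath) {
        Write-Output "A certificate with thumbprint '$($pfx.Thumbprint)' appears to already exist in the certificate store. Skipping..."
        return
    }

    Write-Output "Opening certificate store '$certificateStoreName' in '$certificateStoreLocation' ..."
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($certificateStoreName, $certificateStoreLocation)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try {
        if ($certificateFriendlyName) {
            Write-Output "Setting certificate friendly name to '$certificateFriendlyName'..."
            $pfx.FriendlyName = $certificateFriendlyName
        }

        Write-Output "Adding certificate..."
        $store.Add($pfx)
        Write-Output "Certificate added."
    }
    finally {
        # Release the store handle even if Add() throws (e.g. access denied on LocalMachine).
        $store.Close()
    }

    Write-Output "Verifying - searching certificate store for thumbprint '$($pfx.Thumbprint)'..."
    if (Test-Path $certPath) {
        Write-Output "Certificate is successfully imported!"
    }
    else {
        # Write-Error is non-terminating unless $ErrorActionPreference is Stop; the step host
        # is assumed to run with Stop so this fails the deployment - verify in the runner config.
        Write-Error "ERROR: Certificate with thumbprint '$($pfx.Thumbprint)' was not found in certificate store '$certificateStoreName' in '$certificateStoreLocation'"
    }
}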

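# Read the step parameters supplied by Octopus. The Password parameter is declared "Sensitive"
# in the template, so nothing below writes its value to the deployment log.
$azureSubscriptionId = $OctopusParameters['Azure.GetKeyVaultCertificate.SubscriptionId']
$azureTenantId = $OctopusParameters['Azure.GetKeyVaultCertificate.TenantId']
$azureClientId = $OctopusParameters['Azure.GetKeyVaultCertificate.ClientId']
$azurePassword = $OctopusParameters['Azure.GetKeyVaultCertificate.Password']
$keyVaultName = $OctopusParameters['Azure.GetKeyVaultCertificate.KeyVaultName']
$certificateName = $OctopusParameters['Azure.GetKeyVaultCertificate.CertificateName']
$certificateVersion = $OctopusParameters['Azure.GetKeyVaultCertificate.CertificateVersion']
$certificateStoreName = $OctopusParameters['Azure.GetKeyVaultCertificate.CertificateStoreName']
$certificateStoreLocation = $OctopusParameters['Azure.GetKeyVaultCertificate.CertificateStoreLocation']
$certificateFriendlyName = $OctopusParameters['Azure.GetKeyVaultCertificate.CertificateFriendlyName']

# Validate that all parameters have values
Write-Output "Validating parameters..."
Validate-Parameter $azureSubscriptionId -parameterName "azureSubscriptionId"
Validate-Parameter $azureTenantId -parameterName "azureTenantId"
Validate-Parameter $azureClientId -parameterName "azureClientId"
# Checked inline rather than through Validate-Parameter, because that helper echoes the value it
# validates and a service principal secret must not end up in the deployment log.
if (! $azurePassword) {
    throw "azurePassword cannot be empty, please specify a value"
}
Write-Host "azurePassword: <redacted>"
Validate-Parameter $keyVaultName -parameterName "keyVaultName"
Validate-Parameter $certificateName -parameterName "certificateName"
Validate-Parameter $certificateVersion -parameterName "certificateVersion"
Validate-Parameter $certificateStoreName -parameterName "certificateStoreName"
# The template's Select control limits the location to the two values X509Store accepts; the same
# list is handed to Validate-Parameter's $validInput parameter so a project-level override can be
# rejected there as well.
Validate-Parameter $certificateStoreLocation -validInput @("LocalMachine", "CurrentUser") -parameterName "certificateStoreLocation"

# -AsPlainText -Force is required because the secret arrives from Octopus as a plain string.
# -ErrorAction Stop makes a failed login abort the step instead of continuing into
# Install-AzureKeyVaultCertificate without an Azure context.
$azureCreds = New-Object System.Management.Automation.PSCredential($azureClientId, (ConvertTo-SecureString -String $azurePassword -AsPlainText -Force))
Login-AzureRmAccount -ServicePrincipal -SubscriptionId $azureSubscriptionId -TenantId $azureTenantId -Credential $azureCreds -ErrorAction Stop

$params = @{
    keyVaultName             = $keyVaultName
    certificateName          = $certificateName
    certificateVersion       = $certificateVersion
    certificateStoreName     = $certificateStoreName
    certificateStoreLocation = $certificateStoreLocation
    certificateFriendlyName  = $certificateFriendlyName
}

Install-AzureKeyVaultCertificate @params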

Provided under the Apache License version 2.0.


To use this template in Octopus Deploy, copy the JSON below and paste it into the Library → Step templates → Import dialog.

{
  "Id": "e06e7e2a-5510-4b6d-bd46-22d3bc01291d",
  "Name": "Import Certificate from Azure Key Vault",
  "Description": "Imports a certificate from Azure Key Vault to the tentacle",
  "Version": 5,
  "ExportedAt": "2018-04-17T20:24:57.757Z",
  "ActionType": "Octopus.Script",
  "Author": "nshenoy",
  "Parameters": [
    {
      "Id": "70c9f9dd-22b6-4285-8d8a-f64278de0dc1",
      "Name": "Azure.GetKeyVaultCertificate.SubscriptionId",
      "Label": "Azure Service Principal SubscriptionId",
      "HelpText": "Azure SubscriptionId for the Service Principal account",
      "DefaultValue": "",
      "DisplaySettings": {
        "Octopus.ControlType": "SingleLineText"
      },
      "Links": {}
    },
    {
      "Id": "9a421884-0f63-417e-b2a9-b1039a1e8bf8",
      "Name": "Azure.GetKeyVaultCertificate.TenantId",
      "Label": "Azure Active Directory Tenant Id",
      "HelpText": "The Azure Active Directory Tenant Id associated with the Service Principal account",
      "DefaultValue": "",
      "DisplaySettings": {
        "Octopus.ControlType": "SingleLineText"
      },
      "Links": {}
    },
    {
      "Id": "bfb4a0a1-dab2-4c8f-bcb8-51033c35f633",
      "Name": "Azure.GetKeyVaultCertificate.ClientId",
      "Label": "Azure Service Principal Client Id",
      "HelpText": "The Client Id associated with the Service Principal account",
      "DefaultValue": "",
      "DisplaySettings": {
        "Octopus.ControlType": "SingleLineText"
      },
      "Links": {}
    },
    {
      "Id": "49857bcc-f3a1-4984-a2b1-ddeeca52114a",
      "Name": "Azure.GetKeyVaultCertificate.Password",
      "Label": "Azure Service Principal Password",
      "HelpText": "The password or \"key\" for the Service Principal account",
      "DefaultValue": "",
      "DisplaySettings": {
        "Octopus.ControlType": "Sensitive"
      },
      "Links": {}
    },
    {
      "Id": "220d17f6-070c-4a3d-b742-205d56b27f47",
      "Name": "Azure.GetKeyVaultCertificate.KeyVaultName",
      "Label": "Key Vault Name",
      "HelpText": "The name of the Azure Key Vault",
      "DefaultValue": "",
      "DisplaySettings": {
        "Octopus.ControlType": "SingleLineText"
      },
      "Links": {}
    },
    {
      "Id": "930e6703-3df4-40bb-b3ae-6d367bf5cc5d",
      "Name": "Azure.GetKeyVaultCertificate.CertificateName",
      "Label": "Certificate Name",
      "HelpText": "The name of the certificate to retrieve from the Key Vault",
      "DefaultValue": "",
      "DisplaySettings": {
        "Octopus.ControlType": "SingleLineText"
      },
      "Links": {}
    },
    {
      "Id": "b3616901-a27a-4960-984c-59b2388b243e",
      "Name": "Azure.GetKeyVaultCertificate.CertificateVersion",
      "Label": "Certificate Version",
      "HelpText": "_[Optional]_ Enter the specific version of the certificate. Defaults to `latest`.",
      "DefaultValue": "latest",
      "DisplaySettings": {
        "Octopus.ControlType": "SingleLineText"
      },
      "Links": {}
    },
    {
      "Id": "840f8939-4d87-42c7-9d6e-232d4617b90f",
      "Name": "Azure.GetKeyVaultCertificate.CertificateStoreName",
      "Label": "Certificate Store Name",
      "HelpText": "Certificate store name. E.g. `My`",
      "DefaultValue": "",
      "DisplaySettings": {
        "Octopus.ControlType": "Select",
        "Octopus.SelectOptions": "My|My\nCertificateAuthority|CertificateAuthority\nRoot|Root\nTrustedPeople|TrustedPeople\nTrustedPublisher|TrustedPublisher"
      },
      "Links": {}
    },
    {
      "Id": "15916c8a-709b-4f14-af36-63ee5d3265e9",
      "Name": "Azure.GetKeyVaultCertificate.CertificateStoreLocation",
      "Label": "Certificate Store Location",
      "HelpText": "Certificate store location. E.g. \"LocalMachine\"",
      "DefaultValue": "",
      "DisplaySettings": {
        "Octopus.ControlType": "Select",
        "Octopus.SelectOptions": "LocalMachine|LocalMachine\nCurrentUser|CurrentUser"
      },
      "Links": {}
    },
    {
      "Id": "3915f38e-947f-4313-b207-4e88b5f63969",
      "Name": "Azure.GetKeyVaultCertificate.CertificateFriendlyName",
      "Label": "Certificate Friendly Name",
      "HelpText": "_[Optional]_ A friendly name to give the certificate when importing. E.g. `Client Auth Cert for FooService`",
      "DefaultValue": "",
      "DisplaySettings": {
        "Octopus.ControlType": "SingleLineText"
      },
      "Links": {}
    }
  ],
  "Properties": {
    "Octopus.Action.Script.ScriptSource": "Inline",
    "Octopus.Action.Script.Syntax": "PowerShell",
    "Octopus.Action.Script.ScriptBody": "Import-Module AzureRM.Profile\nImport-Module AzureRM.KeyVault\n\nFunction Validate-Parameter($parameterValue, [string[]]$validInput, $parameterName) {\n    Write-Host \"${parameterName}: ${parameterValue}\"\n    if (! $parameterValue) {\n        throw \"$parameterName cannot be empty, please specify a value\"\n    }\n}\n\nFunction Install-AzureKeyVaultCertificate {\n    Param(\n        [string]$keyVaultName,\n        [string]$certificateName,\n        [string]$certificateVersion,\n        [string]$certificateStoreName,\n        [string]$certificateStoreLocation,\n        [string]$certificateFriendlyName\n    )\n    \n    Write-Output \"Retrieving '$certificateName' from '$keyVaultName' ...\"\n    $getSecretParams = @{\n    \tVaultName = $keyVaultName\n        Name = $certificateName\n    }\n\n\tif($certificateVersion -notmatch \"latest\") {\n        $getSecretParams[\"Version\"] = $certificateVersion\n    }\n    \n\t$cert = Get-AzureKeyVaultSecret @getSecretParams\n    $b64 = [System.Convert]::FromBase64String($cert.SecretValueText)\n    $pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($b64, \"\", \"MachineKeySet,PersistKeySet\")\n    Write-Output \"Certificate information:\"\n    Write-Output ($pfx | fl | Out-String)\n    \n    $certPath = \"Cert:\\$certificateStoreLocation\\$certificateStoreName\\$($pfx.Thumbprint)\"\n    if (Test-Path $certPath) {\n        \"A certificate with thumbprint '$($pfx.Thumbprint)' appears to already exist in the certificate store. 
Skipping...\"\n    }\n    else {\n        Write-Output \"Opening certificate store '$certificateStoreName' in '$certificateStoreLocation' ...\"\n        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($certificateStoreName, $certificateStoreLocation)\n        $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)\n\n\t\tif($certificateFriendlyName) {\n          Write-Output \"Setting certificate friendly name to '$certificateFriendlyName'...\"\n          $pfx.FriendlyName = $certificateFriendlyName\n\t\t}\n        \n        Write-Output \"Adding certificate...\"\n        $store.Add($pfx)\n        $store.Close()\n        Write-Output \"Certificate added.\"\n\n        Write-Output \"Verifying - searching certificate store for thumbprint '$($pfx.Thumbprint)'...\"\n        if (Test-Path $certPath) {\n            Write-Output \"Certificate is successfully imported!\"\n        }\n        else {\n            Write-Error \"ERROR: Certificate with thumbprint '$($pfx.Thumbprint)' was not found in certificate store '$certificateStoreName' in '$certificateStoreLocation'\"\n        }\n    }\n}\n\n$azureSubscriptionId = $OctopusParameters['Azure.GetKeyVaultCertificate.SubscriptionId']\n$azureTenantId = $OctopusParameters['Azure.GetKeyVaultCertificate.TenantId']\n$azureClientId = $OctopusParameters['Azure.GetKeyVaultCertificate.ClientId']\n$azurePassword = $OctopusParameters['Azure.GetKeyVaultCertificate.Password']\n$keyVaultName = $OctopusParameters['Azure.GetKeyVaultCertificate.KeyVaultName']\n$certificateName = $OctopusParameters['Azure.GetKeyVaultCertificate.CertificateName']\n$certificateVersion = $OctopusParameters['Azure.GetKeyVaultCertificate.CertificateVersion']\n$certificateStoreName = $OctopusParameters['Azure.GetKeyVaultCertificate.CertificateStoreName']\n$certificateStoreLocation = $OctopusParameters['Azure.GetKeyVaultCertificate.CertificateStoreLocation']\n$certificateFriendlyName = 
$OctopusParameters['Azure.GetKeyVaultCertificate.CertificateFriendlyName']\n\n# Validate that all parameters have values\nWrite-Output \"Validating parameters...\"\nValidate-Parameter $azureSubscriptionId -parameterName \"azureSubscriptionId\"\nValidate-Parameter $azureTenantId -parameterName \"azureTenantId\"\nValidate-Parameter $azureClientId -parameterName \"azureClientId\"\nValidate-Parameter $azurePassword -parameterName \"azurePassword\"\nValidate-Parameter $keyVaultName -parameterName \"keyVaultName\"\nValidate-Parameter $certificateName -parameterName \"certificateName\"\nValidate-Parameter $certificateVersion -parameterName \"certificateVersion\"\nValidate-Parameter $certificateStoreName -parameterName \"certificateStoreName\"\nValidate-Parameter $certificateStoreLocation -parameterName \"certificateStoreLocation\"\n\n$azureCreds = New-Object System.Management.Automation.PSCredential($azureClientId, (ConvertTo-SecureString -String $azurePassword -AsPlainText -Force))\nLogin-AzureRmAccount -ServicePrincipal -SubscriptionId $azureSubscriptionId -TenantId $azureTenantId -Credential $azureCreds\n\n$params = @{\n    keyVaultName             = $keyVaultName\n    certificateName          = $certificateName\n    certificateVersion       = $certificateVersion\n    certificateStoreName     = $certificateStoreName\n    certificateStoreLocation = $certificateStoreLocation\n    certificateFriendlyName     = $certificateFriendlyName\n}\n\nInstall-AzureKeyVaultCertificate @params"
  },
  "Category": "Azure",
  "HistoryUrl": "https://github.com/OctopusDeploy/Library/commits/master/step-templates//opt/buildagent/work/75443764cd38076d/step-templates/import-cert-from-azure-keyvault.json",
  "Website": "/step-templates/e06e7e2a-5510-4b6d-bd46-22d3bc01291d",
  "Logo": "iVBORw0KGgoAAAANSUhEUgAAAMgAAADICAMAAACahl6sAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAADNQTFRF////AHjXf7vrv931QJrh7/f8EIDaIIncMJHfYKvmz+b3n8zw3+76j8Ttr9XycLPpUKLkkKvYFAAABGZJREFUeNrsnNmCqjoQRc1MEiD8/9cer7Yt2KBJZQC8ez07sKlKTQlcLgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAzoUSnt8YxXlFuGHSbIaxvj+fip4btkLn1blkWLaF5v03yLhLOYlVuGYfMOMZzNGxCOzhjTJqFkXnjq3Dr1yyvPI3hGl3Ih3zzHHNKudRstRhX5O58vIcShY67Gq6EPIESlzUWvazaGAOGbvU7ArDu/g8M4o8opDZWvbvPzlL/MMBE8jT9T9W7PbAJlHPTBFRf9yVTEcs63msXz2UHLSgf650G/d5t+wjbxxB2UCMqGrk8/LFSD7uJMeNt5bcJCyQZyAe5Fo9KYfWS2flQrr4b4tpuzaeWjYs49rt9LHf9uZD7+VbyVi9EBNrjYjuq2sxQOrl+p+HuBVu45qvqfq691ttYFQ5KyKbyJgaIY/NGxrlWZwlwGvmvu1oY3PuAv0niTq6tZ78jk//9uc1r1r4lQki7y7sp2Tu4V1y2iLoqFTqi1lIGcpFiebrZNZ1dOkF0cCIlO8jQ47nCkam9Lilz9GhDF1I6XGLzfnhwDIIZVfI7+8SSgfHsijqXENOGJF5QorG4EcW0OrScqX/dDrXpr70Ut/BII+1OfECPuYz/NWxYmgrCsUskxPvyhgmrw+WGZ6lGTuOlIyCYWTFyWjpM5KIZRUIOwjRNYRQ6tZF9BXtk8hWAHPtLNJ727Fq0JSkC1FDRRF0Jalj0d5qVh2KEpM2TuSsCYTCT6ZkdmFYI9LrYp5QayWbo6NXlZwcRD/61pth5Fq5EX423QQxNjhqWvvklkljOLkYjrmphXPZOJOk6Pg7HKMsrtQKcowzZoK3rx1ZUelGMdQA/HaKkjAt2RgqpZeYqbNbH7Hp2ct4nqfSPOfe0ftiSTZJydOV6rG5bQbyLK+nRuCC0343PzDgiOXyQA5c14BTZi98uR/5KJ1SnatLdoO50WWBQZPTq0VgsklU3h932actuo17ayrHrb/3ykiegd3KbqF2wbV6RrlsJ07yLcpsWFTul9RyK6ZScr+tk7oNrFj0o7HQUlj4EiEvJ6rPLKSmlMZCrksl1OnLaRkxc+/HB1naMhNtT/6yM2bDs6azCRHrM3aVPN7aW8irD/10B8njpAMcsl8okXcdKrl4sPsLmQVy/Sj90ucPRc/d/Bxxj+dXSpCayen32D+hLi16MsIV8gfCXrYp6ySsiJKRUF0XXiLpVbFU+fNv4r7mOwhFsX4ZdwpSi1DYs2jb6ebZ9788cblTzMrYhu7sf/17IFdtuviJ2ioHA6pMHkoH4CLUeMBU7iGkxuM/YgcdderF9ibRdc7O982F1HpYhjfWUe+x5a6pjop9iNLfoePvlsdZdTSMwfxSmTY20Q0eHnUNzga1edeNmmqbg18aMVR1L9vwSXHF9TfIWBxpKLs2hj3eQeBC0USvp2HHF3eIkRdhFOd6ER8AAAAAAAAAAAAAAAAAAAAAAAAAAAAA/I/4J8AAo/80BciBec4AAAAASUVORK5CYII=",
  "$Meta": {
    "Type": "ActionTemplate"
  }
}

History

Page updated on Tuesday, April 17, 2018