Export an Azure App Service Certificate PFX PowerShell

I found this article “Creating a local PFX copy of App Service Certificate” here and wanted to do a reproduction of it.

I wrote an article here where I discussed “How (I) configured an App Service Certificate for my Azure App Service” which might help to get a broader perspective of what and how to configure an App Service Certificate.

To execute the PowerShell script provided at the site mentioned in the first line of this article and shown in Figure 2, requires some information like Certificate Name, Resource Group, Email Id and Subscriptions.  All of that information, excluding the Email Id can be found on the App Services Certificates –> Certificate Properties blade, as seen in Figure 1.  The Email Id I used was the one linked to the Subscription in which the certificate exists.


Figure 1, App Service Certificate, certificate properties

Next, execute the PowerShell script below and shown in Figure 2.

$appServiceCertificateName = ""
$resourceGroupName = ""
$azureLoginEmailId = ""
$subscriptionId = ""

Set-AzureRmContext -SubscriptionId $subscriptionId

$ascResource = Get-AzureRmResource -ResourceName $appServiceCertificateName -ResourceGroupName $resourceGroupName -ResourceType "Microsoft.CertificateRegistration/certificateOrders" -ApiVersion "2015-08-01"
$keyVaultId = ""
$keyVaultSecretName = ""

$certificateProperties=Get-Member -InputObject $ascResource.Properties.certificates[0] -MemberType NoteProperty
$certificateName = $certificateProperties[0].Name
$keyVaultId = $ascResource.Properties.certificates[0].$certificateName.KeyVaultId
$keyVaultSecretName = $ascResource.Properties.certificates[0].$certificateName.KeyVaultSecretName

$keyVaultIdParts = $keyVaultId.Split("/")
$keyVaultName = $keyVaultIdParts[$keyVaultIdParts.Length - 1]
$keyVaultResourceGroupName = $keyVaultIdParts[$keyVaultIdParts.Length - 5]
Set-AzureRmKeyVaultAccessPolicy -ResourceGroupName $keyVaultResourceGroupName -VaultName $keyVaultName -UserPrincipalName $azureLoginEmailId -PermissionsToSecrets get
$secret = Get-AzureKeyVaultSecret -VaultName $keyVaultName -Name $keyVaultSecretName
$pfxCertObject=New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @([Convert]::FromBase64String($secret.SecretValueText),"", [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
$pfxPassword = -join ((65..90) + (97..122) + (48..57) | Get-Random -Count 50 | % {[char]$_})
$currentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
[Environment]::CurrentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
[io.file]::WriteAllBytes(".\appservicecertificate.pfx", $pfxCertObject.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $pfxPassword))
Write-Host "Created an App Service Certificate copy at: $currentDirectory\appservicecertificate.pfx"
Write-Warning "For security reasons, do not store the PFX password. Use it directly from the console as required."
Write-Host "PFX password: $pfxPassword"

I copied the above PowerShell script from this post.  “Creating a local PFX copy of App Service Certificate”


Figure 2, App Service Certificate, export PFX file using PowerShell

The script ran pretty fast and it did indeed export the PFX file and provided me a password.  I imported it into CERTMGR, which I discuss a little here and here, so that I could look at the details.  See Figure 3.


Figure 3, App Service Certificate, export PFX file using PowerShell and import into CERTMGR

The goal was to move the certificate to another Azure App Service Web App in another subscription.  So I accessed the Azure Portal, as seen in Figure 4, and was able to add the certificate to the new Web App.  Selecting the Upload Certificate open a new blade where you can enter the PFX file and enter the password generated by the PowerShell script executed previously.


Figure 4, App Service Certificate, move to another subscription, use an App Service Certificate with IIS, export PFX

Comments (1)

  1. I liked this better then the original one you referenced, thank you

    This didn’t work for me, I had to use –ObjectId with the id of my login for the Set-AzureRmKeyVaultAccessPolicy line. I’m not sure if that was due to my Azure AD setup or another change. But maybe it will help someone else

Skip to main content