Import-AzKeyVaultCertificate: Key not valid for use in specified state

[lynshi]

Description

I am trying to import a .p12 certificate to Azure Key Vault but am getting an error.

Import-AzKeyVaultCertificate: Key not valid for use in specified state.

Some links online indicate a password may be required to import the certificate, but the certificate does not have one and our equivalent Azure CLI command does not pass a password either.

Issue script & Debug output

PS > Import-AzKeyVaultCertificate -FilePath .\$FileName.p12 -Name $CertificateName -VaultName $VaultName
DEBUG: 10:22:50 AM - ImportAzureKeyVaultCertificate begin processing with ParameterSet 'ImportCertificateFromFile'.
DEBUG: 10:22:50 AM - using account id '<REDACTED>'...
Import-AzKeyVaultCertificate: Key not valid for use in specified state.
DEBUG: AzureQoSEvent: CommandName - Import-AzKeyVaultCertificate; IsSuccess - False; Duration - 00:00:00.3343187; Exception - Key not valid for use in specified state.;
DEBUG: Finish sending metric.
DEBUG: 10:22:52 AM - ImportAzureKeyVaultCertificate end processing.

Environment data

PS > $PSVersionTable
Name Value
---- -----
PSVersion 7.1.3
PSEdition Core
GitCommitId 7.1.3
OS Microsoft Windows 10.0.19043
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0

Module versions

PS > Get-Module Az*
ModuleType Version PreRelease Name ExportedCommands
---------- ------- ---------- ---- ----------------
Script 2.3.0 Az.Accounts {Add-AzEnvironment, Clear-AzContext, Clear-AzDefault, Connect-…
Script 3.4.4 Az.KeyVault {Add-AzKeyVaultCertificate, Add-AzKeyVaultCertificateContact, …

Error output

PS > Resolve-AzError
DEBUG: 10:30:54 AM - ResolveError begin processing with ParameterSet 'AnyErrorParameterSet'.
DEBUG: 10:30:54 AM - using account id '<REDACTED>'...
WARNING: Upcoming breaking changes in the cmdlet 'Resolve-AzError' :
The `Resolve-Error` alias will be removed in a future release. Please change any scripts that use this alias to use `Resolve-AzError` instead.
Note : Go to https://aka.ms/azps-changewarnings for steps to suppress this breaking change warning, and other information on breaking changes in Azure PowerShell.



HistoryId: 27



ErrorCategory : CloseError: (:) [Import-AzKeyVaultCertificate], WindowsCryptographicException
ErrorDetail :
InvocationInfo : {Import-AzKeyVaultCertificate}
Line : Import-AzKeyVaultCertificate -FilePath "$Filename.p12" -Name
$CertificateName -VaultName $VaultName
Position : At line:1 char:1
+ Import-AzKeyVaultCertificate -FilePath "<REDACTED> …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
BoundParameters : {}
UnboundParameters :
HistoryId : 27



Resolve-AzError: Collection was modified; enumeration operation may not execute.
DEBUG: AzureQoSEvent: CommandName - Resolve-AzError; IsSuccess - False; Duration - 00:00:00.1092612; Exception - Collection was modified; enumeration operation may not execute.;
DEBUG: Finish sending metric.
DEBUG: 10:30:55 AM - ResolveError end processing.

[BethanyZhou]

Hi @lynshi ,

The error is thrown by following codes when exporting

// X509Certificate2Collection userProvidedCertColl = InitializeCertificateCollection();
byte[] base64Bytes = userProvidedCertColl.Export(X509ContentType.Pfx);

So could you check your p12 file whether contains private key and your private key whether is not marked as exportable?

[lynshi]

Short answer: The p12 file contains the private key, and I'm pretty certain the private key can be exported with no password.

Long answer: The certificate was generated with step certificate p12 --no-password --insecure so that the private key is written unencrypted. I was just able to upload the certificate with the following Azure CLI command, and it looks ok in the Azure Portal.

az keyvault certificate import --file $filename.p12 \
                               --name $certName \
                               --vault-name $kvName

I guess Azure PowerShell expects a password for the private key? Incidentally, I tried to view the certificate with openssl pkcs12, and that also errored out when decrypting the private key (it required a 4-character minimum passphrase for reading the private key).

[BethanyZhou]

Thank you for your feedback, already identified the root cause. Will fix this issue in current sprint. New module will be delivered to customer on 02/01 according to our schedule.