
[BUG] Failed to download PEM certificate from azure.keyvault with failure "The provided key does not match the public key for this certificate" #44596

Open

Description

Library name and version

Azure.Security.KeyVault.Certificates 4.6.0; Azure.Core 1.40.0; Azure.Identity 1.11.4

Describe the bug

When using CertificateClient to download certificates with client.DownloadCertificateAsync(certname) for a PEM-format cert in Azure Key Vault, I got an exception:


System.Reflection.TargetInvocationException
  HResult=0x80131604
  Message=Exception has been thrown by the target of an invocation.
  Source=System.Private.CoreLib
  StackTrace:
   at System.Reflection.MethodBaseInvoker.InvokeWithFewArgs(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at System.Reflection.MethodBase.Invoke(Object obj, Object[] parameters)
   at Azure.Core.PemReader.CreateRsaCertificate(Byte[] cer, Byte[] key, X509KeyStorageFlags keyStorageFlags)
   at Azure.Core.PemReader.LoadCertificate(ReadOnlySpan`1 data, Byte[] cer, KeyType keyType, Boolean allowCertificateOnly, X509KeyStorageFlags keyStorageFlags)
   at Azure.Security.KeyVault.Certificates.CertificateClient.<DownloadCertificateAsync>d__19.MoveNext()
   at Azure.Security.KeyVault.Certificates.CertificateClient.<DownloadCertificateAsync>d__18.MoveNext()
 ..

  This exception was originally thrown at this call stack:
    [External Code]

Inner Exception 1:
ArgumentException: The provided key does not match the public key for this certificate. (Parameter 'privateKey')

The cert itself is automatically generated by Azure Key Vault.
When generating the cert with PKCS#12, the DownloadCertificate function works correctly.
But when generating it with PEM, by just changing the content type to PEM as shown in the screenshot below, the same code fails.
[screenshot]

I read the code of DownloadCertificate. It looks like it already has specific handling for the PEM format.
Is anything wrong here?

Expected behavior

see above description

Actual behavior

see above description

Reproduction Steps

  1. Register a domain in the One-Cert system with a private AME issuer only
  2. Generate a cert for this domain in PEM format
  3. Call the DownloadCertificate function

Environment

No response
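A diagnostic for the mismatch reported above, added here as an example and not code from the issue or from the Azure SDK: it reads the PEM bundle that Key Vault keeps in the certificate's backing secret and compares the private key against the certificate's public key directly, which separates "the stored PEM is inconsistent" from "the SDK's PemReader mishandles it". It assumes .NET 5 or later and the Azure.Security.KeyVault.Secrets package; the vault URL and certificate name are placeholders.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

public static class PemKeyCheck
{
    // Reads the PEM bundle Key Vault keeps in the certificate's backing secret and checks
    // whether the PRIVATE KEY block in it matches the CERTIFICATE block's public key.
    public static async Task<bool> PrivateKeyMatchesCertificateAsync(Uri vaultUri, string certName)
    {
        var secrets = new SecretClient(vaultUri, new DefaultAzureCredential());
        KeyVaultSecret secret = await secrets.GetSecretAsync(certName);
        if (secret.Properties.ContentType != "application/x-pem-file")
            throw new InvalidOperationException($"Not a PEM certificate: {secret.Properties.ContentType}");
        string pem = secret.Value;
        // Certificate-only parse; the single-argument overload ignores non-CERTIFICATE blocks.
        using X509Certificate2 cert = X509Certificate2.CreateFromPem(pem);

        using RSA? certRsa = cert.GetRSAPublicKey();
        if (certRsa != null)
        {
            using RSA keyRsa = RSA.Create();
            keyRsa.ImportFromPem(pem); // skips the CERTIFICATE block, reads the PRIVATE KEY block
            byte[] certMod = certRsa.ExportParameters(false).Modulus!;
            byte[] keyMod = keyRsa.ExportParameters(false).Modulus!;
            return certMod.AsSpan().SequenceEqual(keyMod);
        }
        using ECDsa? certEc = cert.GetECDsaPublicKey();
        if (certEc != null)
        {
            using ECDsa keyEc = ECDsa.Create();
            keyEc.ImportFromPem(pem);
            ECPoint certQ = certEc.ExportParameters(false).Q;
            ECPoint keyQ = keyEc.ExportParameters(false).Q;
            return certQ.X!.AsSpan().SequenceEqual(keyQ.X!) && certQ.Y!.AsSpan().SequenceEqual(keyQ.Y!);
        }
        throw new NotSupportedException("Certificate public key is neither RSA nor EC.");
    }

    public static async Task Main()
    {
        // Placeholders: replace with the real vault URL and certificate name.
        bool ok = await PrivateKeyMatchesCertificateAsync(new Uri("https://<your-vault>.vault.azure.net/"), "<certificate-name>");
        Console.WriteLine(ok ? "private key matches certificate" : "private key does NOT match certificate");
    }
}
```

If this reports a match while DownloadCertificateAsync still throws, the SDK's PEM handling is the place to look; if it reports a mismatch, the stored PEM itself is inconsistent.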

Labels

  • Client: This issue points to a problem in the data-plane of the library.
  • KeyVault
  • customer-reported: Issues that are reported by GitHub users external to the Azure organization.
  • feature-request: This issue requires a new behavior in the product in order to be resolved.
  • needs-team-attention: Workflow: This issue needs attention from Azure service team or SDK team.
  • question: The issue doesn't require a change to the product in order to be resolved. Most issues start as that.