Preparing the parameters
The certificate is exported with the script prepared below.
Before running it, collect the parameter values the script needs.
Go to the Azure portal and note the following values, which the PowerShell script will use:
TenantID
SubscriptionID, Resource Group Name, App Service Certificate Name
Running PowerShell
Preparing the PowerShell script
This is the PowerShell script that exports a certificate registered in Azure (an App Service Certificate) as a PFX file.
Function Export-AppServiceCertificate
{
    ###########################################################
    Param(
        # $loginId is the sign-in user principal name (UPN); it is the account that is granted "get" on secrets below
        [Parameter(Mandatory=$true,Position=1,HelpMessage="Sign-in user principal name (UPN)")]
        [string]$loginId,
        [Parameter(Mandatory=$true,HelpMessage="Tenant Id")]
        [string]$tenantId,
        [Parameter(Mandatory=$true,HelpMessage="Subscription Id")]
        [string]$subscriptionId,
        [Parameter(Mandatory=$true,HelpMessage="Resource Group Name")]
        [string]$resourceGroupName,
        [Parameter(Mandatory=$true,HelpMessage="Name of the App Service Certificate Resource")]
        [string]$name
    )
    #####################################################
    # Login-AzAccount is only an alias; Connect-AzAccount is the canonical Az cmdlet
    Connect-AzAccount -Tenant $tenantId
    Set-AzContext -SubscriptionId $subscriptionId
    ## Get the KeyVault resource id and the KeyVault secret name where the certificate is stored
    $ascResource = Get-AzResource -ResourceId "/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.CertificateRegistration/certificateOrders/$name"
    # The certificates collection holds one property per certificate, keyed by the certificate name
    $certProps = Get-Member -InputObject $ascResource.Properties.certificates[0] -MemberType NoteProperty
    $certificateName = $certProps[0].Name
    $keyVaultId = $ascResource.Properties.certificates[0].$certificateName.KeyVaultId
    $keyVaultSecretName = $ascResource.Properties.certificates[0].$certificateName.KeyVaultSecretName
    ## Split the resource id of the KeyVault to get KeyVaultName and KeyVaultResourceGroupName
    ## (/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.KeyVault/vaults/<vault>)
    $keyVaultIdParts = $keyVaultId.Split("/")
    $keyVaultName = $keyVaultIdParts[$keyVaultIdParts.Length - 1]
    $keyVaultResourceGroupName = $keyVaultIdParts[$keyVaultIdParts.Length - 5]
    ## --- !! NOTE !! ----
    ## Only users who have the right RBAC permissions can set the access policy on the KeyVault; if the command fails contact the owner of the KeyVault
    Set-AzKeyVaultAccessPolicy -ResourceGroupName $keyVaultResourceGroupName -VaultName $keyVaultName -UserPrincipalName $loginId -PermissionsToSecrets get
    Write-Host "Get Secret Access to account $loginId has been granted from the KeyVault, please check and remove the policy after exporting the certificate"
    ## Getting the secret from the KeyVault
    $secret = Get-AzKeyVaultSecret -VaultName $keyVaultName -Name $keyVaultSecretName
    ## The SecretValueText property was removed in Az.KeyVault 2.0; read the SecureString value instead.
    ## The BSTR round trip works on both Windows PowerShell 5.1 and PowerShell 7.
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secret.SecretValue)
    try {
        $secretValueText = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    }
    finally {
        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
    ## The secret is the base64-encoded PFX with an empty password; load it with an exportable private key
    $pfxCertObject = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @([Convert]::FromBase64String($secretValueText),"",[System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
    ## Random 50-character password (A-Z, a-z, 0-9) protecting the exported PFX
    $pfxPassword = -join ((65..90) + (97..122) + (48..57) | Get-Random -Count 50 | % {[char]$_})
    $currentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
    [Environment]::CurrentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
    [io.file]::WriteAllBytes(".\" + $name + ".pfx",$pfxCertObject.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12,$pfxPassword))
    ## --- !! NOTE !! ----
    ## Remove the access policy required for exporting the certificate once you have exported it, to avoid giving the account prolonged access to the KeyVault.
    ## The account will be completely removed from the KeyVault access policy and will no longer be able to access any keys/secrets/certificates on the KeyVault.
    ## Run the following command only if you are sure that the account is not used for any other access on the KeyVault, or log in to the portal and change the access policy accordingly.
    # Remove-AzKeyVaultAccessPolicy -ResourceGroupName $keyVaultResourceGroupName -VaultName $keyVaultName -UserPrincipalName $loginId
    # Write-Host "Access to account $loginId has been removed from the KeyVault"
    # Print the password for the exported certificate
    Write-Host "Created an App Service Certificate copy at: $currentDirectory\$name.pfx"
    Write-Warning "For security reasons, do not store the PFX password. Use it directly from the console as required."
    Write-Host "PFX password: $pfxPassword"
}
# Fill in the values collected from the portal before running
Export-AppServiceCertificate -loginId "" -tenantId "" -subscriptionId "" -resourceGroupName "" -name ""
Running the script
Fill the parameter values prepared above into the script and run it.
If it runs successfully, you will see the output below and the pfx file will be written to the path shown.
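Two follow-up steps worth doing once the script has printed its output: confirm that the PFX actually contains a usable private key (and was not written with a miscopied password), and verify that the temporary Key Vault access policy the script granted is gone again. The following is an added example and not part of the original post; it assumes you are still signed in with Connect-AzAccount, that the Az module is loaded, and that the path, password, vault name, vault resource group and UPN passed in are the ones the export script printed or derived. The function names are this example's own.

```powershell
# Added example (not from the original post). Assumes an active Az session and the
# values printed/derived by Export-AppServiceCertificate above.

Function Test-ExportedAppServicePfx
{
    Param(
        [Parameter(Mandatory=$true)][string]$PfxPath,      # path printed by the export script
        [Parameter(Mandatory=$true)][string]$PfxPassword,  # password printed by the export script
        [int]$MinDaysValid = 30                            # flag certificates that expire sooner than this
    )
    $fullPath = (Resolve-Path $PfxPath).Path
    # Loading the file with the password proves the PFX is intact and the password was copied correctly;
    # a wrong password throws here instead of failing later on the web server.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @($fullPath, $PfxPassword)
    try {
        $daysRemaining = [int]($cert.NotAfter - (Get-Date)).TotalDays
        [pscustomobject]@{
            Path          = $fullPath
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey   # must be $true; a cert-only PFX is useless for TLS
            DaysRemaining = $daysRemaining
            Ok            = ($cert.HasPrivateKey -and $daysRemaining -ge $MinDaysValid)
        }
    }
    finally {
        $cert.Dispose()   # releases the temporary private-key container created on import
    }
}

Function Remove-TemporaryKeyVaultAccess
{
    Param(
        [Parameter(Mandatory=$true)][string]$KeyVaultResourceGroupName,  # $keyVaultResourceGroupName in the export script
        [Parameter(Mandatory=$true)][string]$KeyVaultName,               # $keyVaultName in the export script
        [Parameter(Mandatory=$true)][string]$LoginId                     # the UPN that was granted "get" on secrets
    )
    # Remove the policy the export script added, then read the vault back to confirm it is really gone
    Remove-AzKeyVaultAccessPolicy -ResourceGroupName $KeyVaultResourceGroupName -VaultName $KeyVaultName -UserPrincipalName $LoginId
    $objectId = (Get-AzADUser -UserPrincipalName $LoginId).Id
    $vault = Get-AzKeyVault -ResourceGroupName $KeyVaultResourceGroupName -VaultName $KeyVaultName
    $remaining = @($vault.AccessPolicies | Where-Object { $_.ObjectId -eq $objectId })
    if ($remaining.Count -gt 0) {
        Write-Warning "Access policy for $LoginId is still present on $KeyVaultName; remove it in the portal."
    } else {
        Write-Host "Access policy for $LoginId has been removed from $KeyVaultName"
    }
    return ($remaining.Count -eq 0)
}

# Usage, with placeholders standing in for the values the export script printed:
# Test-ExportedAppServicePfx -PfxPath ".\<App Service Certificate Name>.pfx" -PfxPassword "<printed PFX password>"
# Remove-TemporaryKeyVaultAccess -KeyVaultResourceGroupName "<vault resource group>" -KeyVaultName "<vault name>" -LoginId "<user@contoso.com>"
```

Run the check first and the removal second, so the access policy is only revoked once the PFX is known to be good. If the Key Vault uses the Azure RBAC permission model instead of access policies, neither the script's Set-AzKeyVaultAccessPolicy nor this Remove-AzKeyVaultAccessPolicy applies; in that case the temporary access is a role assignment on the vault, and that assignment is what has to be removed.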