
Using Azure Key Vault with Azure Web Apps – “The parameter KeyVault Certificate has an invalid value.” [Solved ✓]

By Peter Örneholm | Blog | 3 January 2017

TL;DR: If you receive “Bad Request (51008): The parameter KeyVault Certificate has an invalid value” as part of your App Service deployment when using an SSL cert hosted in Azure Key Vault, you have probably uploaded the certificate in the wrong format, maybe from the UI in the Azure Portal. There is a great blog post with a PowerShell script that tells you how to convert and upload it in the correct format (application/x-pkcs12).

The longer story

Recently I started exploring the possibility of using Azure Key Vault to store the SSL certificate used to enable HTTPS for our company website hosted in Azure App Service. Azure Key Vault enables secure key management and makes it really easy to roll out new keys, passwords and certificates whenever these need to be updated.

As of today there is no way to enable a web app to use a certificate from Azure Key Vault through the portal; instead you need to use the APIs. In my case I was using ARM Templates to do the deployment.

During the deployment I got the following error (which wasn’t that helpful to be honest):

Resource Microsoft.Web/certificates 'peterorneholm' failed with message '{
  "Code": "BadRequest",
  "Message": "The parameter KeyVault Certificate has an invalid value.",
  "Target": null,
  "Details": [
    {
      "Message": "The parameter KeyVault Certificate has an invalid value."
    },
    {
      "Code": "BadRequest"
    },
    {
      "ErrorEntity": {
        "Code": "BadRequest",
        "Message": "The parameter KeyVault Certificate has an invalid value.",
        "ExtendedCode": "51008",
        "MessageTemplate": "The parameter {0} has an invalid value.",
        "Parameters": [
          "KeyVault Certificate"
        ],
        "InnerErrors": null
      }
    }
  ],
  "Innererror": null
}'

It turned out (after some troubleshooting) that the issue was that the certificate I had stored in Azure Key Vault was in the wrong format. I had used the UI in the portal to upload and configure the secret, but apparently the certificates you upload in the portal are supposed to be consumed from VMs and are not compatible with App Service.

Certificates used by App Service first need to be converted to (and marked as) application/x-pkcs12. The easiest way to do so is to use a PowerShell script. The App Service team provides one (along with some good instructions) in this blog post:
https://blogs.msdn.microsoft.com/appserviceteam/2016/05/24/deploying-azure-web-app-certificate-through-key-vault/
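
The conversion and a check of the stored secret, as an added example that is not part of the original post or the App Service team's script. It assumes the Az.KeyVault module with a signed-in session, and that the secret value is the base64-encoded PFX; the function names and parameters are hypothetical.

```powershell
using namespace System.Security.Cryptography.X509Certificates

function Publish-PfxToKeyVault {
    param([string]$PfxPath, [securestring]$PfxPassword, [string]$VaultName, [string]$SecretName)

    # Import() needs a plain-text password; keep it in a local variable only.
    $plain = [System.Net.NetworkCredential]::new('', $PfxPassword).Password
    $certs = [X509Certificate2Collection]::new()
    # Exportable is required, otherwise the private key cannot be re-exported.
    $certs.Import((Resolve-Path $PfxPath).Path, $plain, [X509KeyStorageFlags]::Exportable)

    # Re-export as PKCS#12 without a password: read access to the vault secret is
    # now the only protection for the private key, so restrict who can read it.
    $base64 = [Convert]::ToBase64String($certs.Export([X509ContentType]::Pkcs12))
    $value  = ConvertTo-SecureString -String $base64 -AsPlainText -Force

    Set-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName `
        -SecretValue $value -ContentType 'application/x-pkcs12'
}

function Test-KeyVaultPfxSecret {
    param([string]$VaultName, [string]$SecretName)

    $secret = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName
    if (-not $secret) { throw "Secret '$SecretName' not found in vault '$VaultName'." }

    # A secret stored with another content type is the cause described in this post.
    if ($secret.ContentType -ne 'application/x-pkcs12') {
        Write-Warning "Content type is '$($secret.ContentType)', expected application/x-pkcs12."
        return $false
    }
    try {
        # Assumption: the value is a base64-encoded, password-less PFX.
        $plain = [System.Net.NetworkCredential]::new('', $secret.SecretValue).Password
        $cert  = [X509Certificate2]::new([byte[]][Convert]::FromBase64String($plain))
    } catch {
        Write-Warning "Secret value is not a base64-encoded PKCS#12 blob: $_"
        return $false
    }
    if (-not $cert.HasPrivateKey) {
        Write-Warning 'Certificate has no private key.'
        return $false
    }
    Write-Host "OK: $($cert.Subject), expires $($cert.NotAfter)"
    return $true
}
```

Running `Test-KeyVaultPfxSecret` before the ARM deployment shows whether the secret's content type or encoding is the problem, instead of waiting for the 51008 error.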

Hopefully this will help you out if you encounter the same issue I had :)
