Introduction

Azure App Service Certificates provide a convenient way to purchase TLS/SSL certificates and bind them to App Service apps right from within the portal. Because the certificate and its private key are stored in Azure Key Vault, they can also be exported as a PFX file and used elsewhere, for example on a VM, a load balancer or an on-premises server that fronts the same hostname.

Exporting the Certificate

App Service Certificates are stored in the Key Vault you selected when you provisioned them (the "Certificate Configuration" step), so we need to talk to Key Vault to extract the certificate and create the PFX file. This can be achieved with some Azure PowerShell. The following snippet reads the secret that holds the certificate (a base64-encoded, password-less PFX) from Key Vault and then exports it as a password-protected PFX file that you can import elsewhere. When asked to log in, use an identity that at a minimum has Get permission on secrets in that vault (via the vault's access policy, or the Key Vault Secrets User role if the vault uses RBAC). The snippet uses the AzureRM module; the equivalents in the current Az module are Connect-AzAccount, Set-AzContext and Get-AzKeyVaultSecret -AsPlainText.

#Connect to Azure and select subscription (AzureRM module)
Login-AzureRmAccount
Select-AzureRMSubscription -SubscriptionName "<name of subscription containing keyvault>"

#Obtain the secret from keyvault. Without -Version this returns the latest version of the secret.
$vaultName = '<name of Keyvault>'
$secretName = '<name of secret containing certificate>'
$certSecret = Get-AzureKeyVaultSecret -VaultName $vaultName -Name $secretName
if (-not $certSecret) { throw "Secret '$secretName' not found in vault '$vaultName' (check the name and your access policy)" }

#Create a PFX from the secret and write to disk.
#The secret value is a base64-encoded PFX with no password, so Import gets $null as the password.
$kvSecretBytes = [System.Convert]::FromBase64String($certSecret.SecretValueText)
$certCollection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
#Exportable is required, otherwise the private key cannot be written back out by Export below
$certCollection.Import($kvSecretBytes, $null, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
$password = '<required password for PFX>'
$protectedCertificateBytes = $certCollection.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $password)
$pfxDir = 'C:\temp'
New-Item -ItemType Directory -Path $pfxDir -Force | Out-Null   #WriteAllBytes fails if the folder does not exist
$pfxPath = Join-Path $pfxDir "$secretName.pfx"
[System.IO.File]::WriteAllBytes($pfxPath, $protectedCertificateBytes)

Two things to keep in mind. First, the PFX you have just written contains the private key, so it is now a copy of that key living outside Key Vault: restrict who can read the file, import it straight into the destination certificate store, and delete it (and any copies left in shell history or transfer locations) once it has been imported. Second, the PFX is a copy of the certificate as it stands at the point you extract it. If you re-key or renew the certificate, Key Vault stores the new PFX as a new version of the same secret, and the script above always reads the latest version, so you will need to re-export the PFX and replace it wherever it is used; the old copy keeps working only until the old certificate expires.
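To make the second point operational, here is an added PowerShell example (not part of the original post) that checks an exported PFX and tells you whether it is still current. It opens the PFX with its password, confirms a private key is present, reports the expiry, and then compares the thumbprint of the local PFX with the thumbprint of whatever is in the Key Vault secret right now. It uses the same AzureRM cmdlets as the script above, assumes you are already logged in with Login-AzureRmAccount, and the function names, parameter names and the placeholder paths in the usage line are this example's own.

```powershell
# Inspect an exported PFX: confirm it opens with the password, carries its private key,
# and is not about to expire. Returns an object so the result can be logged or compared.
function Test-ExportedPfx {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [string] $Password,
        [int] $WarnDays = 30
    )
    $bytes = [System.IO.File]::ReadAllBytes($PfxPath)
    $col = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    # Import throws on a wrong password or a corrupt file. DefaultKeySet (no PersistKeySet)
    # means the private key is not left behind in the local certificate store.
    $col.Import($bytes, $Password, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
    # A PFX may also carry the issuing chain; the entry with the private key is the leaf we care about.
    $leaf = $col | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
    if (-not $leaf) { throw "No certificate with a private key found in $PfxPath" }
    [pscustomobject]@{
        Subject     = $leaf.Subject
        Thumbprint  = $leaf.Thumbprint
        NotAfter    = $leaf.NotAfter
        DaysLeft    = [int]($leaf.NotAfter - (Get-Date)).TotalDays
        ExpiresSoon = $leaf.NotAfter -lt (Get-Date).AddDays($WarnDays)
        EntryCount  = $col.Count
    }
}

# Thumbprint of the certificate currently held in the Key Vault secret (latest version),
# loaded the same way the export script loads it. Assumes an existing AzureRM login.
function Get-KeyVaultPfxThumbprint {
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $SecretName
    )
    $secret = Get-AzureKeyVaultSecret -VaultName $VaultName -Name $SecretName
    if (-not $secret) { throw "Secret '$SecretName' not found in vault '$VaultName'" }
    $bytes = [System.Convert]::FromBase64String($secret.SecretValueText)
    $col = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $col.Import($bytes, $null, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
    $leaf = $col | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
    if (-not $leaf) { throw "Secret '$SecretName' does not contain a certificate with a private key" }
    $leaf.Thumbprint
}

# Compare the two. If the thumbprints differ, the certificate was renewed or re-keyed since
# the export and the PFX in use must be regenerated and redeployed. The thumbprint is only
# an identifier here (it is a SHA-1 hash of the DER certificate), not a security check.
function Test-PfxCurrent {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [string] $Password,
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $SecretName
    )
    $local = Test-ExportedPfx -PfxPath $PfxPath -Password $Password
    $vault = Get-KeyVaultPfxThumbprint -VaultName $VaultName -SecretName $SecretName
    [pscustomobject]@{
        Subject         = $local.Subject
        LocalThumbprint = $local.Thumbprint
        VaultThumbprint = $vault
        IsCurrent       = ($local.Thumbprint -eq $vault)
        DaysLeft        = $local.DaysLeft
        ExpiresSoon     = $local.ExpiresSoon
    }
}

# Usage (placeholders, fill in your own values):
# Test-PfxCurrent -PfxPath 'C:\temp\<name of secret>.pfx' -Password '<required password for PFX>' `
#                 -VaultName '<name of Keyvault>' -SecretName '<name of secret containing certificate>'
```

Run Test-PfxCurrent from a scheduled job or before each deployment that ships the PFX: IsCurrent turning false is the signal that a renewal or re-key has happened in Key Vault and the export step needs to be repeated, and ExpiresSoon catches the case where nobody renewed at all.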