I am using Azure Key Vault to protect our keys and secrets, but I am unsure how I can use the KeyBundle I retrieve using the .net SDK. How can I create an X509Certificate2 object?

When you import / create a certificate in KeyVault, 3 entities are created:

  • Certificate - contains all the relevant details about the certificate, including its public part (i.e. public key, validity period, thumbprint etc.)

  • Secret - contains the private key (which is the private part of the certificate) in base64

  • Key - I don't know, but irrelevant for this thread.

You could create X509Certificate2 object with either the Certificate object or the Secret object.

In case you want the X509Certificate2 to contain the private key, then of course you would need to fetch the Secret entity's value and do the following:

SecretBundle certificatePrivateKeySecretBundle =
    await keyVaultClient.GetSecretAsync(certificateIdentifierSecretPart);

byte[] privateKeyBytes = Convert.FromBase64String(certificatePrivateKeySecretBundle.Value);
X509Certificate2 certificateWithPrivateKey = new X509Certificate2(privateKeyBytes, (string) null, X509KeyStorageFlags.MachineKeySet);

The certificateIdentifierSecretPart equals the certificate's secret part path: https://<vault name>.vaults.azure.net/secrets/<certificate name>

Note the /secrets/ path.

    This worked for me: keyVaultClient.GetSecretAsync(<vaultAddress without secrets in path>, <certificate name>)
    – tobbenb3
    Commented Jul 26, 2018 at 14:15
  • In .Net Core 2.1 I am using Microsoft.Azure.KeyVault; but KeyVaultClient does not contain definition for GetSecretAsync. Have Azure SDK installed / updated. :/
    – ttugates
    Commented Jul 31, 2018 at 20:08
    The certificateIdentifierSecretPart can be determined from the KeyBundle: var kb = await keyVaultClient.GetCertificateAsync("https://<vault-name>.vault.azure.net", "<cert-name>"); var certificateIdentifierSecretPart = kb.SecretIdentifier.Identifier; Then get the SecretBundle as shown above. Commented Jan 26, 2019 at 1:53
  • Great answer! Any idea where this is documented (specifically the /secrets/ path)? Commented Jun 24, 2019 at 12:57
    The certificate represents the certificate just created, the Key represents the private part of the certificate, and the Secret has the certificate in PFX format (just as if you had uploaded a PFX as a Secret). Since the certificate created above is exportable, the Secret contains the Private portion of the key as well. To recreate the certificate locally in memory, we use the below code. Refer to: rahulpnath.com/blog/signing-a-pdf-file-using-azure-key-vault
    – Meng Li
    Commented Jun 3, 2020 at 5:28

November 2020 Update:

In the current version of Azure Key Vault, Certificates are a first class concept rather than a type of Secret.

If your Key Vault instance already has a certificate with an exportable private key, you'd fetch it and hydrate an X509Certificate2 as follows:

Create the required clients using a DefaultAzureCredential

var certClient = new CertificateClient(new Uri("https://yourKeyVault.vault.azure.net/"), new DefaultAzureCredential());
var secretClient = new SecretClient(new Uri("https://yourKeyVault.vault.azure.net/"), new DefaultAzureCredential());

Get the certificate, which includes a link to the private key secret.

Note: The latest (4.2.0 beta) version of the Key Vault Secrets library includes a helper class called KeyVaultSecretIdentifier that does this parsing for you.

Response<KeyVaultCertificateWithPolicy> certResponse = await certClient.GetCertificateAsync("testCert");

// If using client version 4.2.0 or later
KeyVaultSecretIdentifier identifier = new KeyVaultSecretIdentifier(certResponse.Value.SecretId);

// Else, Get the secretId and parse out the parts needed to fetch the secret.
Uri secretId = certResponse.Value.SecretId;
var segments = secretId.Segments;
string secretName = segments[2].Trim('/');
string version = segments[3].TrimEnd('/');

Get the secret for the certificate and use it to construct a new X509Certificate2.

// If using client version 4.2.0 or later
Response<KeyVaultSecret> secretResponse = await secretClient.GetSecretAsync(identifier.Name, identifier.Version);

// else
Response<KeyVaultSecret> secretResponse = await secretClient.GetSecretAsync(secretName, version);

KeyVaultSecret secret = secretResponse.Value;
byte[] privateKeyBytes = Convert.FromBase64String(secret.Value);

var cert = new X509Certificate2(privateKeyBytes);

For more information about the latest Key Vault Certificate and Secret clients, see their respective README docs here:

Azure.Security.KeyVault.Certificates (migration guide from the old version)

Azure.Security.KeyVault.Secrets (migration guide from the old version)

    I wanted to add to this that the old Microsoft.Azure.KeyVault packages are deprecated. These new packages are faster, easier to customize, under active development (by Christopher and myself, no less), and more. Check out: aka.ms/azsdk/intro for more benefits of migrating.
    – Heath
    Commented Nov 13, 2020 at 18:14
  • Thanks for this information. I noticed that, in order to get a X509Certificate2 object from the Key Vault certificates, the Azure.Security.KeyVault.Secrets client is enough because the name of the certificate can be used as a parameter of the GetSecretAsync. I also noticed the identity that will access the Key Vault must have the Secret Get access policy (and not the Certificate Get access policy). Commented Nov 16, 2020 at 15:06
    @michaelmaillot You are correct about the secret name, however that is an implementation detail that is not guaranteed to be consistent. It may end up always being true that the secret name and the certificate names will match, but the extra call just ensures that secret name is always accurate. Commented Nov 16, 2020 at 16:52
  • Amazing, you saved my day Commented Oct 13, 2021 at 2:16

You cannot use the KeyBundle result as an X509Certificate2 object because it simply represents the public key portion of a key pair here (no issuer). See the methods in KeyVaultClientExtensions for functions to encrypt data, verify signatures, etc. using this KeyBundle object.

  • Thanks for your comment, I misunderstood how how to use keys with key vault. I found a great explanation here for what I wanted to do (store a pfx in the key vault): stackoverflow.com/questions/33728213/… Commented May 16, 2016 at 8:58

When using the new Azure.Security.KeyVault.* libraries and to build on what Christopher Scott has answered, you can load all active and non-expired versions and skip the GetCertificate and parsing step with the following:

public static IEnumerable<X509Certificate2> LoadCertificateVerisons(
    string keyVaultName,
    string certificateName)
    var keyVaultUrl = new Uri($"https://{keyVaultName}.vault.azure.net");
    var certificateClient = new CertificateClient(keyVaultUrl, new AzureCliCredential());
    var secretClient = new SecretClient(keyVaultUrl, new AzureCliCredential());

    var versions = certificateClient.GetPropertiesOfCertificateVersions(certificateName).ToArray();

    foreach (var certificate in versions)
        if (!certificate.Enabled.GetValueOrDefault(false) ||
            certificate.ExpiresOn <= DateTimeOffset.UtcNow) continue;

        var certificateSecret = secretClient.GetSecret(certificate.Name, certificate.Version).Value;
        var privateKey = Convert.FromBase64String(certificateSecret.Value);
        yield return new X509Certificate2(privateKey, (string) null, X509KeyStorageFlags.MachineKeySet);
  • Important note: the additional options in the certificate creation command were important. I always got "file not found" errors without the additional parameters in : new X509Certificate2(privateKey, (string) null, X509KeyStorageFlags.MachineKeySet);
    – Kerry
    Commented Jan 29, 2022 at 16:45

