slawek/azure-acme-provisioner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: update importCertificate method to handle certificate policy updates and improve PFX import logic

Browse Source 
fix: modify pfxToPem function to export private key as PKCS#8 for Azure Key Vault compatibility
This commit is contained in:
Sławek Koszewski
2026-05-23 10:26:29 +02:00
parent 4867672562
commit 668f3c3e28
2 changed files with 19 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/lib/keyvault.ts
+12 -18
View File
@@ -1,6 +1,7 @@
import { TokenCredential } from '@azure/identity';
import {
CertificateClient,
CertificatePolicy,
KeyVaultCertificateWithPolicy,
} from '@azure/keyvault-certificates';
import { SecretClient } from '@azure/keyvault-secrets';
@@ -48,24 +49,17 @@ export class KeyVaultStore {
async importCertificate(name: string, cert: string | Buffer, format: 'pem' | 'pfx' = 'pem', password?: string): Promise<void> {
const certBuffer = typeof cert === 'string' ? Buffer.from(cert) : cert;
// The high-level CertificateClient spreads `policy` into import params but the
// generated serializer reads `certificatePolicy` — a key mismatch that silently
// drops content_type from the REST body. Call the internal client directly so
// secret_props.content_type reaches Azure (required for PFX; without it Azure
// defaults to PEM parsing and rejects binary PFX data).
// eslint-disable-next-line @typescript-eslint/no-explicit-any
const internalClient = (this.certClient as any).client;
await internalClient.importCertificate(name, {
base64EncodedCertificate: format === 'pem'
? certBuffer.toString('ascii')
: certBuffer.toString('base64'),
password,
certificatePolicy: {
secretProperties: {
contentType: format === 'pfx' ? 'application/x-pkcs12' : 'application/x-pem-file',
},
},
}, {});
const contentType = format === 'pfx' ? 'application/x-pkcs12' : 'application/x-pem-file';
try {
// When a certificate already exists, Azure validates the incoming bytes against
// its stored policy's content_type. Updating the policy first tells Azure to
// expect the new format; without this, converting PEM→PFX (or vice-versa)
// fails because Azure tries to parse binary PFX data as PEM.
await this.certClient.updateCertificatePolicy(name, { contentType } as CertificatePolicy);
} catch {
// Certificate doesn't exist yet — no policy to update, proceed to import.
}
await this.certClient.importCertificate(name, certBuffer, { password });
}
}