When downloading a version of a certificate from Azure Keyvault, I have not been able to get the full certificate chain. P.S. I am on .Net Framework 4.7.2.
When I import the downloaded certificate manually into the local store and then export it to a file with a password, and later access the certificate, I am able to get the full chain if I load that certificate in C#.
Is there a way to get the full chain directly from Keyvault?
Here is the Code Snippet.
// certificateClient is an Azure.Security.KeyVault.Certificates.CertificateClient instance
DownloadCertificateOptions downloadCertOptions = new DownloadCertificateOptions(certificateProperties.Name);
downloadCertOptions.Version = certificateProperties.Version;
downloadCertOptions.KeyStorageFlags = X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet;
// DownloadCertificate returns Response<X509Certificate2>, which converts implicitly to X509Certificate2
X509Certificate2 cert = certificateClient.DownloadCertificate(downloadCertOptions);
byte[] exportedCert = cert.Export(X509ContentType.Pfx);
//byte[] exportedCert = cert.Export(X509ContentType.Pkcs12); // Pkcs12 and Pfx are the same enum value
X509Certificate2Collection certificates = new X509Certificate2Collection();
string password = "";
// Import is void: it fills the collection in place rather than returning a new one
certificates.Import(exportedCert, password, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable);
Console.WriteLine($"Collection has {certificates.Count} certs");
**Expecting 3 certs (child, intermediate and root)**, but only getting one (the child cert).
To get the complete certificate including its private key, you need to download it as a secret from Azure Key Vault; getting it as a certificate will only include its public key.
Just ran into the same issue. Basically, you want to download the full secret and then initialise a collection from the raw bytes. This will contain the full chain.
using System;
using System.Security.Cryptography.X509Certificates;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// Any Azure.Identity credential works here; DefaultAzureCredential is the usual choice.
var credential = new DefaultAzureCredential();
var secretClient = new SecretClient(new Uri("https://somekb.vault.azure.net/"), credential);
// The secret behind a Key Vault certificate holds the PKCS#12 bundle: leaf, private key and chain.
KeyVaultSecret secret = secretClient.GetSecret("mycertname");
var privateKeyBytes = Convert.FromBase64String(secret.Value);
X509Certificate2Collection x509Certificate2Collection = new X509Certificate2Collection();
// Key Vault's PKCS#12 has no password, hence the null.
x509Certificate2Collection.Import(privateKeyBytes, (string)null, X509KeyStorageFlags.PersistKeySet);
foreach (X509Certificate2 certificate in x509Certificate2Collection)
{
    // Adds every cert in the bundle (leaf plus chain) to the LocalMachine\My store.
    X509Store x509Store2 = new X509Store(StoreLocation.LocalMachine);
    x509Store2.Open(OpenFlags.ReadWrite);
    x509Store2.Add(certificate);
    x509Store2.Close();
}
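The two answers above say the same thing: the certificate endpoint returns only the leaf's public certificate, while the secret behind it carries the whole PKCS#12 bundle. The following is an added example (not code from either answer or from the Azure SDK) that downloads the secret, checks the content type Key Vault stamps on it, imports the bundle without persisting the key, and then verifies whether the intermediates and root actually came back in the download rather than being pulled from the local machine store. The vault URI `https://somekb.vault.azure.net/` and certificate name `mycertname` are placeholders; it assumes the `Azure.Identity` and `Azure.Security.KeyVault.Secrets` packages on .NET Framework 4.7.2.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// Added example, not part of the original Q&A. Vault and certificate
// names are placeholders; the caller's identity needs only secrets/get
// on this one secret, since the secret exposes the private key.
public static class KeyVaultChainDownloader
{
    // Downloads the certificate's backing secret, which holds the PKCS#12
    // bundle Key Vault wrote: leaf cert + private key + any chain certs
    // present when the certificate was imported or issued.
    public static X509Certificate2Collection DownloadWithChain(Uri vaultUri, string certificateName)
    {
        var secretClient = new SecretClient(vaultUri, new DefaultAzureCredential());
        KeyVaultSecret secret = secretClient.GetSecret(certificateName);

        // Key Vault records the bundle format on the secret. A PEM bundle would
        // need a PEM parser (X509Certificate2.CreateFromPem is .NET 5+ only),
        // so this example handles only the default PKCS#12 content type.
        string contentType = secret.Properties.ContentType;
        if (!string.Equals(contentType, "application/x-pkcs12", StringComparison.OrdinalIgnoreCase))
            throw new NotSupportedException($"Unexpected secret content type '{contentType}'; expected application/x-pkcs12.");

        byte[] pfxBytes = Convert.FromBase64String(secret.Value);
        var collection = new X509Certificate2Collection();
        // Key Vault's PKCS#12 has no password. DefaultKeySet keeps the private key
        // out of the persistent key store; use PersistKeySet only when you intend
        // to install the certificate on the machine.
        collection.Import(pfxBytes, (string)null, X509KeyStorageFlags.DefaultKeySet);
        return collection;
    }

    // Picks the end-entity cert (the one carrying the private key) and builds
    // its chain with the bundle's own certs in ExtraStore, then checks that every
    // chain element came from the bundle. That distinguishes "the download had the
    // full chain" from "Windows filled the gaps from its store or via AIA fetching".
    public static bool ChainIsComplete(X509Certificate2Collection collection, out string report)
    {
        X509Certificate2 leaf = collection.Cast<X509Certificate2>().FirstOrDefault(c => c.HasPrivateKey)
                                ?? collection.Cast<X509Certificate2>().FirstOrDefault();
        if (leaf == null)
        {
            report = "no certificates in bundle";
            return false;
        }

        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.ExtraStore.AddRange(collection);
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            // We only want to know whether the chain elements are present in the
            // bundle, not whether the root is trusted on this machine, so a private
            // root that is absent from the trust store must not fail Build().
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
            bool built = chain.Build(leaf);

            bool allFromBundle = chain.ChainElements.Cast<X509ChainElement>()
                .All(e => collection.Cast<X509Certificate2>().Any(c => c.Thumbprint == e.Certificate.Thumbprint));

            report = $"leaf={leaf.Subject}; chain elements={chain.ChainElements.Count}; built={built}; all from bundle={allFromBundle}";
            return built && allFromBundle && chain.ChainElements.Count > 1;
        }
    }

    public static void Main()
    {
        X509Certificate2Collection certs = DownloadWithChain(new Uri("https://somekb.vault.azure.net/"), "mycertname");
        Console.WriteLine($"Bundle has {certs.Count} certs");
        string report;
        bool complete = ChainIsComplete(certs, out report);
        Console.WriteLine(report);
        Console.WriteLine(complete ? "Full chain present in download" : "Chain incomplete: only the leaf came back");
    }
}
```

If `ChainIsComplete` reports `built=True` but `all from bundle=False`, the chain only validates because the intermediates or root already exist in the local store, which is exactly the situation the question describes after a manual import; the download itself still lacks them, and the certificate in Key Vault needs to be re-imported with its chain.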