Why is a certificate downloaded from Azure Key Vault different than the file I uploaded?
I just uploaded a certificate to Azure Key Vault, then compared it to the file locally. The two are very different.
```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Azure.Identity;
using Azure.Security.KeyVault.Certificates;

var cwd = Directory.GetCurrentDirectory();
var fileCertBytes = File.ReadAllBytes(Path.Join(cwd, "redislabs_user.pfx")); // 3365 bytes
var fileCert = new X509Certificate2(fileCertBytes, "");
var client = new CertificateClient(new Uri($"https://mycompany.vault.azure.net/"), new DefaultAzureCredential());
var vaultCertBytes = client.GetCertificate("redislabsuser").Value.Cer; // 865 bytes
var vaultCert = new X509Certificate2(vaultCertBytes, "");
var same = fileCert.Equals(vaultCert); // returns true
```
Here's my problem: The X509 Certificates generated from both seem to be the same, but when I try to use them to connect to Redis Labs, the local file works, but the one from Key Vault does not.
I've verified that the thumbprints are the same (and everything else I can), but there's obviously a TON of data missing (2500 bytes, apparently), that Redis needs. How do I ensure I get ALL the data of the certificate from Key Vault?
Solution 1:[1]
I think the issue is that when you get the certificate from Azure Key Vault, you only retrieve the public key part of it. To get the actual private key, you need to get it as a secret. Yes, it is not intuitive.
see
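The retrieval the answer describes, as an added example that is not part of the original question or answer: it reads the same-named secret with `SecretClient` from the `Azure.Security.KeyVault.Secrets` package and checks that the result really carries the private key. It assumes the vault URI and certificate name from the question, a certificate stored as PKCS#12 with an exportable key, and a caller identity that has `get` permission on secrets as well as on certificates.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Azure.Identity;
using Azure.Security.KeyVault.Certificates;
using Azure.Security.KeyVault.Secrets;

// Vault URI and certificate name are taken from the question.
var vaultUri = new Uri("https://mycompany.vault.azure.net/");
const string name = "redislabsuser";
var credential = new DefaultAzureCredential();

// Certificate object: .Cer is the DER-encoded public certificate only.
var certClient = new CertificateClient(vaultUri, credential);
using var publicOnly = new X509Certificate2(certClient.GetCertificate(name).Value.Cer);

// The same name, read as a secret, returns the full bundle (base64 PKCS#12).
var secretClient = new SecretClient(vaultUri, credential);
KeyVaultSecret secret = secretClient.GetSecret(name).Value;

// A PEM-stored certificate has content type application/x-pem-file and
// needs a different loader; this example handles the PKCS#12 case only.
if (secret.Properties.ContentType != "application/x-pkcs12")
    throw new InvalidOperationException(
        $"Expected a PKCS#12 secret, got '{secret.Properties.ContentType}'.");

// pfxBytes contains the private key: keep it in memory, never log or persist it.
byte[] pfxBytes = Convert.FromBase64String(secret.Value);
using var withKey = new X509Certificate2(pfxBytes);

// If the certificate policy marks the key non-exportable, the secret
// holds no private key and client-certificate TLS will still fail.
if (!withKey.HasPrivateKey)
    throw new InvalidOperationException("Secret contains no private key.");

// Confirm the secret and the certificate object describe the same certificate.
if (withKey.Thumbprint != publicOnly.Thumbprint)
    throw new InvalidOperationException("Thumbprint mismatch between secret and certificate.");

Console.WriteLine($"Public-only bytes: {publicOnly.RawData.Length}, has key: {publicOnly.HasPrivateKey}");
Console.WriteLine($"PFX bytes: {pfxBytes.Length}, has key: {withKey.HasPrivateKey}");
```

Recent versions of `Azure.Security.KeyVault.Certificates` also provide `CertificateClient.DownloadCertificate`, which performs the secret lookup and returns an `X509Certificate2` with the private key attached.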
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Tore Nestenius |
