Generate Self Signed Certificate with SANs using Azure CLI

Quite often you need a certificate that does not necessarily need to be properly signed, because it will only be used for testing purposes or by your own services. A good example is when you are creating an Azure Service Fabric cluster. One option is to use the Azure Portal to generate the certificate by filling out the details, but if you want to automate the process that is not an option.

Using PowerShell to generate a certificate on a Windows machine, or openssl on Linux, is well documented, but if you want your cert generated directly in an Azure Key Vault you must use the Azure PowerShell modules or the Azure CLI.

If you need a simple self-signed certificate, you can create one with the az keyvault certificate create command; the Azure documentation has a sample of how to use it:

This will create a certificate in the “vaultname” Key Vault with the name “cert1”.

What if you want more: to add a subject or even multiple entries to the SAN, to change the automatic renewal (which is the default) to an email alert, or to explicitly specify the usage of the certificate?

The -p "$(az keyvault certificate get-default-policy)" part was quite suspicious. The “az keyvault certificate create” documentation says:

--policy -p

JSON encoded policy definition. Use @{file} to load from a file.

If there was a default policy, there must be a way to customize it – I thought… As usual Google was my best friend, so I found some info in the Key Vault REST API documentation. I wanted to use the cert with multiple domain names, so the SubjectAlternativeNames option looked promising; however, the “dns_names” parameter did not work as documented. That was when I realized that there is a --scaffold parameter of az keyvault certificate get-default-policy that generates a fully formed policy structure with default values. Here is how the output looks:

All you need to do is save this to a file (e.g. cert_policy.json), modify the relevant sections and give it a go like this:

Voilà, your certificate is available in the Key Vault.
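The whole procedure end to end, as an added example that is not the author's own command: a small shell helper writes a customised policy file with a subject, several SAN entries, an email alert instead of auto-renewal and explicit key usage, then hands it to az keyvault certificate create. The camelCase policy keys (dnsNames, lifetimeActions, keyUsage, ...) are assumed to match the scaffold layout the CLI prints; vault and certificate names are placeholders.

```bash
#!/bin/sh
# Added example (not from the original post). Assumes the policy JSON keys
# follow the camelCase layout printed by
# `az keyvault certificate get-default-policy --scaffold`.

# write_cert_policy FILE SUBJECT DNS_NAME...  -> writes the policy JSON to FILE
write_cert_policy() {
  file=$1; subject=$2; shift 2
  dns_json=""
  for name in "$@"; do
    # build a comma-separated list of quoted names for the dnsNames array
    dns_json="${dns_json:+$dns_json, }\"$name\""
  done
  cat > "$file" <<EOF
{
  "issuerParameters": { "certificateTransparency": null, "name": "Self" },
  "keyProperties": { "exportable": true, "keySize": 2048, "keyType": "RSA", "reuseKey": false },
  "lifetimeActions": [
    { "action": { "actionType": "EmailContacts" },
      "trigger": { "daysBeforeExpiry": 30 } }
  ],
  "secretProperties": { "contentType": "application/x-pkcs12" },
  "x509CertificateProperties": {
    "ekus": [ "1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2" ],
    "keyUsage": [ "digitalSignature", "keyEncipherment" ],
    "subject": "$subject",
    "subjectAlternativeNames": { "dnsNames": [ $dns_json ], "emails": [], "upns": [] },
    "validityInMonths": 12
  }
}
EOF
}

# create_cert VAULT CERTNAME POLICYFILE -> issues the certificate inside the vault
# (needs a prior `az login`; the private key never leaves Key Vault)
create_cert() {
  az keyvault certificate create --vault-name "$1" -n "$2" -p "@$3"
}

# Usage with placeholder names: the ekus above are serverAuth and clientAuth,
# which is what a Service Fabric cluster certificate needs.
# write_cert_policy cert_policy.json "CN=sf.example.com" sf.example.com "*.sf.example.com"
# create_cert my-vault sf-cluster cert_policy.json
```

The EmailContacts action only alerts someone if the vault has a certificate contact registered (az keyvault certificate contact add), so add one before relying on it.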

The reason I really like this method is that the certificate itself never has to leave a fully controlled environment, the Azure Key Vault.
