2. Refer to the official documentation
```powershell
Function Export-AppServiceCertificate {
    Param(
        [Parameter(Mandatory=$true,Position=1,HelpMessage="ARM Login Url")]
        [string]$loginId,
        [Parameter(Mandatory=$true,HelpMessage="Subscription Id")]
        [string]$subscriptionId,
        [Parameter(Mandatory=$true,HelpMessage="Resource Group Name")]
        [string]$resourceGroupName,
        [Parameter(Mandatory=$true,HelpMessage="Name of the App Service Certificate Resource")]
        [string]$name
    )

    Login-AzureRmAccount
    Set-AzureRmContext -SubscriptionId $subscriptionId

    # Read the certificate order resource to find which Key Vault secret holds the PFX
    $ascResource = Get-AzureRmResource -ResourceId "/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.CertificateRegistration/certificateOrders/$name"
    $certProps = Get-Member -InputObject $ascResource.Properties.certificates[0] -MemberType NoteProperty
    $certificateName = $certProps[0].Name
    $keyVaultId = $ascResource.Properties.certificates[0].$certificateName.KeyVaultId
    $keyVaultSecretName = $ascResource.Properties.certificates[0].$certificateName.KeyVaultSecretName
    $keyVaultIdParts = $keyVaultId.Split("/")
    $keyVaultName = $keyVaultIdParts[$keyVaultIdParts.Length - 1]
    $keyVaultResourceGroupName = $keyVaultIdParts[$keyVaultIdParts.Length - 5]

    # Grant the signed-in account 'get' on secrets so the PFX can be read from the vault
    Set-AzureRmKeyVaultAccessPolicy -ResourceGroupName $keyVaultResourceGroupName -VaultName $keyVaultName -UserPrincipalName $loginId -PermissionsToSecrets get
    Write-Host "Get Secret Access to account $loginId has been granted from the KeyVault, please check and remove the policy after exporting the certificate"

    # The secret value is the base64-encoded PFX; re-export it with a fresh random password
    $secret = Get-AzureKeyVaultSecret -VaultName $keyVaultName -Name $keyVaultSecretName
    $pfxCertObject = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @([Convert]::FromBase64String($secret.SecretValueText),"",[System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
    $pfxPassword = -join ((65..90) + (97..122) + (48..57) | Get-Random -Count 50 | % {[char]$_})
    $currentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
    [Environment]::CurrentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
    [io.file]::WriteAllBytes(".\appservicecertificate.pfx",$pfxCertObject.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12,$pfxPassword))

    ## If you are sure this account is not used for any other access, uncomment the two lines below to remove the access policy, or remove it in the portal (remember to change the resource group name and Key Vault name).
    # Remove-AzureRmKeyVaultAccessPolicy -ResourceGroupName $keyVaultResourceGroupName -VaultName $keyVaultName -UserPrincipalName $loginId
    # Write-Host "Access to account $loginId has been removed from the KeyVault"

    Write-Host "Created an App Service Certificate copy at: $currentDirectory\appservicecertificate.pfx"
    Write-Warning "For security reasons, do not store the PFX password. Use it directly from the console as required."
    Write-Host "PFX password: $pfxPassword"
}

Export-AppServiceCertificate -loginId yourarmemail@domain.com -subscriptionId yoursubid -resourceGroupName resourceGroupNameOfYourAppServiceCertificate -name appServiceCertificateName
```
The values you need to supply are the account used to sign in to Azure, the subscription ID, the resource group that holds the certificate, and the certificate name.

When the script finishes it prints the path of the exported PFX and its password. Because the password is echoed to the console with Write-Host, do not run the script under Start-Transcript or in a logged pipeline.

By default the script adds an access policy entry to the Key Vault granting the executing account "get" on secrets, and leaves it in place. If you want it removed, delete it in the Portal (the original article explains this) or uncomment the Remove-AzureRmKeyVaultAccessPolicy lines before running the script.
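The script above uses the AzureRm module, which Microsoft has retired in favour of Az. The following is an added example, not the page's script or Microsoft's, that ports the same export to the Az cmdlets (Connect-AzAccount, Get-AzResource, Set-/Remove-AzKeyVaultAccessPolicy, Get-AzKeyVaultSecret -AsPlainText, which needs Az.KeyVault 2.0 or later) and addresses the two points just discussed: the temporary access policy is revoked in a finally block so it is removed even if the export fails, and the written PFX is reloaded with its password to confirm it carries the private key. The function name, parameter names and the 32-byte base64 password are assumptions for the example; the traversal of the certificate order resource follows the page's script.

```powershell
# Added example (not the page's script): Az-module export with guaranteed
# access-policy cleanup and a PFX sanity check.
# Assumes Az.Accounts, Az.Resources and Az.KeyVault (>= 2.0) are installed and
# that the vault uses the access-policy permission model; on an RBAC-mode vault
# the Set-/Remove-AzKeyVaultAccessPolicy calls will not grant anything.
function Export-AppServiceCertificateAz {
    param(
        [Parameter(Mandatory = $true)] [string]$LoginId,
        [Parameter(Mandatory = $true)] [string]$SubscriptionId,
        [Parameter(Mandatory = $true)] [string]$ResourceGroupName,
        [Parameter(Mandatory = $true)] [string]$Name,
        [string]$OutFile = (Join-Path (Get-Location -PSProvider FileSystem).ProviderPath 'appservicecertificate.pfx')
    )

    Connect-AzAccount | Out-Null
    Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

    # Locate the Key Vault secret that backs the App Service Certificate order
    # (same resource traversal as the page's script).
    $orderId  = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.CertificateRegistration/certificateOrders/$Name"
    $order    = Get-AzResource -ResourceId $orderId
    $certName = ($order.Properties.certificates | Get-Member -MemberType NoteProperty)[0].Name
    $cert     = $order.Properties.certificates.$certName
    # KeyVaultId is /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.KeyVault/vaults/<name>
    $kvParts  = $cert.KeyVaultId.Split('/')
    $kvName   = $kvParts[-1]
    $kvRg     = $kvParts[-5]

    # Generate the PFX password with a CSPRNG instead of Get-Random.
    $rng     = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $pwBytes = New-Object byte[] 32
    $rng.GetBytes($pwBytes)
    $pfxPassword = [Convert]::ToBase64String($pwBytes)

    # Grant 'get' on secrets only for the duration of the export, and always revoke it.
    Set-AzKeyVaultAccessPolicy -ResourceGroupName $kvRg -VaultName $kvName -UserPrincipalName $LoginId -PermissionsToSecrets get
    try {
        $b64 = Get-AzKeyVaultSecret -VaultName $kvName -Name $cert.KeyVaultSecretName -AsPlainText
        $pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @(
            [Convert]::FromBase64String($b64), '',
            [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
        [IO.File]::WriteAllBytes($OutFile, $pfx.Export(
            [System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $pfxPassword))
    }
    finally {
        # Runs whether or not the export succeeded, so no standing 'get' permission is left behind.
        Remove-AzKeyVaultAccessPolicy -ResourceGroupName $kvRg -VaultName $kvName -UserPrincipalName $LoginId
    }

    # Sanity check: the file on disk must open with the password and contain the private key.
    $check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @($OutFile, $pfxPassword)
    if (-not $check.HasPrivateKey) { throw "Exported PFX at $OutFile has no private key" }

    Write-Host "PFX written to $OutFile (subject: $($check.Subject), expires $($check.NotAfter))"
    # Printed once for the operator; do not run this under Start-Transcript or a logged pipeline.
    Write-Host "PFX password: $pfxPassword"
}

# Usage (placeholder values):
# Export-AppServiceCertificateAz -LoginId yourarmemail@domain.com -SubscriptionId yoursubid `
#     -ResourceGroupName resourceGroupNameOfYourAppServiceCertificate -Name appServiceCertificateName
```

The HasPrivateKey check matters because a PFX exported from a certificate object whose key was not loaded as Exportable will open without error but contain only the public certificate, which only shows up later when the binding or import fails.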
https://go.microsoft.com/fwlink/?linkid=843155