英文:
Why Have Certificates with non-Exportable Keys in Azure Key Vault?
问题
我感觉我一定是漏掉了什么明显的东西,或者我太迟钝了。如果我使用密钥保管库生成自签名证书,或者导入带有私钥的PFX,但不将私钥标记为可导出,据我所知,从API的角度来看,我几乎无法对该证书执行任何操作。也许我可以将其与网关一起使用以终止SSL之类的操作,但我找不到任何解密或签名数据的方式,或者以与密钥相同的方式对其进行有用的操作。至少标记为不可导出的密钥仍然具有解密和签名API。在密钥保管库中没有可导出密钥的证书看起来像是砖块。有没有什么有用的东西可以用这些证书做呢?
英文:
I feel like I must be missing something obvious or I'm being very dense. If I generate a self-signed certificate with Key Vault, or import a PFX with a private key, but do not mark the private key as exportable, as far as I can tell there is literally nothing I can do with that certificate from an API standpoint. Perhaps I can use it with a Gateway to terminate SSL or something, but I can't find any way to decrypt or sign data with them, or do anything useful with them the way I can with Keys. At least Keys marked as non-exportable still have decrypt and sign APIs. Certificates in Key Vault without an exportable key seem like bricks. Is there anything useful that can be done with these certificates?
答案1
得分: 1
你可以使用公钥的唯一有用方式是验证你收到的令牌或数据。另一种方法是将数据发送到AKV并由其进行签名/加密。你也可以使用公钥来签署数据,但接收方必须拥有公钥来验证签名。
确实很让人不爽的是,当你将其下载为证书时,你无法同时获取两者。
英文:
The only useful thing you can do with the public key is to verify tokens or data that you have received. The alternative it to send data to AKV and have it signed/encrypt in for you. You can also use the public key to sign data, but then the receiver must have the public key to verify the signature.
It sure is annoying that you can't get both from when you download it as a certificate.
答案2
得分: 1
如果您下载与证书相同名称和版本生成的密钥,您也可以获取私钥。它应该在您可以下载的PFX文件中。但是它将没有密码(不是您在导入期间使用的原始密码)。
英文:
If you download the secret that is generated with the same name and version as the certificate, you can get the private key as well. It should be in the PFX you can download. It will have an empty password though (so not the original you have used during import).
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论