Get-AzKeyVaultCertificate missing -AsPlainText switch and how to export with private key #27638

@antonGritsenko

Description

I have a clean installation of the Az.KeyVault module, so it is the most up-to-date.
According to the docs, there is a sample:

$CertBase64 = Get-AzKeyVaultSecret -VaultName $vaultName -Name $certName -AsPlainText
$CertBytes = [Convert]::FromBase64String($CertBase64)
Set-Content -Path cert.pfx -Value $CertBytes -AsByteStream

But if you try to execute it as is, you will get an error:

Get-AzKeyVaultCertificate: A parameter cannot be found that matches parameter name 'AsPlainText'.

This leads to the main issue: there is no way to download the certificate with the private key. This is required when you need to use the certificate for authentication against Entra ID, for example. Can you please finally make Get-AzKeyVaultCertificate stable? It's really a pain to have it broken from version to version.

P.S. Please, NO mentions of "security concept" and all this bla-bla-bla security talk! The private key can be exported via the REST API, so why not have it in the cmdlets? Sample:

# Client for the vault, authenticated with the current Az PowerShell login
$keyVaultUri = New-Object Uri("https://$keyVault.vault.azure.net/")
$client = New-Object Azure.Security.KeyVault.Certificates.CertificateClient($keyVaultUri, (New-Object Azure.Identity.AzurePowerShellCredential))
# Request the certificate with an exportable private key that is kept in memory only
$opts = New-Object Azure.Security.KeyVault.Certificates.DownloadCertificateOptions($certName)
$opts.KeyStorageFlags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable -bor [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
$cert = $client.DownloadCertificate($opts)

Issue script & Debug output

$CertBase64 = Get-AzKeyVaultSecret -VaultName $vaultName -Name $certName -AsPlainText
$CertBytes = [Convert]::FromBase64String($CertBase64)
Set-Content -Path cert.pfx -Value $CertBytes -AsByteStream



Get-AzKeyVaultCertificate: A parameter cannot be found that matches parameter name 'AsPlainText'.

Environment data

Name                           Value
----                           -----
PSVersion                      7.5.0
PSEdition                      Core
GitCommitId                    7.5.0
OS                             Microsoft Windows 10.0.19045
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Module versions

Name        Version
----        -------
Az.Accounts 4.1.0
Az.KeyVault 6.3.1
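
The secret-based export quoted from the docs above, extended into an added example (not code from the issue author or the Az project) that checks the secret's content type, confirms the private key is present, and writes a password-protected PFX instead of the raw password-less one. It assumes PowerShell 7, a certificate whose policy stores it as PKCS#12 with an exportable key, and a caller with `get` permission on secrets; `Export-KvCertificateWithKey` and the names in the usage comment are hypothetical.

```powershell
# Added example; Export-KvCertificateWithKey is a hypothetical helper name.
function Export-KvCertificateWithKey {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]       $VaultName,
        [Parameter(Mandatory)] [string]       $CertName,
        [Parameter(Mandatory)] [string]       $OutFile,
        [Parameter(Mandatory)] [securestring] $PfxPassword
    )

    # The private key is served through the secret that shares the
    # certificate's name, so access is gated by "get" on secrets.
    $secret = Get-AzKeyVaultSecret -VaultName $VaultName -Name $CertName
    if (-not $secret) {
        throw "Secret '$CertName' not found in vault '$VaultName' (or no access)."
    }

    # PEM-backed certificates are returned as text, not base64 PKCS#12.
    if ($secret.ContentType -ne 'application/x-pkcs12') {
        throw "Content type is '$($secret.ContentType)', expected application/x-pkcs12."
    }

    $base64 = ConvertFrom-SecureString -SecureString $secret.SecretValue -AsPlainText
    $bytes  = [Convert]::FromBase64String($base64)

    # The PFX handed out by Key Vault has an empty password.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes, '', $flags)
    try {
        if (-not $cert.HasPrivateKey) {
            throw "Certificate '$CertName' was returned without a private key."
        }
        # Re-wrap with a password so the key never lands on disk unprotected.
        $pfx  = $cert.Export(
            [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx,
            $PfxPassword)
        $path = $PSCmdlet.GetUnresolvedProviderPathFromPSPath($OutFile)
        [System.IO.File]::WriteAllBytes($path, $pfx)
        return $cert.Thumbprint
    }
    finally {
        $cert.Dispose()
        [Array]::Clear($bytes, 0, $bytes.Length)
    }
}

# Usage (constructed names):
# Export-KvCertificateWithKey -VaultName 'contoso-kv' -CertName 'app-auth' `
#     -OutFile .\app-auth.pfx -PfxPassword (Read-Host -AsSecureString 'PFX password')
```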

Labels: KeyVault; customer-reported; needs-author-feedback (More information is needed from author to address the issue.); no-recent-activity (There has been no recent activity on this issue.); question (The issue doesn't require a change to the product in order to be resolved. Most issues start as that)