Azure APIM Standard V2 Custom Domain - RSA-HSM key stored in keyvault - private key issue

NNPP 20 Reputation points
2024-09-02T10:58:29.3533333+00:00

Issue:

APIM on Standard V2 SKU, custom domain, obtaining a RSA-HSM non-exportable private key cert stored in Key Vault results in error message about that cert not having a private key.

I cannot work out if RSA-HSM certs are not supported by the APIM to KV mechanism or if it's an Azure config reason.

The APIM via managed identity has permissions to the key vault via RBAC roles:

Key Vault Certificate User

Key Vault Certificates Officer

Key Vault Crypto Officer

Key Vault Secrets Officer

I realise that some of these roles are overlapping \ covered by a more privileged role, I was just trying to get all perms that might be needed.

It seems like although the private key is available to the Key Vault itself, the APIM cannot read it and therefore, use that cert.

EXACT ERROR IS:

Failed to update API Management service hostnames

Invalid parameter: Certificate '[redacted]' must have a Private Key.


2 answers

  1. NNPP 20 Reputation points
    2024-09-03T11:33:28.0566667+00:00

    For anyone looking for this answer.

    I found that Azure APIM cannot use a certificate that is RSA-HSM backed stored as a cert in [premium] Azure Key Vault.

    In Key Vault \ Certificates, I generated new, creating a new CSR with defaults (size 2048 and RSA), and then used this CSR to get my CA-provided cert.

    I completed the merge signing request for that cert, then selected this cert from APIM custom domain which then worked.

    Note your APIM via its managed identity can access the key vault with RBAC roles - so long as your NSG \ firewall permits the traffic.

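A pre-flight check for the situation in the answer above, added here as an example (not code from the poster or from Microsoft): it reads a Key Vault certificate policy in the shape the Key Vault REST API returns (assumed field names `key_props.kty`, `key_size`, `exportable`), flags HSM-backed or non-exportable keys that APIM cannot pull as a PFX, and builds the replacement policy the answer describes (default RSA 2048, external CA via CSR). The two policies are constructed sample input.

```python
import json

# Constructed sample policies (assumption: REST API field names "kty", "key_size",
# "exportable"). The first mirrors the failing RSA-HSM cert, the second the fix.
HSM_BACKED_POLICY = json.loads("""
{"key_props": {"kty": "RSA-HSM", "key_size": 2048, "exportable": false, "reuse_key": false}}
""")

SOFTWARE_POLICY = json.loads("""
{"key_props": {"kty": "RSA", "key_size": 2048, "exportable": true, "reuse_key": false}}
""")


def apim_can_use_certificate(policy: dict) -> tuple[bool, str]:
    """Return (usable, reason) for a Key Vault certificate policy.

    APIM retrieves the certificate as a PFX through the secret endpoint, so the
    private key must be a software-protected, exportable key. An HSM-backed key
    ("*-HSM" key type) never leaves the HSM, so the PFX holds only the public
    certificate and APIM reports that the cert has no private key.
    """
    props = policy.get("key_props", {})
    kty = props.get("kty", "")
    if kty.endswith("-HSM"):
        return False, f"key type {kty} is HSM-backed; private key cannot be retrieved as a secret"
    if not props.get("exportable", False):
        return False, "key is non-exportable; the PFX returned to APIM will not contain it"
    return True, f"software key {kty} {props.get('key_size')} with exportable private key"


def replacement_policy(subject: str, key_size: int = 2048) -> dict:
    """Policy for the new CSR the answer describes: RSA with the default 2048-bit
    size, exportable, issuer "Unknown" so Key Vault emits a CSR for an external CA
    (the signed cert is merged back afterwards)."""
    return {
        "issuer": {"name": "Unknown"},
        "key_props": {"kty": "RSA", "key_size": key_size, "exportable": True, "reuse_key": False},
        "secret_props": {"contentType": "application/x-pkcs12"},
        "x509_props": {"subject": subject},
    }


if __name__ == "__main__":
    for name, pol in (("RSA-HSM cert", HSM_BACKED_POLICY), ("RSA cert", SOFTWARE_POLICY)):
        print(name, apim_can_use_certificate(pol))
```

The live policy can be fetched with `az keyvault certificate show` and fed to the same check before wiring the certificate into the APIM custom domain.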

  2. Akhilesh Vallamkonda 10,150 Reputation points Microsoft Vendor
    2024-09-05T19:06:15.1033333+00:00

    Hi @NNPP

    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    Issue:

    Azure APIM Standard V2 Custom Domain - RSA-HSM key stored in keyvault - private key issue. The APIM cannot read it and therefore, use that cert. EXACT ERROR IS: Failed to update API Management service hostnames Invalid parameter: Certificate '[redacted]' must have a Private Key.

    Solution:

    In Key Vault \ Certificates, you generated new, creating a new CSR with defaults (size 2048 and RSA), and then used this CSR to get my CA-provided cert. You completed the merge signing request for that cert, then selected this cert from APIM custom domain which then worked.

    If you have any other questions or are still running into more issues, please let me know. Thank you again for your time and patience throughout this issue.

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
