I'm working to migrate a Cloud Service (Classic) service to Extended Support that has several .cer certificates (without a private key) registered in the .csdef file. We usually create the Cloud Service (Classic) instance and then add the certificates to the instance using PowerShell.
In CS ES, certificates need to be managed in Key Vault. However, Key Vault does not support importing .cer certificates (without a private key).
When testing the migration process from the Azure portal, these certificates are transferred to Key Vault as secrets. Decoding the secret value, they appear to be JSON that contains a 'data' field and a 'password' field. Creating a file from the 'data' field value and giving it a .pfx extension, I can import the certificate locally and I'm prompted for a password. The certificate shows up without a private key in my user certificate store.
What is the right way to set up .cer certificates for use with the CS ES service? This is outside of migration, since we need to stand up new environments using automation going forward.
What is the process that the migration has used to transfer these certificates?