
upload .pfx certificate through azure devops pipeline

I want to upload a .pfx certificate for my app service through an Azure DevOps task. Can someone please help me with how to upload the certificate through an ARM template?

asked Nov 28 '19 09:11

Bad_Coder


1 Answer

You can follow the steps below to upload the certificate with ARM.

1. Go to the secure files under Pipelines, Library and upload your certificate.

2. Add a download secure file task to download your certificate to your pipeline. You can reference it by the path $(<mySecureFile>.secureFilePath) or $(Agent.TempDirectory). Check here for more information about predefined variables.

3. Add a PowerShell task to run the script below to convert your certificate to a base64 string and store it in a self-defined environment variable certificateBase64Content. Check here to learn more about variables.

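$secName = "<certificateName>.pfx"
$tempDirectory = $env:AGENT_TEMPDIRECTORY

# Path of the secure file downloaded in step 2
$pfxFilePath = Join-Path $tempDirectory $secName

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$flag = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable

# $(certificatePassword) is a pipeline variable substituted before the script runs
$cert.Import($pfxFilePath, "$(certificatePassword)", $flag)

# Export as PKCS#12 so the private key is included; RawData holds only the public certificate
$pkcs12 = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12
$bin = $cert.Export($pkcs12, "$(certificatePassword)")
$base64Value = [System.Convert]::ToBase64String($bin)

# Publish the value to later tasks; adding issecret=true masks it in the logs
Write-Host "##vso[task.setvariable variable=certificateBase64Content;]$base64Value"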

4. Create a Key Vault and grant the Microsoft.Web resource provider access to the Key Vault to get the certificate, which will be stored in the Key Vault.

Please check the "Create the KeyVault with the required settings" part of the blog for an ARM template example.

5. Store the certificate in the Key Vault created in the step above.

Please check the "Store the certificate in KeyVault" part of the blog for an ARM template example.

6. Refer to the last step of the blog, "Deploy the certificate to your Web App", to deploy your certificate.

Reminder:

In the above blog, the parameters defined in the ARM template are overridden in the Azure resource group deployment task. You can configure this under the Template setting in the Azure resource group deployment task.

Addition:

If you do not want to use Key Vault, you can omit steps 4 and 5 above and directly upload the certificate after it has been transformed and stored in the self-defined variable in step 3. You need to replace parameters('certificatePfxBase64') with your self-defined variable certificateBase64Content.

"variables": {
    "certificateName": "[concat(parameters('certificatePrefixName'), uniqueString(resourceGroup().id))]"
  },
"resources": [
    {
      "apiVersion": "2015-08-01",
      "name": "[variables('certificateName')]",
      "type": "Microsoft.Web/certificates",
      "location": "[resourceGroup().location]",
      "properties": {
        "pfxBlob": "[parameters('certificatePfxBase64')]",
        "password": "[parameters('certificatePfxPassword')]"
      },
      "tags": {
        "displayName": "Certificate"
      }
    }
  ]
answered Oct 16 '22 17:10

Levi Lu-MSFT
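
Steps 1 to 3 and the variant without Key Vault from the answer above, written as one YAML pipeline. This is an added example, not part of the original answer: the secure-file name, service connection, subscription variable, resource group, location and template path are assumed placeholders, and it reads the PFX bytes directly and marks the resulting variable as secret.

```yaml
variables:
  certificateFileName: 'mycert.pfx'   # assumed name of the secure file in Pipelines > Library
  # certificatePassword: define it as a secret pipeline variable, not in this file

steps:
# Step 2: download the secure file; its path is exposed as $(pfxFile.secureFilePath)
- task: DownloadSecureFile@1
  name: pfxFile
  inputs:
    secureFile: '$(certificateFileName)'

# Step 3: check the PFX, then publish it as a base64 string for later tasks
- task: PowerShell@2
  displayName: 'Encode PFX as base64'
  inputs:
    targetType: 'inline'
    script: |
      $bytes = [System.IO.File]::ReadAllBytes('$(pfxFile.secureFilePath)')
      # Fail early if the password is wrong or the file carries no private key
      $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes, $env:PFX_PASSWORD)
      if (-not $cert.HasPrivateKey) { throw 'PFX contains no private key' }
      $b64 = [System.Convert]::ToBase64String($bytes)
      # issecret=true keeps the encoded private key masked in pipeline logs
      Write-Host "##vso[task.setvariable variable=certificateBase64Content;issecret=true]$b64"
  env:
    PFX_PASSWORD: $(certificatePassword)   # secret variables must be mapped explicitly

# Deploy the template and override the two certificate parameters
- task: AzureResourceManagerTemplateDeployment@3
  inputs:
    deploymentScope: 'Resource Group'
    azureResourceManagerConnection: 'my-service-connection'   # assumed
    subscriptionId: '$(subscriptionId)'                        # assumed variable
    action: 'Create Or Update Resource Group'
    resourceGroupName: 'my-rg'                                 # assumed
    location: 'West Europe'                                    # assumed
    templateLocation: 'Linked artifact'
    csmFile: 'azuredeploy.json'                                # assumed path
    overrideParameters: >-
      -certificatePfxBase64 "$(certificateBase64Content)"
      -certificatePfxPassword "$(certificatePassword)"
    deploymentMode: 'Incremental'
```

Declare certificatePfxBase64 and certificatePfxPassword as securestring parameters in the template so their values are not recorded in the deployment history.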