Certificate 获得；“错误请求”；错误或；“未注册ProviderFound”；将密钥保管库证书（自签名）部署到Web应用程序时_Certificate_Azure Web App Service_Azure Keyvault

Certificate 获得；“错误请求”；错误或；“未注册ProviderFound”；将密钥保管库证书（自签名）部署到Web应用程序时

certificate

Certificate 获得；“错误请求”；错误或；“未注册ProviderFound”；将密钥保管库证书（自签名）部署到Web应用程序时,certificate,azure-web-app-service,azure-keyvault,Certificate,Azure Web App Service,Azure Keyvault,创建密钥库&通过执行powershell命令向RP服务主体（在AzureAD注册的应用程序）提供授权。主要保险库详情如下： Vault Name : MyKeyVaultTest 资源ID:/subscriptions/******-******-*********-*********-********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.KeyVault/vaults/MyKeyVaultTest 访问策略：租户ID:d29bcd1

创建密钥库&通过执行powershell命令向RP服务主体（在AzureAD注册的应用程序）提供授权。主要保险库详情如下：

Vault Name : MyKeyVaultTest

资源ID:/subscriptions/******-******-*********-*********-********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.KeyVault/vaults/MyKeyVaultTest 访问策略：租户ID:d29bcd12-3280-4f37-b8f2-6e9e2f581472 对象ID:daccd2fd-835a-4c03-8336-c5fcf481f3cc 应用程序ID:172f36fc-a098-47a1-9c83-04016d3e9781 密钥权限：获取、列出、更新、创建、导入、删除、恢复、备份、还原、解密、加密、解包裹密钥、WrapKey、验证、签名、清除机密权限：获取、列出、设置、删除、恢复、备份、恢复、清除证书权限：获取、列出、更新、创建、导入、删除、ManageContacts、ManageIssuers、GetIssuers、ListIssuers、SetIssuers、DeleteIssuers 对（密钥保管库管理的）存储的权限：

使用下面提到的Power Shell脚本创建了自签名证书-

$cert = New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname XXXXXXXtechmahindra.onmicrosoft.com
$pwd = ConvertTo-SecureString -String ‘XXXXXX@1234@’ -Force -AsPlainText
$path = 'cert:\localmachine\my\' + $cert.thumbprint 
Export-PfxCertificate -cert $path -FilePath c:\temp\cert.pfx -Password $pwd

向密钥库添加了相同的证书，并获得了名为“MyKeyVault TestWebAppPK”的密钥，其内容类型为“application/x-pkcs12”

然后启用ARM客户端并执行下面提到的脚本，将密钥保险库证书部署到名为“MyKeyVault TestWebApp”的Web应用程序中，该Web应用程序给出了错误。下面给出了脚本和错误-

1. Script without changing the API version:

ARMClient.exe PUT /subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.Web/certificates/keyvaultcertificate?api-version=2016-03-01 "{'Location':'SouthCentralUS','Properties':{'KeyVaultId':'/subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.KeyVault/vaults/MyKeyVaultTest', 'KeyVaultSecretName':'mykeyvaulttestwebappPK', 'serverFarmId':'/subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.Web/serverfarms/MyKeyVaultTestWebAppServicePlan'}}"

"Code": "BadRequest",
"Message": "The service does not have access to '/subscriptions/*****-*****-*****-*****-**********/resourcegroups/rg-scotia-scale-test/providers/microsoft.keyvault/vaults/mykeyvaulttest' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation."

2. Script with the Serverfarm’s API version:

ARMClient.exe PUT /subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.Web/certificates/keyvaultcertificate?api-version=2016-09-01 "{'Location':'SouthCentralUS','Properties':{'KeyVaultId':'/subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.KeyVault/vaults/MyKeyVaultTest', 'KeyVaultSecretName':'mykeyvaulttestwebappPK', 'serverFarmId':'/subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.Web/serverfarms/MyKeyVaultTestWebAppServicePlan'}}"

"code": "NoRegisteredProviderFound",
"message": "No registered resource provider found for location 'SouthCentralUS' and API version '2016-09-01' for type 'certificates'.


3. Script with the Key-Vault’s API version:

ARMClient.exe PUT /subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.Web/certificates/keyvaultcertificate?api-version=2015-06-01 "{'Location':'SouthCentralUS','Properties':{'KeyVaultId':'/subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.KeyVault/vaults/MyKeyVaultTest', 'KeyVaultSecretName':'mykeyvaulttestwebappPK', 'serverFarmId':'/subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.Web/serverfarms/MyKeyVaultTestWebAppServicePlan'}}"

"Code": "BadRequest",
"Message": "The service does not have access to '/subscriptions/*****-*****-*****-*****-**********/resourcegroups/rg-scotia-scale-test/providers/microsoft.keyvault/vaults/mykeyvaulttest' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation."

[N.B:引用了用于实施更改的“”。

根据您的错误消息，我猜您可能无法启用“Microsoft.Web”资源提供商直接访问azure密钥库

因此，您将面临可能有足够权限访问密钥库的错误

我建议您可以按照下面的powershell代码启用权限

然后您可以在azure web app中设置证书

代码如下：

Login-AzureRmAccount 
Set-AzureRmContext -SubscriptionId AZURE_SUBSCRIPTION_ID 
Set-AzureRmKeyVaultAccessPolicy -VaultName KEY_VAULT_NAME -ServicePrincipalName abfa0a7c-a6b6-4736-8310-5855508787cd -PermissionsToSecrets get

然后，您可以调用以下代码来添加证书：

ARMClient.exe PUT /subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.Web/certificates/keyvaultcertificate?api-version=2016-03-01 "{'Location':'SouthCentralUS','Properties':{'KeyVaultId':'/subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.KeyVault/vaults/MyKeyVaultTest', 'KeyVaultSecretName':'mykeyvaulttestwebappPK', 'serverFarmId':'/subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.Web/serverfarms/MyKeyVaultTestWebAppServicePlan'}}"

结果:

根据您的错误消息，我猜您可能无法启用“Microsoft.Web”资源提供程序直接访问azure密钥库

因此，您将面临可能有足够权限访问密钥库的错误

我建议您可以按照下面的powershell代码启用权限

然后您可以在azure web app中设置证书

代码如下：

Login-AzureRmAccount 
Set-AzureRmContext -SubscriptionId AZURE_SUBSCRIPTION_ID 
Set-AzureRmKeyVaultAccessPolicy -VaultName KEY_VAULT_NAME -ServicePrincipalName abfa0a7c-a6b6-4736-8310-5855508787cd -PermissionsToSecrets get

然后，您可以调用以下代码来添加证书：

ARMClient.exe PUT /subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.Web/certificates/keyvaultcertificate?api-version=2016-03-01 "{'Location':'SouthCentralUS','Properties':{'KeyVaultId':'/subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.KeyVault/vaults/MyKeyVaultTest', 'KeyVaultSecretName':'mykeyvaulttestwebappPK', 'serverFarmId':'/subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.Web/serverfarms/MyKeyVaultTestWebAppServicePlan'}}"

结果:

我尝试过，但仍然得到相同的错误…PS C:\Windows\system32>$servicePrincipal=New AzureRmADServicePrincipal-ApplicationId 172f36fc-a098-47a1-9c83-04016d3e9781 PS C:\Windows\system32>设置AzureRmKeyVaultAccessPolicy-VaultName MyKeyVaultTest-ObjectId$servicePrincipal.Id-PermissionsToKeys all-PermissionsToSecrets所有警告NG：“all”权限已被弃用，不包括“purge”权限。必须明确设置“purge”权限。PS C:\Windows\system32>$ServicePrincipal.ApplicationId#输出ServicePrincipalName/AppPrincipalIdDon不要更改我的PS代码，ServicePrincipalName abfa0a7c-a6b6-4736-8310-58555087CD表示azure web app ser副作用。请复制我的代码（只需更改keyvault名称）然后再试一次。我已经尝试过了，但仍然得到相同的错误…PS C:\Windows\system32>$servicePrincipal=New AzureRmADServicePrincipal-ApplicationId 172f36fc-a098-47a1-9c83-04016d3e9781 PS C:\Windows\system32>设置AzureRmKeyVaultAccessPolicy-VaultName MyKeyVaultTest-ObjectId$servicePrincipal.Id-PermissionsTokeyStoSecrets all警告：“all”权限已被弃用，不包括“purge”权限。必须明确设置“purge”权限。PS C:\Windows\system32>$ServicePrincipal.ApplicationId#输出ServicePrincipalName/AppPrincipalIdDon不要更改我的PS代码，ServicePrincipalName abfa0a7c-a6b6-4736-8310-58555087CD表示azure web应用程序服务。请复制我的代码（只需更改keyvault名称），然后重试。