including certificate policy with options when writing to KeyVault.

Author: joevanwanzeeleKF

AzureKeyVault/AzureClient.cs

@@ -199,7 +199,7 @@ public virtual async Task<KeyVaultResource> CreateVault()
             }
         }
 
-        public virtual async Task<KeyVaultCertificateWithPolicy> ImportCertificateAsync(string certName, string contents, string pfxPassword, Dictionary<string,string> tags, bool nonExportable)
+        public virtual async Task<KeyVaultCertificateWithPolicy> ImportCertificateAsync(string certName, string contents, string pfxPassword, Dictionary<string, string> tags, bool nonExportable)
         {
             try
             {
@@ -221,7 +221,7 @@ public virtual async Task<KeyVaultCertificateWithPolicy> ImportCertificateAsync(
                 logger.LogTrace($"calling ImportCertificateAsync on the KeyVault certificate client to import certificate {certName}");
 
                 var options = new ImportCertificateOptions(certName, p12bytes);
-                options.Policy.Exportable = nonExportable;
+                options.Policy = new CertificatePolicy { Exportable = !nonExportable, ContentType = CertificateContentType.Pkcs12 };
 
                 if (tags.Any())
                 {
@@ -389,7 +389,7 @@ public virtual (List<string>, List<string>) GetVaults()
                 var warning = $"Exception thrown performing discovery on tenantId {searchTenantId} and subscription ID {searchSubscription}.  Exception message: {ex.Message}";
 
                 logger.LogWarning(warning);
-                warnings.Add(warning);                
+                warnings.Add(warning);
             }
 
             return (vaultNames, warnings);

AzureKeyVault/Jobs/Management.cs

@@ -17,7 +17,6 @@
 using Keyfactor.Orchestrators.Extensions.Interfaces;
 using System.Collections.Generic;
 using Newtonsoft.Json;
-using System.Security.AccessControl;
 
 namespace Keyfactor.Extensions.Orchestrator.AzureKeyVault
 {
@@ -140,16 +139,16 @@ protected virtual JobResult PerformAddition(string alias, string pfxPassword, st
                     if (existing != null)
                     {
                         logger.LogTrace($"there is an existing cert..");
-                    }
 
-                    existingTags = existing?.Properties.Tags as Dictionary<string, string> ?? new Dictionary<string, string>();
+                        existingTags = existing?.Properties.Tags as Dictionary<string, string> ?? new Dictionary<string, string>();
 
-                    logger.LogTrace("existing cert tags: ");
-                    if (!existingTags.Any()) logger.LogTrace("(none)");
+                        logger.LogTrace("existing cert tags: ");
+                        if (!existingTags.Any()) logger.LogTrace("(none)");
 
-                    foreach (var tag in existingTags)
-                    {
-                        logger.LogTrace(tag.Key + " : " + tag.Value);
+                        foreach (var tag in existingTags)
+                        {
+                            logger.LogTrace(tag.Key + " : " + tag.Value);
+                        }
                     }
 
                     // if overwrite is unchecked, check for an existing cert first

integration-manifest.json

@@ -49,8 +49,8 @@
             },
             {
               "Name": "NonExportable",
-              "DisplayName": "Non Exportable",
-              "Description": "If true, this will mark the certificate as 'non-exportable' when importing into Azure KeyVault",
+              "DisplayName": "Non Exportable Private Key",
+              "Description": "If true, this will mark the certificate as having a non-exportable private key when importing into Azure KeyVault",
               "Type": "Bool",
               "DefaultValue": "False",
               "RequiredWhen": {