Learn how to export certificates from Azure Key Vault. You can export certificates by using the Azure CLI, Azure PowerShell, or the Azure portal.
About Azure Key Vault certificates
Azure Key Vault allows you to easily provision, manage, and deploy digital certificates for your network. It also enables secure communications for applications. See Azure Key Vault certificates for more information.
Composition of a certificate
When a Key Vault certificate is created, an addressable key and secret are created that have the same name. The Key Vault key allows key operations. The Key Vault secret allows retrieval of the certificate value as a secret. A Key Vault certificate also contains public x509 certificate metadata. Go to Composition of a certificate for more information.
Exportable and nonexportable keys
After a Key Vault certificate is created, you can retrieve it from the addressable secret with the private key. Retrieve the certificate in PFX or PEM format.
- Exportable: The policy used to create the certificate indicates the key is exportable.
- Non-exportable: The policy used to create the certificate indicates the key is nonexportable. In this case, the private key isn't part of the value when it is retrieved as a secret.
Supported key types: RSA, RSA-HSM, EC, EC-HSM, oct (listed here). Exportable is only allowed with RSA and EC. HSM keys are nonexportable.
For more information, see About Azure Key Vault certificates.
Export stored certificates
You can export stored certificates in Azure Key Vault by using the Azure CLI, Azure PowerShell, or the Azure portal.
Note
A certificate password is required only when you import the certificate into the key vault. Key Vault doesn't save the associated password. When you export the certificate, the password is blank.
Use the following command in the Azure CLI to download the public portion of a Key Vault certificate.
az keyvault certificate download --file
    [--encoding {DER, PEM}]
    [--id]
    [--name]
    [--subscription]
    [--vault-name]
    [--version]
View examples and parameter definitions for more information.
When you download it as a certificate, you receive the public portion. If you want both the private key and public metadata, download it as a secret.
az keyvault secret download --file {nameofcert.pfx}
    [--encoding {ascii, base64, hex, utf-16be, utf-16le, utf-8}]
    [--id]
    [--name]
    [--subscription]
    [--vault-name]
    [--version]
For more information, see parameter definitions.
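The following Python code is an added example, not part of the original page or of any Azure tooling. It checks whether a secret retrieved in PEM format contains a private key, compares that with the exportable setting of the certificate policy, and writes the key to an owner-only file. The function names, the file names `cert.pem` and `key.pem`, the `policy_exportable` argument, and the sample PEM bodies are assumptions constructed for illustration.

```python
import base64
import os
import re

# Matches one PEM block and captures its label and base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)

def split_pem(text):
    """Split an exported PEM secret into (private_key_blocks, certificate_blocks)."""
    keys, certs = [], []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), "".join(match.group(2).split())
        base64.b64decode(body, validate=True)  # raises on a corrupted block
        if label.endswith("PRIVATE KEY"):
            keys.append(match.group(0) + "\n")
        elif label == "CERTIFICATE":
            certs.append(match.group(0) + "\n")
    return keys, certs

def audit_export(text, policy_exportable):
    """Compare what the secret contains with what the certificate policy says."""
    keys, certs = split_pem(text)
    if not certs:
        return "no-certificate"
    if keys and not policy_exportable:
        return "unexpected-private-key"
    if not keys and policy_exportable:
        return "missing-private-key"
    return "ok"

def write_split(text, directory):
    """Write certs and key to separate files; key.pem is created new with mode 0600."""
    keys, certs = split_pem(text)
    cert_path = os.path.join(directory, "cert.pem")
    with open(cert_path, "w") as handle:
        handle.writelines(certs)
    key_path = None
    if keys:
        key_path = os.path.join(directory, "key.pem")
        fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as handle:
            handle.writelines(keys)
    return cert_path, key_path

# Constructed sample bodies (not real key material), standing in for a PEM secret.
_BODY = base64.b64encode(b"constructed sample, not real key material").decode()
CERT_ONLY = f"-----BEGIN CERTIFICATE-----\n{_BODY}\n-----END CERTIFICATE-----\n"
KEY_AND_CERT = f"-----BEGIN PRIVATE KEY-----\n{_BODY}\n-----END PRIVATE KEY-----\n" + CERT_ONLY
```

A result of `unexpected-private-key` means the downloaded value carries key material even though the policy was expected to be nonexportable, so the file should be treated as a secret and the policy reviewed.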