Question

MichalOrac-4941 asked · MarileeTurscak-MSFT edited

Key Vault virtual machine extension for Linux - how to delete previous PEM file

Hi,
I have successfully installed the Key Vault virtual machine extension for Linux on Ubuntu 18.04 (Azure VM).
The certificate from KeyVault is imported in the default store /var/lib/waagent/Microsoft.Azure.KeyVault in PEM format.

How do I ensure that after importing a new version of the certificate, only the current one remains in the store and the old (invalid) one is deleted?

This is the current state:
adminmox2@VM2:/var/lib/waagent/Microsoft.Azure.KeyVault$ ls
michalcpqtestwekv1.TestAcme
michalcpqtestwekv1.TestAcme.9c312a9e003b4df8a3a7881b5b149a6c.1651038865.1658814864.PEM
michalcpqtestwekv1.TestAcme.e1d6acf454d6474dab68dfb455e1b048.1650965285.1658741284.PEM

Thank you



azure-key-vault

Hi @MichalOrac-4941,

Have you deleted the actual certificate files as described here?


MichalOrac-4941 · MarileeTurscak-MSFT

Hi, @MarileeTurscak-MSFT

If I delete them manually, only the last valid certificate is copied again to the Linux cert store; this is OK.

I'm solving this "challenge" because I want to use acme-bot, which renews an SSL cert every 3 months and stores it in Key Vault.
From Key Vault I sync the SSL cert into the Linux VM.
I will use the renewed (reissued) SSL cert in app.js.


1 Answer

MarileeTurscak-MSFT answered · MarileeTurscak-MSFT edited

Hi @MichalOrac-4941,

With Key Vault certificates you cannot just delete a specific version. You cannot do this for any object, because Key Vault doesn't care whether it is a certificate, key, or secret. If you delete a certificate, it deletes it entirely, and there is no workaround that I am aware of. When you create a new version of any object in Key Vault, the old one is still there but is invalid and no longer used. In your case, each certificate version has a thumbprint that designates it as the current version, and the certificate will not be able to be used unless you download the version with that thumbprint.

(screenshot: 198958-image.png)

Let me know if this helps.



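The answer above explains why the superseded version cannot be removed from Key Vault itself; what the question actually needs is cleanup on the VM side, where the extension writes one PEM per certificate version. The following POSIX shell script is an added example, not code from the question, the answer, or the Key Vault VM extension. It assumes the file names have the shape `<vault>.<cert>.<version>.<notBefore-epoch>.<notAfter-epoch>.PEM` (32-hex version id followed by two Unix timestamps); that is an interpretation of the listing in the question (the two timestamp pairs there are about 90 days apart, as ACME certificates are), not something the page states. Per `<vault>.<cert>` prefix it keeps only the PEM with the latest expiry and deletes the rest; the bare `<vault>.<cert>` file and any PEM that does not match the pattern are left alone.

```shell
#!/bin/sh
# Added example: prune superseded PEM files written by the Key Vault VM
# extension for Linux. Not the extension's own tooling.
# ASSUMPTION: file names look like
#   <vault>.<cert>.<version>.<notBefore-epoch>.<notAfter-epoch>.PEM
# (32-hex version id, two epoch timestamps), as in the listing in the question.

# Print "<vault>.<cert> <notAfter>" for a file that matches the pattern,
# nothing otherwise (so callers can skip files the extension did not write).
parse_pem_name() {
    basename "$1" | sed -En 's/^(.+)\.[0-9a-f]{32}\.[0-9]+\.([0-9]+)\.PEM$/\1 \2/p'
}

# Print the path of the PEM with the latest notAfter for each <vault>.<cert>.
# Paths are assumed to contain no spaces (true for the waagent store).
list_current_pems() {
    for f in "$1"/*.PEM; do
        [ -e "$f" ] || continue
        parsed=$(parse_pem_name "$f")
        [ -n "$parsed" ] || continue
        printf '%s %s\n' "$parsed" "$f"
    done | sort -k1,1 -k2,2nr | awk '!seen[$1]++ { print $3 }'
}

# Delete every pattern-matching PEM that is not the current one for its
# prefix. The bare "<vault>.<cert>" file and non-matching PEMs are untouched.
# Prints the number of files removed.
prune_superseded_pems() {
    dir="$1"
    keep=$(list_current_pems "$dir")
    removed=0
    for f in "$dir"/*.PEM; do
        [ -e "$f" ] || continue
        [ -n "$(parse_pem_name "$f")" ] || continue
        if printf '%s\n' "$keep" | grep -Fxq -- "$f"; then
            continue
        fi
        rm -f -- "$f"
        removed=$((removed + 1))
    done
    echo "$removed"
}

# Usage: sh prune-keyvault-pems.sh /var/lib/waagent/Microsoft.Azure.KeyVault
if [ -n "${1:-}" ]; then
    prune_superseded_pems "$1"
fi
```

Run it after the extension has polled Key Vault and written the new version, so the cleanup never races a sync in progress; as the commenter observed, a manually emptied store is repopulated with only the latest version anyway. Before pointing app.js at the surviving file, confirm it is the one you expect with `openssl x509 -in <file> -noout -subject -enddate`. This only tidies the copy on the VM; the older version still exists in Key Vault, as the answer describes.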


