-
Having successfully installed, configured, and used the Keyvault Acmebot to generate a server-side TLS certificate, I would now like to have Azure Active Domain Service import that certificate for the Secure LDAP endpoint. I have configured AADS SLDAP on my own for self-signed certs where I controlled the password used to encrypt the PFX file. Here, though, it is Acmebot that created the certificate and it is Key Vault that exports it. If any PFX encryption password was used, where is that stored and how do I retrieve it? Is there a way to get AADS to directly load a PFX cert from a Key Vault without having to export to a PFX and reload it?
Replies: 2 comments
-
Answer myself. The certificate that gets stored in Azure Key Vault is downloaded from Azure as a PFX without an encryption passphrase. (The dialog in Azure warns about this before it does so.) So one ends up with a PFX without a password, and Azure Active Directory Domain Services wants a password-protected PFX. To generate a password-protected PFX from a non-password-protected one, openssl can be used:

```sh
# Pull the private key out of the unprotected PFX. Press Enter at the (empty)
# "Import Password" prompt, then choose a PEM pass phrase to protect acmebot.key.
openssl pkcs12 -in kv-acmebot-name.pfx -nocerts -out acmebot.key

# Pull out the leaf certificate only (-clcerts), without the key.
openssl pkcs12 -in kv-acmebot-name.pfx -clcerts -nokeys -out acmebot.cer

# Re-bundle key and certificate into a new PFX. You are asked for the PEM pass
# phrase of acmebot.key and then for the export password that protects acmebot.pfx.
openssl pkcs12 -export -out acmebot.pfx -inkey acmebot.key -in acmebot.cer
```

You will get asked along the way for the necessary pass phrases. The final PFX file will have the same certs and keys as before but will now be encrypted. (Can it be done in a single step? I don't know; haven't tried it.)

-
As an addition for a similar problem, since it helped me: