
keyvault certificate import api doesn't work when password has special character #8827

Closed
vany0114 opened this issue Mar 20, 2019 · 14 comments

@vany0114

Describe the bug
When I try to import a certificate with special characters inside the password it generates this error:

'%9H' is not recognized as an internal or external command,
operable program or batch file.

To Reproduce
Try to import a certificate with this password: Q1$VGcjv&%8H

az keyvault certificate import --vault-name 'my-vault' -n 'myCert' -f "C:\myCert.pfx" --password 'Q1$VGcjv&%8H'

Expected behavior
It should import the certificate since it is completely valid.

Environment summary
CLI version: azure-cli (2.0.24)
OS version: Windows 10 Enterprise
Shell Type: bash | cmd.exe | Bash on Windows

Additional context
I tried to import the same certificate through the Azure Portal, but I'm getting this error:

Format of Pkcs12 value is invalid

So I decided to try with PowerShell, then I got the same error, so I guess the Azure portal uses the same script.

$Password = ConvertTo-SecureString -String 'Q1$VGcjv&%8H' -AsPlainText -Force
Import-AzureKeyVaultCertificate -VaultName 'my-vault' -Name 'myCert' -FilePath 'C:\myCert.pfx' -Password $Password

Then I tried with Azure CLI and I get the mentioned error. My workaround was to import it as a secret using the Set-AzureKeyVaultSecret API, but it should import the certificate as a key vault certificate because the pfx and passwords are completely valid.

@tjprescott
Member

What shell are you running the CLI command from? I suspect it is PowerShell based on the error, and if that's the case, there is nothing we can do about this because the splitting on & occurs before your command ever reaches the CLI.

@vany0114
Author

Sorry, not sure what you mean, but I'm running the CLI command directly from my PC through the cmd.

@tjprescott
Member

Thanks for the clarification @vany0114. For CMD, only ever wrap strings in double quotes. If you run your command with --debug, you will see, for example, that -n 'myCert' is interpreted as name = 'myCert' not myCert. If you provide your password in double quotes you will not get that unrecognized command error.

@vany0114
Author

@tjprescott I tried with double quotes too and it didn't work :(
Actually, for vault-name and name parameters, I didn't use quotes at all. (sorry my bad, writing the example)

@tjprescott
Member

With double quotes, do you get the Format of Pkcs12 value is invalid error?

@vany0114
Author

With double quotes I get:

'%9H' is not recognized as an internal or external command,
operable program or batch file.

@tjprescott
Member

@vany0114
Author

vany0114 commented Mar 20, 2019

> With double quotes, do you get the Format of Pkcs12 value is invalid error?

Sorry @tjprescott, indeed I get that error. When you asked I tested it out in PS rather than cmd.

I've tried with ^ and didn't get errors, but it does nothing. I checked my Keyvault but there's nothing there, though.

image

@tjprescott
Copy link
Member

Thanks @vany0114, I was trying to separate the quoting issue from the service issue. The KeyVault team will need to address why your certificate does not work. Since you can't upload it with the CLI, PS or portal, it implies there is something questionable in the service.

Also, I noticed you are using CLI 2.0.24, which is well over a year old. You might try updating your CLI and see if that resolves the problem.
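
The split between a quoting problem and a service problem can be checked locally. The following is an added example, not code from this thread or from the Azure CLI project: `Test-PfxPassword` is a hypothetical helper name, and the path, vault and certificate names are the ones used in the issue. It reads the password with `Read-Host -AsSecureString`, so no shell parses it and it never appears in history or a process list, opens the PFX with .NET, and calls the import only if that succeeds.

```powershell
# Added example. Test-PfxPassword is a hypothetical helper name.
function Test-PfxPassword {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [securestring] $Password
    )
    try {
        # .NET resolves relative paths against the process directory, not the
        # PowerShell location, so hand it a fully resolved path.
        $full = (Resolve-Path -LiteralPath $Path -ErrorAction Stop).ProviderPath
        # X509Certificate2(string, SecureString) parses the PKCS#12 file locally.
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($full, $Password)
        [pscustomobject]@{
            Opened        = $true
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey
            Error         = $null
        }
        $cert.Reset()   # release the key material held by the object
    }
    catch {
        # Missing file, wrong password or malformed PKCS#12 data.
        [pscustomobject]@{
            Opened = $false; Subject = $null; Thumbprint = $null
            HasPrivateKey = $false; Error = $_.Exception.Message
        }
    }
}

# The password is typed at a prompt: no quotes, no ^ escapes, no & splitting.
$password = Read-Host -Prompt 'PFX password' -AsSecureString
$check    = Test-PfxPassword -Path 'C:\myCert.pfx' -Password $password

if ($check.Opened) {
    # Same cmdlet and parameters as in the issue, reusing the SecureString.
    Import-AzureKeyVaultCertificate -VaultName 'my-vault' -Name 'myCert' `
        -FilePath 'C:\myCert.pfx' -Password $password
}
else {
    Write-Warning "PFX did not open locally: $($check.Error)"
}
```

If the local check succeeds and the import still fails, the password reached the cmdlet intact, which rules out shell quoting as the cause.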

@vany0114
Copy link
Author

I updated the CLI to the latest version (2.0.60) and I'm still getting that error.

However, escaping the & I get this new error:

image

@LinoRS

LinoRS commented Jul 11, 2019

Hi guys, yeah, I have also run into this recently and the only workaround was to change the password for the PFX to not use any special characters ;-)... tested with PS and Azure GUI

@nshenoy

nshenoy commented Jul 16, 2019

I just ran into this today. My certificate password has a ? in it. When trying to import via the Azure portal, the error I get is Pkcs12 value is invalid.. When trying to use the azure-cli (version 2.0.67), I get We could not parse the provided certificate as .pem or .pfx. Please verify the certificate with OpenSSL.. I also tried to escape the ? with ^? and same error.

@LinoRS

LinoRS commented Jul 16, 2019

> I just ran into this today. My certificate password has a ? in it. When trying to import via the Azure portal, the error I get is Pkcs12 value is invalid.. When trying to use the azure-cli (version 2.0.67), I get We could not parse the provided certificate as .pem or .pfx. Please verify the certificate with OpenSSL.. I also tried to escape the ? with ^? and same error.

Yeah, you will need to export it again with MMC-snapin-cert and then make sure the password has no special characters in it, and then attempt the import into Azure; it will work... ;-)

@jiasli
Member

jiasli commented Jan 2, 2020

Similar to #11003 (comment)

@vany0114, please check the solution and let us know if you can get unblocked.
