Thursday, January 12, 2023

Retrieve older versions of Azure Key Vault Secrets with CLI

Azure Key Vault keeps multiple versions of each secret. You can store up to 500 versions!

Versions are useful when you rotate a secret but some consumer still needs the previous value. Instead of creating a separate secret, you can point that consumer at the previous version of the same secret by its versioned identifier. Two things to keep in mind: a consumer pinned to a specific version will not pick up later rotations until you change the reference, and an old version stays readable by anyone with get permission on the secret until you disable or delete it, so a rotation is not finished until the old version has been disabled.

Versioning is also one way to organize secrets: rather than creating a new secret every time, you can keep a version of the same secret per use case and tell them apart with tags (this is not suitable for every case!).

For example, you could create a secret called ConnectionString, keep one version per environment and label each with tags. Be aware, though, that a request without a version always returns the latest version, whichever environment that happens to be, and that Key Vault permissions apply to the whole secret, not to individual versions: a caller allowed to read the development version can read the production one too. Where environments differ in trust level, separate secrets or separate vaults are the safer layout.

Following is an easy way to get all versions of a specific secret in your Key Vault and then select a specific version with the Azure CLI (run from PowerShell, since the output is piped into ConvertFrom-Json):

1. List all versions (metadata only; the secret values are not returned)
az keyvault secret list-versions `
    --name ConnectionString `
    --vault-name dinushavault | ConvertFrom-Json | Select-Object id

2. Select a specific secret version by its versioned identifier (the last path segment is the version)
az keyvault secret show `
    --id https://dinushavault.vault.azure.net/secrets/ConnectionString/f647afaf87fe4397933d70fb1fefb1fc
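The two steps above done as a small PowerShell helper, as an added example that is not code from the original post. It parses the list-versions output, picks the newest version that is still enabled but is not the current one (the version you would hand to a system that cannot switch yet), fetches that value, and shows the cleanup step the post only implies: disabling old versions once nobody needs them. It assumes the Azure CLI is installed, `az login` has been run, and the caller has list, get and set permission on secrets. The vault name, secret name and the sample JSON are placeholders constructed for this example.

```powershell
# Added example, not code from the original post. Assumes the Azure CLI is installed,
# 'az login' has been run, and the caller holds list/get/set permission on secrets.
# Vault name, secret name and the sample JSON below are placeholders/constructed data.

function Select-SecretVersion {
    # Turns the JSON from 'az keyvault secret list-versions' into objects sorted newest-first.
    # list-versions returns only metadata (ids, attributes, tags), never secret values.
    param([Parameter(Mandatory)] [string] $ListVersionsJson)
    $ListVersionsJson | ConvertFrom-Json |
        Sort-Object { [datetime]$_.attributes.created } -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Version = ($_.id -split '/')[-1]          # last path segment of the id
                Id      = $_.id
                Enabled = [bool]$_.attributes.enabled
                Created = [datetime]$_.attributes.created
                Tags    = $_.tags
            }
        }
}

function Get-PreviousSecretVersion {
    # The newest *enabled* version that is not the current (latest enabled) one.
    # Disabled versions are skipped: they cannot be read, so they are useless to a consumer.
    param([Parameter(Mandatory)] [object[]] $Versions)
    $Versions | Where-Object Enabled | Select-Object -Skip 1 -First 1
}

# Constructed sample in the shape of 'az keyvault secret list-versions' output (values made up).
$sampleJson = @'
[
  {"id":"https://examplevault.vault.azure.net/secrets/ConnectionString/aaaa1111",
   "attributes":{"enabled":true,"created":"2022-11-01T09:00:00+00:00"},"tags":{"env":"prod"}},
  {"id":"https://examplevault.vault.azure.net/secrets/ConnectionString/bbbb2222",
   "attributes":{"enabled":false,"created":"2022-12-15T09:00:00+00:00"},"tags":{"env":"prod"}},
  {"id":"https://examplevault.vault.azure.net/secrets/ConnectionString/cccc3333",
   "attributes":{"enabled":true,"created":"2023-01-12T09:00:00+00:00"},"tags":{"env":"prod"}}
]
'@
$versions = Select-SecretVersion -ListVersionsJson $sampleJson
# cccc3333 is current; bbbb2222 is newer than aaaa1111 but disabled, so aaaa1111 is selected.
$previous = Get-PreviousSecretVersion -Versions $versions
$previous | Format-List Version, Enabled, Created

# Against a real vault (placeholder names): same logic on live metadata, then read one value.
$vaultName  = 'examplevault'
$secretName = 'ConnectionString'
$json = az keyvault secret list-versions --vault-name $vaultName --name $secretName -o json
if ($LASTEXITCODE -ne 0) { throw 'az keyvault secret list-versions failed' }
$live = Select-SecretVersion -ListVersionsJson ($json -join "`n")
$prev = Get-PreviousSecretVersion -Versions $live
# Hand $prev.Id (the versioned URI) to the consumer that still needs the old value,
# or read the value here with the versioned id.
$oldValue = az keyvault secret show --id $prev.Id --query value -o tsv
if ($LASTEXITCODE -ne 0) { throw 'az keyvault secret show failed' }

# Cleanup once every consumer is on the current version: disable every enabled version
# except the newest, so the old values can no longer be read (they can be re-enabled if needed).
$live | Where-Object Enabled | Select-Object -Skip 1 | ForEach-Object {
    az keyvault secret set-attributes --id $_.Id --enabled false | Out-Null
}
```

The selection works on the `created` timestamp rather than on list order, because the CLI does not promise a sort order. Reading a value uses the full versioned id, so the result is stable even after the next rotation; the cleanup loop is what actually ends the old version's useful life for an attacker who has captured it.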

Tuesday, January 10, 2023

How to generate a self-signed code signing certificate

A code signing certificate is an X.509 certificate used to verify the identity of a software publisher and the integrity of the software they ship. The publisher signs the software with it, producing a cryptographic signature that shows the code has not been tampered with or altered since it was signed.

That lets you check that the component you are installing really comes from the publisher named in the certificate and has not been modified on the way to you.

Code signing certificates work with public key cryptography. When a publisher signs their code, they hash the file and sign that hash with their private key. The signature is embedded in the file together with the publisher's certificate, which carries the public key and the chain back to the issuing CA, so a verifier needs nothing else to check it.

Following is a PowerShell script to generate a self-signed code signing certificate (run it from an elevated session, since it writes to the LocalMachine store):

$cert = New-SelfSignedCertificate `
    -Type CodeSigningCert `
    -CertStoreLocation Cert:\LocalMachine\My `
    -DnsName Test.LOCAL `
    -NotAfter ([datetime]'2035-03-12') `
    -FriendlyName "Test.LOCAL"
# The PFX contains the private key: protect it with a real password. Do not reuse $pwd for this,
# it is PowerShell's built-in current-directory variable.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$path = 'Cert:\LocalMachine\My\' + $cert.Thumbprint
Export-PfxCertificate -Cert $path -FilePath C:\Code\Cert\Test.LOCAL.pfx -Password $pfxPassword

When a user runs or installs the software, the operating system hashes the file, verifies the embedded signature with the public key in the publisher's certificate, and checks that the certificate chains to a root the machine trusts and is valid for code signing. Only then is the signature reported as valid. If the file has been altered or the chain cannot be built, Windows warns that the publisher is unknown or the file may have been tampered with, and PowerShell under a restrictive execution policy refuses to run the script. A self-signed certificate like the one above proves integrity but not identity: no third party vouches for it, so it fails the chain check on every machine where it has not been explicitly imported as trusted. Use it for test and lab machines only, and guard the PFX (the private key) accordingly, since anyone holding it can sign code that those machines will trust.
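The verification behaviour described above, as an added example that is not code from the original post: a script is signed with the Test.LOCAL certificate, checked before and after the certificate is trusted on the local machine, and then tampered with so the hash check fails. It assumes an elevated Windows PowerShell session, a code-signing certificate with friendly name Test.LOCAL already present in Cert:\LocalMachine\My (for example the one created by the script above), and a writable test folder; the script path, the .cer path and the script contents are placeholders constructed for this example.

```powershell
# Added example, not code from the original post. Assumes an elevated Windows PowerShell
# session, a code-signing certificate with friendly name 'Test.LOCAL' in Cert:\LocalMachine\My
# (for example the one created above) and a writable test folder. Paths and the script
# contents are placeholders constructed for this demonstration.

$scriptPath = 'C:\Code\Cert\hello.ps1'
$cerPath    = 'C:\Code\Cert\Test.LOCAL.cer'   # public certificate only, no private key

$cert = Get-ChildItem Cert:\LocalMachine\My -CodeSigningCert |
    Where-Object FriendlyName -eq 'Test.LOCAL' | Select-Object -First 1
if (-not $cert) { throw 'No code-signing certificate named Test.LOCAL in Cert:\LocalMachine\My' }

function Get-SignatureState {
    # Summarises what the OS concludes about the Authenticode signature on a file.
    param([Parameter(Mandatory)] [string] $Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Status  = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
        Message = $sig.StatusMessage
        Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
    }
}

# 1. Create a script (constructed content) and sign it with the certificate's private key.
Set-Content -Path $scriptPath -Value 'Write-Output "hello from a signed script"'
Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert -HashAlgorithm SHA256 | Out-Null

# 2. The signature itself verifies, but the chain ends in a root this machine does not trust,
#    so the status is not Valid (the message explains that the root is not trusted).
Get-SignatureState -Path $scriptPath

# 3. Trust the test certificate on this machine only. Root lets the chain build; TrustedPublisher
#    lets an AllSigned execution policy run it without prompting. Never do this on production
#    hosts: anything signed with that private key is trusted there from now on.
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
foreach ($store in 'Root', 'TrustedPublisher') {
    Import-Certificate -FilePath $cerPath -CertStoreLocation "Cert:\LocalMachine\$store" | Out-Null
}
# Same file, same signature; now the chain builds and the status becomes Valid.
Get-SignatureState -Path $scriptPath

# 4. Tamper with the signed body. The signature block is still present, but the hash it
#    covers no longer matches the file, so the status changes to HashMismatch.
(Get-Content -Path $scriptPath) -replace 'hello', 'tampered' | Set-Content -Path $scriptPath
Get-SignatureState -Path $scriptPath
```

Step 2 is the situation users of a self-signed certificate hit in practice: integrity is intact, identity is unverified. Step 3 is what makes the chain build, and it is exactly why the PFX needs protecting: after the import, the private key behind Test.LOCAL is as powerful on that machine as a public CA's signing key. To undo the trust, remove the certificate from both stores again (Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\TrustedPublisher by thumbprint, then Remove-Item).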

Following is a sample error message you might get