KeyVault Merge Certificate (BadParameter) ASN1 bad tag value met #2834

Closed
funkbunker opened this issue Jun 28, 2018 · 2 comments
@funkbunker

Hi,

When generating a certificate signed by an unknown CA, I am hitting the error "(BadParameter) ASN1 bad tag value met" when trying to merge the certificate back at the end.

My certificate is in PEM format; it looks a bit like this:

-----BEGIN CERTIFICATE-----
MIIC1zCCAb8CCQDr9JUJilWejDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJB
...snip...
l5nLmYRSHKC6obU=
-----END CERTIFICATE-----

I'm giving it a bit of sanitization using the following:

cert1 = cert.split('-----\n')
cert2 = cert1[1].split('\n-----')
cert3 = cert2[0].split('\n')
cert4 = ''.join(cert3)
certlist = []
certlist.append(cert4.encode())

Out the end of this my certlist looks a bit like this:

[b'MIIC1zCCAb8CCQDr9JUJilWe......snip.....YRSHKC6obU=']

The reason I have gone for this is in the code: https://github.com/Azure/azure-sdk-for-python/blob/master/azure-keyvault/azure/keyvault/key_vault_client.py

The type of x509_certificates is list[bytearray]. However, when I fire this at my keyvault using:

key_vault_client.merge_certificate(KEY_VAULT_URI, certname, certlist)

I get this back:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.6/site-packages/azure/keyvault/key_vault_client.py", line 3823, in merge_certificate
    raise models.KeyVaultErrorException(self._deserialize, response)
azure.keyvault.models.key_vault_error.KeyVaultErrorException: (BadParameter) ASN1 bad tag value met. (Exception from HRESULT: 0x8009310B)

I have tried to submit the merge via the portal and all is OK, after trying via the Python SDK. And I think that the list of bytearray above is correct, as if I try to submit a certificate for another csr/key I get an expected:

(BadParameter) Public key from x509 certificate and key of this instance doesn't match

I haven't had much joy on Google or Stack Overflow; everything about "ASN1 bad tag value met" seems to be quite old and about certificates in IIS.

Please let me know if you need any further information.

Thanks

Daniel
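
Added example, not part of the original issue and not the SDK's own code: it converts a PEM certificate into DER bytes and classifies what a list element really holds. It assumes the client base64-encodes each `bytearray` element when it serializes the request, so an element that is still base64 text reaches the service without the ASN.1 SEQUENCE tag (0x30) as its first byte; `pem_to_der_list`, `classify` and `build_sample_pem` are hypothetical names and the sample is constructed.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)
SEQUENCE = b"\x30"  # ASN.1 tag that opens every DER-encoded X.509 certificate


def pem_to_der_list(pem_text):
    """Return one DER bytes object per CERTIFICATE block, in order of appearance."""
    ders = []
    for body in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if der[:1] != SEQUENCE:
            raise ValueError("block does not decode to an ASN.1 SEQUENCE")
        ders.append(der)
    if not ders:
        raise ValueError("no CERTIFICATE block found")
    return ders


def classify(element):
    """Say what a bytes element actually holds before it is sent."""
    if element.lstrip().startswith(b"-----BEGIN"):
        return "pem-text"
    try:
        if base64.b64decode(element, validate=True)[:1] == SEQUENCE:
            return "base64-text"  # still armoured: first byte is 'M', not 0x30
    except ValueError:
        pass  # not valid base64, so it may be raw DER
    return "der" if element[:1] == SEQUENCE else "unknown"


def build_sample_pem():
    # Constructed stand-in for a certificate: SEQUENCE { INTEGER 1 }, not a real cert.
    der = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    pem = build_sample_pem()
    # Same outcome as the split/join steps in the issue: base64 text as bytes.
    as_in_issue = "".join(PEM_BLOCK.findall(pem)[0].split()).encode()
    print(classify(as_in_issue))              # base64-text
    print(classify(pem_to_der_list(pem)[0]))  # der
```

Under that assumption, the list returned by `pem_to_der_list` is what would take the place of `certlist` in the `merge_certificate` call shown above.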

@lmazuel
Member

lmazuel commented Jun 28, 2018

@schaabs ?

lmazuel added the question and KeyVault labels Jun 28, 2018
bsiegel added the Service Attention label Sep 26, 2018
azure-sdk added the customer-reported label Sep 24, 2020
lmazuel assigned mccoyp and unassigned schaabs Nov 23, 2020
azure-sdk added the needs-team-attention label Jan 5, 2021
AlexGhiondea added the Client label Sep 15, 2021

@mccoyp
Member

mccoyp commented Sep 16, 2021

Hi @funkbunker, thank you for opening this issue! It's been a while since this was opened, and in the meantime we've released new Key Vault SDK packages, so the merge_certificate API now lives in azure-keyvault-certificates. We don't have a sample for merge_certificate at this time, but we do have a targeted test for the method that can be found here.

If possible, I would encourage you to try out the new package and open a new issue if there are any problems. Even if you can't do so at this time but are still seeing this error, please feel free to let us know! I'll close this issue in the meantime.
