{"id":12158,"date":"2026-04-12T19:57:00","date_gmt":"2026-04-13T00:57:00","guid":{"rendered":"https:\/\/www.rushworth.us\/lisa\/?p=12158"},"modified":"2026-05-21T15:09:59","modified_gmt":"2026-05-21T20:09:59","slug":"venafi-trust-protect-and-azure-key-vault-integration","status":"publish","type":"post","link":"https:\/\/www.rushworth.us\/lisa\/?p=12158","title":{"rendered":"Azure Key Vault Integration with Azure Pipelines"},"content":{"rendered":"<p>This document assumes:<\/p>\n<p>Azure CLI is installed (<a href=\"https:\/\/learn.microsoft.com\/en-us\/cli\/azure\/install-azure-cli-linux\">https:\/\/learn.microsoft.com\/en-us\/cli\/azure\/install-azure-cli-linux<\/a>)<\/p>\n<p>You already have an agent pool with an online agent in a deployment pool<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1919\" height=\"911\" class=\"wp-image-12180\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-22.png\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-22.png 1919w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-22-300x142.png 300w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-22-1024x486.png 1024w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-22-768x365.png 768w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-22-1536x729.png 1536w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-22-750x356.png 750w\" sizes=\"auto, (max-width: 1919px) 100vw, 1919px\" \/><\/p>\n<p>And, finally, that you have a pipeline deployment that uses a static keystore. 
We will be replacing that static keystore file with one obtained from the Azure Key Vault.<\/p>\n<p>First, ensure the <strong>Azure DevOps service connection<\/strong> used by the pipeline has access to LJRVenafiTestKeyVault with at least:<\/p>\n<ul>\n<li><strong>Secrets<\/strong>: Get, List<\/li>\n<\/ul>\n<p>From the Azure command line, e.g.<\/p>\n<p>az role assignment create --assignee-object-id 107d2d9a-4d1b-4d8b-9cd6-0f95587eb9ae --assignee-principal-type ServicePrincipal --role &quot;Key Vault Secrets User&quot; --scope &quot;\/subscriptions\/dede429d-a340-4e90-8f76-05aa5280a1f5\/resourceGroups\/ljr-keyvault-demo\/providers\/Microsoft.KeyVault\/vaults\/LJRVenafiTestKeyVault&quot;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1619\" height=\"451\" class=\"wp-image-12181\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-23.png\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-23.png 1619w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-23-300x84.png 300w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-23-1024x285.png 1024w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-23-768x214.png 768w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-23-1536x428.png 1536w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-23-750x209.png 750w\" sizes=\"auto, (max-width: 1619px) 100vw, 1619px\" \/><\/p>\n<p>If you do not know which service connection is being used, update and run the pipeline. 
It will fail with a permission error, but the service connection\u2019s usage history will reflect the release pipeline\u2019s use:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1918\" height=\"857\" class=\"wp-image-12182\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-24.png\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-24.png 1918w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-24-300x134.png 300w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-24-1024x458.png 1024w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-24-768x343.png 768w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-24-1536x686.png 1536w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-24-750x335.png 750w\" sizes=\"auto, (max-width: 1918px) 100vw, 1918px\" \/><\/p>\n<p>Update your pipeline to retrieve the certificate from the Azure KeyVault. 
Add an Azure CLI task using an inline script:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1917\" height=\"901\" class=\"wp-image-12183\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-25.png\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-25.png 1917w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-25-300x141.png 300w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-25-1024x481.png 1024w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-25-768x361.png 768w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-25-1536x722.png 1536w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-25-750x353.png 750w\" sizes=\"auto, (max-width: 1917px) 100vw, 1917px\" \/><\/p>\n<p>set -euo pipefail<\/p>\n<p>PFX_FILE=&quot;$AGENT_TEMPDIRECTORY\/VenafiDeployedCertificate.pfx&quot;<\/p>\n<p>az keyvault secret download \\<\/p>\n<p>--vault-name LJRVenafiTestKeyVault \\<\/p>\n<p>--name VenafiDeployedCertificate \\<\/p>\n<p>--file &quot;$PFX_FILE&quot; \\<\/p>\n<p>--encoding base64<\/p>\n<p>echo &quot;Downloaded PFX to $PFX_FILE&quot;<\/p>\n<p>echo &quot;##vso[task.setvariable variable=PFX_PATH]$PFX_FILE&quot;<\/p>\n<p>If you need a JKS file, add an additional bash task with an inline script:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1919\" height=\"892\" class=\"wp-image-12184\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-26.png\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-26.png 1919w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-26-300x139.png 300w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-26-1024x476.png 1024w, 
https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-26-768x357.png 768w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-26-1536x714.png 1536w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-26-750x349.png 750w\" sizes=\"auto, (max-width: 1919px) 100vw, 1919px\" \/><\/p>\n<p>set -euo pipefail<\/p>\n<p>JKS_FILE=&quot;$AGENT_TEMPDIRECTORY\/VenafiDeployedCertificate.jks&quot;<\/p>\n<p># Verify keytool exists<\/p>\n<p>command -v keytool &gt;\/dev\/null 2&gt;&amp;1 || { echo &quot;keytool not found on agent&quot;; exit 1; }<\/p>\n<p>keytool -importkeystore \\<\/p>\n<p>-srckeystore &quot;$(PFX_PATH)&quot; \\<\/p>\n<p>-srcstoretype PKCS12 \\<\/p>\n<p>-srcstorepass &quot;&quot; \\<\/p>\n<p>-destkeystore &quot;$JKS_FILE&quot; \\<\/p>\n<p>-deststoretype JKS \\<\/p>\n<p>-deststorepass &quot;$(JksPassword)&quot; \\<\/p>\n<p>-destkeypass &quot;$(JksPassword)&quot; \\<\/p>\n<p>-noprompt<\/p>\n<p>echo &quot;Created JKS at $JKS_FILE&quot;<\/p>\n<p>echo &quot;##vso[task.setvariable variable=JKS_PATH]$JKS_FILE&quot;<\/p>\n<p>Add a pipeline variable for the JKS password, and make sure to click the lock icon to mark it as a secret so the value is protected:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1916\" height=\"407\" class=\"wp-image-12185\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-27.png\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-27.png 1916w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-27-300x64.png 300w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-27-1024x218.png 1024w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-27-768x163.png 768w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-27-1536x326.png 1536w, 
https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-27-750x159.png 750w\" sizes=\"auto, (max-width: 1916px) 100vw, 1916px\" \/><\/p>\n<p>And, finally, add a bash task to copy the JKS or PFX file to the proper place on the server:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1915\" height=\"660\" class=\"wp-image-12186\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-28.png\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-28.png 1915w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-28-300x103.png 300w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-28-1024x353.png 1024w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-28-768x265.png 768w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-28-1536x529.png 1536w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-28-750x258.png 750w\" sizes=\"auto, (max-width: 1915px) 100vw, 1915px\" \/><\/p>\n<p>set -euo pipefail<\/p>\n<p># Copy JKS to location on server used in app config<\/p>\n<p>TARGET_DIR=&quot;\/opt\/credential-injection\/certs&quot;<\/p>\n<p>TARGET_JKS=&quot;$TARGET_DIR\/VenafiDeployedCertificate.jks&quot;<\/p>\n<p>cp &quot;$(JKS_PATH)&quot; &quot;$TARGET_JKS&quot;<\/p>\n<p>chmod 600 &quot;$TARGET_JKS&quot;<\/p>\n<p>echo &quot;JKS copied to $TARGET_JKS&quot;<\/p>\n<p># Or copy pfx to location on server used in app config<\/p>\n<p>TARGET_PFX=&quot;$TARGET_DIR\/VenafiDeployedCertificate.pfx&quot;<\/p>\n<p>cp &quot;$(PFX_PATH)&quot; &quot;$TARGET_PFX&quot;<\/p>\n<p>chmod 600 &quot;$TARGET_PFX&quot;<\/p>\n<p>Create a release to run the pipeline. 
Looking at the logs, you should see a confirmation that the pfx file was created<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1568\" height=\"905\" class=\"wp-image-12187\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-29.png\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-29.png 1568w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-29-300x173.png 300w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-29-1024x591.png 1024w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-29-768x443.png 768w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-29-1536x887.png 1536w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-29-750x433.png 750w\" sizes=\"auto, (max-width: 1568px) 100vw, 1568px\" \/><\/p>\n<p>And, if you are creating a JKS file, a confirmation that it was created as well<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1554\" height=\"525\" class=\"wp-image-12188\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-30.png\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-30.png 1554w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-30-300x101.png 300w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-30-1024x346.png 1024w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-30-768x259.png 768w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-30-1536x519.png 1536w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-30-750x253.png 750w\" sizes=\"auto, (max-width: 1554px) 100vw, 1554px\" \/><\/p>\n<p>You should also see the certificate file(s) on the 
server:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1146\" height=\"123\" class=\"wp-image-12189\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-31.png\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-31.png 1146w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-31-300x32.png 300w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-31-1024x110.png 1024w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-31-768x82.png 768w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/word-image-12158-31-750x80.png 750w\" sizes=\"auto, (max-width: 1146px) 100vw, 1146px\" \/><\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This document assumes: Azure CLI is installed (https:\/\/learn.microsoft.com\/en-us\/cli\/azure\/install-azure-cli-linux) You already have an agent pool with online agent in a deployment pool And, finally, that you have a pipeline deployment that uses a static keystore. We will be replacing that static keystore file with one obtained from the Azure Key Vault. 
First, ensure the Azure DevOps &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1510,30],"tags":[2194,2193,2184,2192],"class_list":["post-12158","post","type-post","status-publish","format-standard","hentry","category-ado","category-system-administration","tag-certificate-automation","tag-certificate-management","tag-venafi","tag-venafi-tpp"],"_links":{"self":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/12158","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=12158"}],"version-history":[{"count":3,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/12158\/revisions"}],"predecessor-version":[{"id":12307,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/12158\/revisions\/12307"}],"wp:attachment":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=12158"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=12158"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=12158"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}