Unable to disable auto-renewal on a keyvault certificate policy

[RobB-OG]

Description

I am trying to remove the auto renewal from some of our certificates. If I try the below:

$KV = get-azkeyvault -VaultName <KVName>
$cert = $KV | Get-AzKeyVaultCertificate -Name "RBTest"
$cert | Set-AzKeyVaultCertificatePolicy -RenewAtNumberOfDaysBeforeExpiry $null -RenewAtPercentageLifetime $null

I get an error saying The argument is null, empty, or an element of the argument collection contains a null value.

If I try pulling down the current policy and setting it, as below, I get a request for the curve parameter, but then I get an error saying "Set-AzKeyVaultCertificatePolicy : Curve cannot be specified with RSA key type." if I try setting it

$KV = get-azkeyvault -VaultName <KVName>
$cert = $KV | Get-AzKeyVaultCertificate -Name "RBTest"
$policy = $cert | Get-AzKeyVaultCertificatePolicy

$policy.RenewAtNumberOfDaysBeforeExpiry = $null
$policy.RenewAtPercentageLifetime = $null
$policy.curve = "P-521"

$policy | Set-AzKeyVaultCertificatePolicy -VaultName $cert.Vaultname -Name $cert.Name

Issue script & Debug output

$KV = get-azkeyvault -VaultName <KVName>

$cert = $KV | Get-AzKeyVaultCertificate -Name "RBTest"

$policy = $cert | Get-AzKeyVaultCertificatePolicy

$policy.RenewAtNumberOfDaysBeforeExpiry = $null
$policy.RenewAtPercentageLifetime = $null
$policy.curve = "P-521"

$policy | Set-AzKeyVaultCertificatePolicy -VaultName $cert.Vaultname -Name $cert.Name

$cert | Set-AzKeyVaultCertificatePolicy -RenewAtNumberOfDaysBeforeExpiry $null -RenewAtPercentageLifetime $null

Environment data

PS C:\Users\RobBatley> $PSVersionTable

Name                           Value                                                                                                                                                                                                                             
----                           -----                                                                                                                                                                                                                             
PSVersion                      5.1.22621.3880                                                                                                                                                                                                                    
PSEdition                      Desktop                                                                                                                                                                                                                           
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}                                                                                                                                                                                                           
BuildVersion                   10.0.22621.3880                                                                                                                                                                                                                   
CLRVersion                     4.0.30319.42000                                                                                                                                                                                                                   
WSManStackVersion              3.0                                                                                                                                                                                                                               
PSRemotingProtocolVersion      2.3                                                                                                                                                                                                                               
SerializationVersion           1.1.0.1

Module versions

get-module az.keyvault

ModuleType Version    Name                                ExportedCommands                                                                                                                                                                                       
---------- -------    ----                                ----------------                                                                                                                                                                                       
Script     6.0.1      Az.KeyVault                         {Add-AzKeyVaultCertificate, Add-AzKeyVaultCertificateContact, Add-AzKeyVaultKey, Add-AzKeyVaultManagedStorageAccount...}

Error output

Message        : Curve cannot be specified with RSA key type.
StackTrace     :    at Microsoft.Azure.Commands.KeyVault.Models.PSKeyVaultCertificatePolicy.ValidateKeyTypeAndCurve(String keyType, String curve)
                    at Microsoft.Azure.Commands.KeyVault.Models.PSKeyVaultCertificatePolicy.ValidateInternal(IList`1 dnsNames, IList`1 ekus, Nullable`1 renewAtNumberOfDaysBeforeExpiry, Nullable`1 renewAtPercentageLifetime, Nullable`1 
                 emailAtNumberOfDaysBeforeExpiry, Nullable`1 emailAtPercentageLifetime, String subjectName, String keyType, Int32 keySize, String curve)
                    at Microsoft.Azure.Commands.KeyVault.Models.PSKeyVaultCertificatePolicy.Validate()
                    at Microsoft.Azure.Commands.KeyVault.SetAzureKeyVaultCertificatePolicy.ExecuteCmdlet()
                    at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
Exception      : System.ArgumentException
InvocationInfo : {Set-AzKeyVaultCertificatePolicy}
Line           : $policy | Set-AzKeyVaultCertificatePolicy -VaultName $cert.Vaultname -Name $cert.Name
Position       : At line:12 char:11
                 + $policy | Set-AzKeyVaultCertificatePolicy -VaultName $cert.Vaultname  ...
                 +           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HistoryId      : 18


Message        : Cannot validate argument on parameter 'RenewAtNumberOfDaysBeforeExpiry'. The argument is null, empty, or an element of the argument collection contains a null value. Supply a collection that does not contain any null values and then try 
                 the command again.
StackTrace     :    at System.Management.Automation.ParameterBinderBase.BindParameter(CommandParameterInternal parameter, CompiledCommandParameter parameterMetadata, ParameterBindingFlags flags)
                    at System.Management.Automation.CmdletParameterBinderController.BindParameter(CommandParameterInternal argument, MergedCompiledCommandParameter parameter, ParameterBindingFlags flags)
                    at System.Management.Automation.CmdletParameterBinderController.BindParameter(UInt32 parameterSets, CommandParameterInternal argument, MergedCompiledCommandParameter parameter, ParameterBindingFlags flags)
                    at System.Management.Automation.CmdletParameterBinderController.BindParameters(UInt32 parameterSets, Collection`1 arguments)
                    at System.Management.Automation.CmdletParameterBinderController.BindCommandLineParametersNoValidation(Collection`1 arguments)
                    at System.Management.Automation.CmdletParameterBinderController.BindCommandLineParameters(Collection`1 arguments)
                    at System.Management.Automation.CommandProcessor.BindCommandLineParameters()
                    at System.Management.Automation.CommandProcessor.Prepare(IDictionary psDefaultParameterValues)
                    at System.Management.Automation.CommandProcessorBase.DoPrepare(IDictionary psDefaultParameterValues)
                    at System.Management.Automation.Internal.PipelineProcessor.Start(Boolean incomingStream)
                    at System.Management.Automation.Internal.PipelineProcessor.SynchronousExecuteEnumerate(Object input)
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Management.Automation.Internal.PipelineProcessor.SynchronousExecuteEnumerate(Object input)
                    at System.Management.Automation.PipelineOps.InvokePipeline(Object input, Boolean ignoreInput, CommandParameterInternal[][] pipeElements, CommandBaseAst[] pipeElementAsts, CommandRedirection[][] commandRedirections, FunctionContext 
                 funcContext)
                    at System.Management.Automation.Interpreter.ActionCallInstruction`6.Run(InterpretedFrame frame)
                    at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
Exception      : System.Management.Automation.ParameterBindingValidationException
InvocationInfo : {Set-AzKeyVaultCertificatePolicy}
Line           : $cert | Set-AzKeyVaultCertificatePolicy -RenewAtNumberOfDaysBeforeExpiry $null
Position       : At line:1 char:74
                 + ... et-AzKeyVaultCertificatePolicy -RenewAtNumberOfDaysBeforeExpiry $null
                 +                                                                     ~~~~~
HistoryId      : 8

[BethanyZhou]

@RobB-OG, what if use the second way to disable auto-renewal without specifying $policy.curve = "P-521"?

[RobB-OG]

Hi,
Running the below returns an error:

$KV = get-azkeyvault -VaultName <KVName>
$cert = $KV | Get-AzKeyVaultCertificate -Name "RBTest"
$policy = $cert | Get-AzKeyVaultCertificatePolicy
$policy.RenewAtNumberOfDaysBeforeExpiry = $null
$policy.RenewAtPercentageLifetime = $null
$policy | Set-AzKeyVaultCertificatePolicy -VaultName $cert.Vaultname -Name $cert.Name

Set-AzKeyVaultCertificatePolicy : Cannot validate argument on parameter 'Curve'. The argument is null, empty, or an element of the argument collection contains a null value. Supply a collection that does not contain any null values and then try the command
again.

[BethanyZhou]

Hi @RobB-OG, do you mind sharing the result of $policy = $cert | Get-AzKeyVaultCertificatePolicy?

[RobB-OG]

Hi,

$cert | Get-AzKeyVaultCertificatePolicy


SecretContentType               : application/x-pkcs12
Kty                             : RSA
KeySize                         : 2048
Curve                           : 
Exportable                      : True
ReuseKeyOnRenewal               : False
SubjectName                     : CN=rbtesting
DnsNames                        : {}
Emails                          : 
UserPrincipalNames              : 
KeyUsage                        : {digitalSignature, keyEncipherment}
Ekus                            : {1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2}
ValidityInMonths                : 12
IssuerName                      : Self
CertificateType                 : 
RenewAtNumberOfDaysBeforeExpiry : 
RenewAtPercentageLifetime       : 10
EmailAtNumberOfDaysBeforeExpiry : 
EmailAtPercentageLifetime       : 
CertificateTransparency         : 
Enabled                         : True
Created                         : 22/07/2024 16:45:09
Updated                         : 25/07/2024 10:01:38

Thanks for looking at this!

Rob

[BethanyZhou]

Hi @RobB-OG,

Thanks for your information.

• For command $policy | Set-AzKeyVaultCertificatePolicy -VaultName $cert.Vaultname -Name $cert.Name

  • If piping $policy to Set-AzKeyVaultCertificatePolicy,
    • the property Curve in $policy will be mapped into parameter Curve due to the definition of ValueFromPipelineByPropertyName
    • check validate possible values defined in ValidateSet and found it is a null.

          /// <summary>
          /// Elliptic Curve Name of the key
          /// </summary>
          [Parameter(Mandatory = false,
                     **ValueFromPipelineByPropertyName = true,**
                     HelpMessage = "Specifies the elliptic curve name of the key of the ECC certificate.")]
          [ValidateSet(Constants.P256, Constants.P384, Constants.P521, Constants.P256K, Constants.SECP256K1)]
          public string Curve { get; set; }

  - Please try Set-AzKeyVaultCertificatePolicy -VaultName $cert.Vaultname -Name $cert.Name -InputObject $policy to work around this issue.

  • If policy object is provided, its value will pass to backend directly. there is no need to receive piping values for other parameters. To fix this issue, ValueFromPipelineByPropertyName should be removed not only for Curve, but also KeySize and CertificateTransparency.

• For command $cert | Set-AzKeyVaultCertificatePolicy -RenewAtNumberOfDaysBeforeExpiry $null -RenewAtPercentageLifetime $null,

  • The issue is the two parameters are nullable, but they define ValidateRange().

          /// <summary>
          /// RenewAtNumberOfDaysBeforeExpiry
          /// </summary>
          [Parameter(Mandatory = true,
              ParameterSetName = ExpandedRenewNumberParameterSet,
              HelpMessage = "Specifies the number of days before expiration when automatic renewal should start.")]
          [ValidateRange(1, int.MaxValue)]
          public int? RenewAtNumberOfDaysBeforeExpiry { get; set; }
  
          /// <summary>
          /// RenewAtPercentageLifetime
          /// </summary>
          [Parameter(Mandatory = false,
              ParameterSetName = ExpandedRenewPercentageParameterSet,
              HelpMessage = "Specifies the percentage of the lifetime after which the automatic process for the certificate renewal begins.")]
          [ValidateRange(0, 99)]
          public int? RenewAtPercentageLifetime { get; set; }

  • To fix this issue, only check their ranges if not null. Attribute ValidateRange can't handle this case, need to move the range validation during the execution process of command.