I recently had to copy a few certificates between Azure key vaults. These certificates were issued in one key vault but given access restrictions, they were consumed from another key vault.

Note 1: copying certificates between key vaults is generally a bad idea as the copied certificate will not follow any automatic renewal setup for the original.

The PowerShell script below was adapted mostly from this StackOverflow answer. The primary change was to use the X509Certificate2 class constructor instead of the Import method, which is not recommended.

Note 2: you will need to log in to Azure using Connect-AzAccount before running the script.

If you peruse the script, you will notice that we are using Get-AzKeyVaultSecret to get the PFX certificate encoded as a Base64 string, convert it to a byte[], and finally import the certificate using Import-AzKeyVaultCertificate.

You might be asking yourself what happened to Get-AzKeyVaultCertificate. While that command does exist, it returns a PSKeyVaultCertificate object, which is not compatible with the X509Certificate2Collection type required by Import-AzKeyVaultCertificate.
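To make the flow above concrete, here is an added example of my own (not the StackOverflow script) that copies one certificate between two vaults using Get-AzKeyVaultSecret, the X509Certificate2 constructor and Import-AzKeyVaultCertificate, and checks the thumbprint afterwards. The vault and certificate names are placeholders, and it assumes an existing Connect-AzAccount session with the Az.KeyVault module loaded.

```powershell
# Added example: copy a Key Vault certificate (with its private key) from one
# vault to another. Vault and certificate names below are placeholders.
# Required permissions: secrets/get on the source vault, certificates/import on
# the destination vault. Run Connect-AzAccount first.
param(
    [string]$SourceVault      = 'source-vault-placeholder',
    [string]$DestinationVault = 'destination-vault-placeholder',
    [string]$CertificateName  = 'certificate-name-placeholder'
)
$ErrorActionPreference = 'Stop'

# Key Vault exposes the PFX of a certificate as a secret with the same name.
$secret = Get-AzKeyVaultSecret -VaultName $SourceVault -Name $CertificateName
if ($secret.ContentType -ne 'application/x-pkcs12') {
    throw "Expected a PKCS#12 secret, got content type '$($secret.ContentType)'"
}

# SecretValue is a SecureString holding the Base64-encoded PFX; unwrap it
# via BSTR so the plaintext buffer can be zeroed immediately afterwards.
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secret.SecretValue)
try   { $pfxBase64 = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
$pfxBytes = [Convert]::FromBase64String($pfxBase64)

# Build the certificate with the constructor rather than the obsolete Import
# method. Exportable is needed so the private key can be re-exported into the
# destination vault. Key Vault PFX secrets carry no password, hence ''.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
$cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxBytes, '', $flags)
if (-not $cert.HasPrivateKey) { throw 'Decoded PFX contains no private key' }
$sourceThumbprint = $cert.Thumbprint

# Import-AzKeyVaultCertificate wants an X509Certificate2Collection, not the
# PSKeyVaultCertificate that Get-AzKeyVaultCertificate returns.
$collection = [System.Security.Cryptography.X509Certificates.X509Certificate2Collection]::new($cert)
$imported = Import-AzKeyVaultCertificate -VaultName $DestinationVault `
    -Name $CertificateName -CertificateCollection $collection

# Confirm the destination holds the very same certificate.
if ($imported.Thumbprint -ne $sourceThumbprint) {
    throw "Thumbprint mismatch: source $sourceThumbprint, destination $($imported.Thumbprint)"
}

# Clear key material from this session.
[Array]::Clear($pfxBytes, 0, $pfxBytes.Length)
$cert.Dispose()
Write-Output "Copied $CertificateName ($sourceThumbprint) to $DestinationVault"
```

Remember that the copy is a one-off snapshot: when the source vault renews the certificate, this script has to be run again, which is the point of Note 1 above.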

Cheers,

Lucas