Wednesday, May 1, 2019

Fetching a Private Key From An Azure Key Vault Certificate

If you create a private certificate in Azure Key Vault and use features like auto-rotation, you may want to fetch the private key from the vault and rehydrate it as an X509Certificate2 instance in your C# code.

Here is how you do that:

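// Requires: using System; using Microsoft.Azure.KeyVault; using System.Security.Cryptography.X509Certificates;
KeyVaultClient keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetToken));
var certificateBundle = await keyVaultClient.GetCertificateAsync(certificateIdentifier);
// The secret behind the certificate holds the full certificate, including the private key, base64-encoded.
var certificateSecret = await keyVaultClient.GetSecretAsync(certificateBundle.SecretIdentifier.Identifier);
byte[] certificateDecoded = Convert.FromBase64String(certificateSecret.Value);
// Key Vault stores the private certificate with a blank password.
var certificate = new X509Certificate2(certificateDecoded, password: "");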

The certificate bundle returned by the GetCertificateAsync call has a .Cer property, but that is just the bytes of the public key. If you do this:

var publicCertificate = new X509Certificate2(certificateBundle.Cer);

The X509Certificate2 instance will only contain the public key. Instead, you need to fetch the full secret and decode it to bytes. Once you do that, the only other thing you need to know is that Azure Key Vault stores the private certificate with a blank password.

GetToken, passed to the KeyVaultClient constructor above, is the method the Key Vault client uses to fetch the authentication that will be used to access both the certificate and the secret. Note that the caller needs both the secrets Get and the certificates Get access policies set in the portal for the Azure Key Vault.

For More Information About How GetToken Works


Sunday, June 24, 2018

Regex to search VSCode for Azure subscription keys

Before you check in code, make sure the Azure subscription keys are removed or replaced with obvious markers.

In VSCode, select the magnifying glass, then select the last icon on the line, ".*", indicating the search is by regular expression. Enter [a-z0-9]{32} in the search text box and press Enter.

The search results appear below the search text box. Scan the results for any highlighted keys that are real key values.
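The same check can run outside the editor, for example before a commit. The script below is an added example, not code from the original post: it uses the post's [a-z0-9]{32} pattern, and the boundary checks, the letters-and-digits heuristic, the file suffix list and the sample values are assumptions made here to cut down on results that are not real keys.

```python
import re
from pathlib import Path

# The post's pattern, bounded so it does not fire inside longer tokens
# such as 40- or 64-character hashes. The bounding is an addition here.
KEY_RE = re.compile(r"(?<![A-Za-z0-9])[a-z0-9]{32}(?![A-Za-z0-9])")


def looks_like_key(token):
    """Assumed heuristic: a real key mixes letters and digits and is not a repeated filler."""
    has_digit = any(c.isdigit() for c in token)
    has_alpha = any(c.isalpha() for c in token)
    return has_digit and has_alpha and len(set(token)) > 4


def scan_text(text, name="<text>"):
    """Return (name, line_number, token) for every candidate key in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            if looks_like_key(match.group()):
                hits.append((name, lineno, match.group()))
    return hits


def scan_tree(root, suffixes=(".cs", ".js", ".json", ".config", ".md")):
    """Scan files under root; the suffix list is an assumption, adjust it per project."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            hits.extend(scan_text(path.read_text(errors="ignore"), str(path)))
    return hits


# Constructed sample input; the key-like value is made up for this example.
SAMPLE = "\n".join([
    'const key = "0123456789abcdef0123456789abcdef";',
    'const placeholder = "' + "x" * 32 + '";',
    'const sha1 = "da39a3ee5e6b4b0d3255bfef95601890afd80709";',
    'curl -H "Ocp-Apim-Subscription-Key:<subscriptionKey>"',
])

if __name__ == "__main__":
    for name, lineno, token in scan_text(SAMPLE):
        # Print only a prefix so the scan output does not leak the key itself.
        print(f"{name}:{lineno}: possible key {token[:4]}...")
```

Of the four sample lines, only the first is reported: the placeholder has no digits, the 40-character hash is longer than a key, and the curl line carries only the <subscriptionKey> marker.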

Wednesday, May 16, 2018

Changing TLS setting for Azure web apps including Bot Framework

If you need to change the TLS setting for your Azure web apps, including Bot Framework apps, go to the Azure portal. In the left navigation, select All Resources, then sort the table by the type column.

Any row with the type of app service may need the TLS setting updated based on the service announcement here.

On each service, select the SSL section, and change the Minimum TLS Version.

Tuesday, January 16, 2018

Curl command for Microsoft Cognitive Services product QnA Maker

This is the curl command to send QnA Maker a question and receive the answer:

curl -H "Content-Type: application/json" -H "Ocp-Apim-Subscription-Key:<subscriptionKey>" -X POST -d '{"question":"<question>"}'<appID>/generateAnswer

<subscriptionKey> found on
<appID> found in the URL when viewing the app, ?kbid=<appID>
<question> a question such as "How do I ...?"

Monday, January 15, 2018

Debug mocha.js with VSCode

This is my cheat sheet for debugging the mocha.js project from VSCode while adding fixes to it. This is not about how to debug ANY project that is using mocha for testing.

The mocha.js repository has a build system that builds into /bin/mocha.

I don't use a package.json script. I just use a launch.json mocha test configuration:

{
    // Use IntelliSense to learn about possible attributes.
    // Hover to view descriptions of existing attributes.
    // For more information, visit:
    "version": "0.2.0",
    "configurations": [
        {
            "type": "node",
            "request": "launch",
            "name": "Mocha Tests",
            "program": "${workspaceFolder}/bin/_mocha",
            "args": [
                // exact file to debug, such as "dina.spec.js"; no timeout args
            ],
            "internalConsoleOptions": "openOnSessionStart"
        }
    ]
}

  • The program value has to be changed from the node_modules directory to the /bin directory. The top level file is supposed to be bin/_mocha but it won't debug. 
  • Remove any timeout args from the args array. 
  • Specify the exact file you want to debug into such as "dina.spec.js"

Sunday, October 15, 2017

for Windows 10 Desktops in the cloud

I recently needed a clean Windows 10 desktop for testing purposes. I couldn't use Docker, Vagrant, VirtualBox or any of the other local-to-my-computer VM solutions. I tried the Amazon Workspaces solution but it had the typical UX of 30 questions I don't know the answer to. I just wanted a desktop that could download from the Internet. to the rescue!

Within 5 minutes I had a Windows 10 desktop in a browser and the hardest questions were how much CPU and RAM I wanted. The cost was incredibly inexpensive too.

The test only took 10 minutes and I destroyed the cloud machine after that.

This was the easiest, fastest, and cheapest solution to the problem.