Terraform acme provider:

I'm using Terraform Acme provider to generate/renew certs and upload them to the Azure KV store.

In the attribute section, I see an attribute

  • [certificate_p12] - The certificate, any intermediates, and the private key archived as a PFX file (PKCS12 format, generally used by Microsoft products). The data is base64 encoded (including padding), and its password is configurable via the [certificate_p12_password] argument. This field is empty if creating a certificate from a CSR.

Is this attribute supposed to be a full chain? (as it is an archive of the certificate, any intermediates, and the private key)
When I exported it to Azure KV and checked the content (.crt), it showed that it had only the issuer cert and not the intermediate certs.

This really sounds like a question better suited to whatever support channels exist for that software. But based on what you've posted, it appears the contents of certificate_p12 should include the full chain (i.e., the leaf cert plus any intermediate cert(s), but not the root cert), plus the private key.

5 Likes

Thanks for the response.

2 Likes

The question is probably how you exported it from Terraform and how you are checking it, because you're only seeing the leaf cert as a .crt and you need the full PFX.

If the value is available as a base64 encoded pfx you should be able to export the entire base64 data, decode it to binary from base64 and it will literally be a PFX file (cert, intermediates and key).

3 Likes

I'm exporting it as a certificate to the Azure KV store using the terraform resource azurerm_key_vault_certificate.
Accessing the cert via an Azure VM at the path /var/lib/waagent/, I see <thumbprint>.crt and <thumbprint>.prv files.

I used this command to verify the details:
openssl x509 -in <thumbprint>.crt -text -noout

azurerm_key_vault_certificate seems to update the certificate in keyvault, what process updates the certificate in the VM at /var/lib/waagent/? That's where you are losing details (keyvault will have your certificate, intermediates and key, the VM only has an export of the leaf cert and key).

Have you downloaded the PFX directly from keyvault and inspected it to see if it does contain the intermediates (without converting it to component parts)?

4 Likes
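The check the replies above suggest, decoding the base64 certificate_p12 value into a real PFX and inspecting that directly rather than the .crt/.prv parts, as an added example that is not from this thread or from the Terraform ACME provider's code. It assumes OpenSSL on the path; the Terraform output name cert_p12 in the comment is an assumption, and the root/intermediate/leaf chain built by make_test_p12_b64 is constructed on the fly so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the original thread or from the Terraform
# ACME provider: decode the base64 certificate_p12 value into a PFX file and
# count the certificates it holds, so the chain is checked *before* anything
# splits it into .crt/.prv parts.
set -eu

# count_p12_certs B64 PASSWORD [all|leaf|ca]
#   B64      base64 PKCS12 data as Terraform emits it (padding included)
#   PASSWORD the certificate_p12_password value
#   all      every certificate in the bundle (leaf + intermediates)
#   leaf     only the end-entity cert (-clcerts): what a "cert only" export keeps
#   ca       only the CA/intermediate certs (-cacerts)
count_p12_certs() {
    b64="$1"; pw="$2"; which="${3:-all}"
    pfx="$(mktemp)"
    # Terraform prints the value on one line; tr makes wrapped input work too.
    printf '%s' "$b64" | tr -d '\n\r ' | openssl base64 -d -A > "$pfx"
    case "$which" in
        leaf) sel="-clcerts" ;;
        ca)   sel="-cacerts" ;;
        *)    sel="" ;;
    esac
    # -nokeys: list certificates only; grep counts PEM blocks (0 if none, or if
    # the password is wrong and the PKCS12 MAC check fails).
    # shellcheck disable=SC2086  # $sel is intentionally unquoted (may be empty)
    n="$(openssl pkcs12 -in "$pfx" -nokeys $sel -passin "pass:$pw" 2>/dev/null \
         | grep -c 'BEGIN CERTIFICATE' || true)"
    rm -f "$pfx"
    echo "$n"
}

# make_test_p12_b64 PASSWORD
# Constructed fixture (not real CA material): builds a root -> intermediate ->
# leaf chain and packs leaf + key + intermediate (no root) into a PFX, the
# shape the provider documents for certificate_p12, then prints it base64.
make_test_p12_b64() {
    d="$(mktemp -d)"
    ec="ec -pkeyopt ec_paramgen_curve:prime256v1"
    # shellcheck disable=SC2086  # $ec is intentionally split into three args
    openssl req -x509 -newkey $ec -nodes -keyout "$d/root.key" -out "$d/root.crt" \
        -subj "/CN=Constructed Test Root" -days 2 2>/dev/null
    openssl req -newkey $ec -nodes -keyout "$d/int.key" -out "$d/int.csr" \
        -subj "/CN=Constructed Test Intermediate" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -set_serial 1 -days 2 -out "$d/int.crt" 2>/dev/null
    openssl req -newkey $ec -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" \
        -subj "/CN=www.example.test" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -set_serial 2 -days 2 -out "$d/leaf.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$d/leaf.key" -in "$d/leaf.crt" \
        -certfile "$d/int.crt" -passout "pass:$1" -out "$d/leaf.pfx"
    openssl base64 -A -in "$d/leaf.pfx"
    rm -rf "$d"
}

# Run with --demo: build the fixture and show what each view of the bundle holds.
# Against a real deployment you would instead do something like
#   b64="$(terraform output -raw cert_p12)"   # assumes an output named cert_p12
if [ "${1:-}" = "--demo" ]; then
    b64="$(make_test_p12_b64 secret)"
    echo "all:  $(count_p12_certs "$b64" secret all)"    # leaf + intermediate
    echo "leaf: $(count_p12_certs "$b64" secret leaf)"   # end-entity cert only
    echo "ca:   $(count_p12_certs "$b64" secret ca)"     # intermediate only
fi
```

Two things worth knowing when reading the counts: `openssl x509 -text -noout` on a PEM file prints only the first certificate it finds, so that command cannot distinguish a full-chain .crt from a leaf-only one, whereas listing the PFX with `openssl pkcs12 -nokeys` (or the `-clcerts`/`-cacerts` subsets) shows every bag. And a wrong certificate_p12_password fails the PKCS12 MAC check, which this function reports as zero certificates, so treat a zero as "could not open the bundle" rather than "no chain".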

I verified, and the certificate_p12 is a full chain.
The VM only has an export of the leaf cert and key.
Yes, this is where I'm missing the full chain. Now, I'm looking at the options to access the Thumbprint (full chain) from the VM, like using workload-identity credentials, etc.

You are possibly using something like this to fetch the cert from keyvault:

Or some Terraform component. You could optionally script the export and certificate conversion yourself.

2 Likes