how to extract the PFX data from an Azure keyvault to apply to the authentication setting of a Send Message of a logic app

Question

how to extract the PFX data from an Azure keyvault to apply to the authentication setting of a Send Message of a logic app

Chris Dent 0

I need to upgrade the authentication on a logic app action Send Messgae tp ClintCertificate.

I have the CA issued certificate in a Keyvault.

When I try to extract the pfx details using

"authentication": {
      "type": "ClientCertificate",
      "pfx": "@{body('Get_Certificate_Keys_secret')?['value']}",
      "password": "@{body('Get_Certificate_Password_secret')?['value']}"

the run errors with

BadRequest Could not load the certificate private key. Please check the authentication certificate password is correct and try again.

Praveen Kumar Gudipudi 1,495 Reputation points Microsoft External Staff Moderator

2025-11-26T04:54:37.1333333+00:00

Hello Chris Dent,

Where exactly you're getting above error?

key vault connector or send message connector?
Praveen Kumar Gudipudi 1,495 Reputation points Microsoft External Staff Moderator

2025-11-28T04:35:17.2333333+00:00

Hello Chris Dent,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Chris Dent 0 Reputation points

2025-11-28T10:06:28.3166667+00:00

The error appear on the SendMessage

To fetch the secret I using "Get Secret" and selecting the "Certificate" name, but the values extracted is without the private Key
Praveen Kumar Gudipudi 1,495 Reputation points Microsoft External Staff Moderator

2025-11-28T10:17:46.3633333+00:00

Hello Chris Dent,

Please use below expression to change PFX to Binay.in Http connector authentication.

Convert Base64 → Binary using below expression.

base64ToBinary(--pass key vault secret --)
Chris Dent 0 Reputation points

2025-11-28T10:24:30.34+00:00
I tried the:

base64ToBinary(--pass key vault secret --)

as

"authentication": { "type": "ClientCertificate", "pfx": "@{base64ToBinary(body('Get_Certificate_Keys_secret')?['value'])}", "password": "@{body('Get_Certificate_Password_secret')?['value']}" }

but I get an error

BadRequest The authentication certificate is not formatted correctly. Could not load the certificate.

I put a comment on Adam Response

Thanks Adam

for:

What actually works:

In Key Vault, go to Certificates → your cert → Download in PFX format.

Confirm the certificate also created a secret entry. The secret must contain only the Base64 PFX.

In your Logic App, reference that secret directly:

BUT:

When I download the Certificate using Download in PFX format., it exports a file, but it does not create a secret entry ? - is there a setting somewhere (like policy) that instructs the download to conduct the "secret" to be created.

The issue I have is there is no value in the KeyVault secret to pull. the Certificate is only in the "Certificate" section of the keyvault.
Chris Dent 0 Reputation points

2025-11-28T10:48:38.29+00:00

Im looking at

Exportable or non-exportable key

When a Key Vault certificate is created, it can be retrieved from the addressable secret with the private key in either PFX or PEM format. The policy that's used to create the certificate must indicate that the key is exportable. If the policy indicates that the key is non-exportable, then the private key isn't a part of the value when it's retrieved as a secret.

I read that the policy used, is created during the CA certificate import - does this mean the missing Private Key is because its been declared as non Exportable by GlobalSign (the CA) in the file they sent us?
Praveen Kumar Gudipudi 1,495 Reputation points Microsoft External Staff Moderator

2025-12-01T04:09:42.7933333+00:00
Hello Chris Dent,

When you create or import a certificate in Key Vault, you specify a certificate policy. This policy includes whether the private key is exportable.

If you generate the certificate in Key Vault, you can set exportable to true in the policy.

If you import a certificate from a CA (like GlobalSign), Key Vault respects the properties of that PFX. If the CA issued the certificate with a non-exportable private key, Key Vault cannot override that—it will store the certificate but will not create a secret containing the private key.

Result: The backing secret will either be missing or will only contain the public part (PEM), not the full PFX with private key.

So yes, if GlobalSign provided a PFX that was marked non-exportable, or if they only sent you a CER (public key only), Key Vault cannot produce an exportable secret. You’d need to:

Options to fix this:

Request an exportable PFX from the CA (with private key and password).

Or generate the certificate in Key Vault (with exportable key policy) and have the CA sign it via CSR.

If you only have a CER, you can’t get the private key from it—Key Vault won’t create a usable secret for Logic Apps.
Praveen Kumar Gudipudi 1,495 Reputation points Microsoft External Staff Moderator

2025-12-04T06:30:12.05+00:00

Hello Chris Dent,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.

1 answer

Your answer

Praveen Kumar Gudipudi 1,495 Reputation points Microsoft External Staff Moderator

2025-11-26T04:54:37.1333333+00:00

Hello Chris Dent,

Where exactly you're getting above error?

key vault connector or send message connector?
Praveen Kumar Gudipudi 1,495 Reputation points Microsoft External Staff Moderator

2025-11-28T04:35:17.2333333+00:00

Hello Chris Dent,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Chris Dent 0 Reputation points

2025-11-28T10:06:28.3166667+00:00

The error appear on the SendMessage

To fetch the secret I using "Get Secret" and selecting the "Certificate" name, but the values extracted is without the private Key
Praveen Kumar Gudipudi 1,495 Reputation points Microsoft External Staff Moderator

2025-11-28T10:17:46.3633333+00:00

Hello Chris Dent,

Please use below expression to change PFX to Binay.in Http connector authentication.

Convert Base64 → Binary using below expression.

base64ToBinary(--pass key vault secret --)
Chris Dent 0 Reputation points

2025-11-28T10:24:30.34+00:00

I tried the:

base64ToBinary(--pass key vault secret --)

as

"authentication": { "type": "ClientCertificate", "pfx": "@{base64ToBinary(body('Get_Certificate_Keys_secret')?['value'])}", "password": "@{body('Get_Certificate_Password_secret')?['value']}" }

but I get an error

BadRequest The authentication certificate is not formatted correctly. Could not load the certificate.

I put a comment on Adam Response

Thanks Adam

for:

What actually works:

In Key Vault, go to Certificates → your cert → Download in PFX format.

Confirm the certificate also created a secret entry. The secret must contain only the Base64 PFX.

In your Logic App, reference that secret directly:

BUT:

When I download the Certificate using Download in PFX format., it exports a file, but it does not create a secret entry ? - is there a setting somewhere (like policy) that instructs the download to conduct the "secret" to be created.

The issue I have is there is no value in the KeyVault secret to pull. the Certificate is only in the "Certificate" section of the keyvault.
Chris Dent 0 Reputation points

2025-11-28T10:48:38.29+00:00

Im looking at

Exportable or non-exportable key

When a Key Vault certificate is created, it can be retrieved from the addressable secret with the private key in either PFX or PEM format. The policy that's used to create the certificate must indicate that the key is exportable. If the policy indicates that the key is non-exportable, then the private key isn't a part of the value when it's retrieved as a secret.

I read that the policy used, is created during the CA certificate import - does this mean the missing Private Key is because its been declared as non Exportable by GlobalSign (the CA) in the file they sent us?
Praveen Kumar Gudipudi 1,495 Reputation points Microsoft External Staff Moderator

2025-12-01T04:09:42.7933333+00:00

Hello Chris Dent,

When you create or import a certificate in Key Vault, you specify a certificate policy. This policy includes whether the private key is exportable.

If you generate the certificate in Key Vault, you can set exportable to true in the policy.

If you import a certificate from a CA (like GlobalSign), Key Vault respects the properties of that PFX. If the CA issued the certificate with a non-exportable private key, Key Vault cannot override that—it will store the certificate but will not create a secret containing the private key.

Result: The backing secret will either be missing or will only contain the public part (PEM), not the full PFX with private key.

So yes, if GlobalSign provided a PFX that was marked non-exportable, or if they only sent you a CER (public key only), Key Vault cannot produce an exportable secret. You’d need to:

Options to fix this:

Request an exportable PFX from the CA (with private key and password).

Or generate the certificate in Key Vault (with exportable key policy) and have the CA sign it via CSR.

If you only have a CER, you can’t get the private key from it—Key Vault won’t create a usable secret for Logic Apps.
Praveen Kumar Gudipudi 1,495 Reputation points Microsoft External Staff Moderator

2025-12-04T06:30:12.05+00:00

Hello Chris Dent,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.

Answer 1

You’re running into this because Logic Apps can’t use the raw Base64 string from Key Vault as-is.

When you pull a certificate from Key Vault, the secret value is the full PFX encoded in Base64.

Logic Apps expects a clean Base64 PFX string with the correct password, and the most common failure is either:

The secret is stored as a Key Vault certificate object, not a secret, or

The value includes extra JSON fields instead of being the raw Base64 PFX.

What actually works:

In Key Vault, go to Certificates → your cert → Download in PFX format.

Confirm the certificate also created a secret entry. The secret must contain only the Base64 PFX.

In your Logic App, reference that secret directly:

"authentication": {
  "type": "ClientCertificate",
  "pfx": "@{body('Get_Certificate_Secret')['value']}",
  "password": "@{body('Get_Certificate_Password')['value']}"
}

Make sure you use Get Secret, not Get Certificate. The Certificate object returns metadata and won’t work. You must retrieve:

The certificate’s secret, which is the Base64 PFX

The password stored as a separate secret

Once you switch to the secret version of the certificate, the BadRequest error disappears.You’re running into this because Logic Apps can’t use the raw Base64 string from Key Vault as-is. When you pull a certificate from Key Vault, the secret value is the full PFX encoded in Base64. Logic Apps expects a clean Base64 PFX string with the correct password, and the most common failure is either:

The secret is stored as a Key Vault certificate object, not a secret, or

The value includes extra JSON fields instead of being the raw Base64 PFX.

What actually works:

In Key Vault, go to Certificates → your cert → Download in PFX format.

Confirm the certificate also created a secret entry. The secret must contain only the Base64 PFX.

In your Logic App, reference that secret directly:

"authentication"

Make sure you use Get Secret, not Get Certificate. The Certificate object returns metadata and won’t work. You must retrieve:

The certificate’s secret, which is the Base64 PFX

The password stored as a separate secret

Once you switch to the secret version of the certificate, the BadRequest error disappears.

Chris Dent 0 Reputation points

2025-11-28T10:13:36.0266667+00:00

Thanks Adam

for:

"What actually works:

In Key Vault, go to Certificates → your cert → Download in PFX format.

Confirm the certificate also created a secret entry. The secret must contain only the Base64 PFX.

In your Logic App, reference that secret directly:"

HOWEVER,

When I download the Certificate using Download in PFX format., it exports a file, but it does not create a secret entry ? - is there a setting somewhere (like policy) that instructs the download to conduct the "secret" to be created.

Share via

how to extract the PFX data from an Azure keyvault to apply to the authentication setting of a Send Message of a logic app

Options to fix this:

1 answer

Your answer