Export/Public/Add-CertificatesToKeyVault.ps1

function Add-CertificatesToKeyVault {
    [CmdletBinding()]
    <#
    .SYNOPSIS
        ...
    .DESCRIPTION
        ...
    #>

    param(
        [Parameter(Mandatory = $true)]
        [string]
        $ResourceGroupName,        
        [Parameter(Mandatory = $true)]
        [string]
        $ResourceLocation,
        [Parameter(Mandatory = $true)]
        $KeyVaultName,
        [Parameter(Mandatory = $true)]
        [Object[]]
        $Certificates
    )
    process {
        function Get-NewSelfSignedCertificate() {
            [CmdletBinding()]
            param
            (
                [Parameter(Mandatory = $true)]
                [string]
                $DnsName,
                [Parameter(Mandatory = $true)]
                [SecureString]
                $CertificatePassword,
                [Parameter(Mandatory = $false)]
                [string]
                $CertificateStoreLocation = "cert:\LocalMachine\My",
                [Parameter(Mandatory = $false)]
                [string]
                $TargetFilename
            )
            Write-Verbose "Generating new self-signed certificate"
            if (-not($TargetFilename)) {
                $TargetFilename = New-TemporaryFile | Rename-Item -NewName { $_ -replace 'tmp$', 'pfx' } -PassThru | Select-Object -ExpandProperty FullName
            }
            Write-Verbose "Target Filename is: $TargetFilename"
            $certificate = New-SelfSignedCertificate -DnsName $DnsName -CertStoreLocation $CertificateStoreLocation -NotAfter (Get-Date).AddYears(5)
            $fileinfo = Get-ChildItem -Path $certificate.PSPath | Export-PfxCertificate -FilePath $TargetFilename -Password $CertificatePassword

            # Remove from local storage
            Get-ChildItem -Path $certificate.PSPath | Remove-Item -Force
            $fileinfo.FullName
            
        }
        function Get-CertificateThumbprint {
            #
            # This will return a certificate thumbprint, null if the file isn't found or throw an exception.
            #
        
            param (
                [parameter(Mandatory = $true)][string] $CertificatePath,
                [parameter(Mandatory = $false)][SecureString] $CertificatePassword
            )
        
            try {
                if (!(Test-Path $CertificatePath)) {
                    return $null;
                }
        
                $certificateObject = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
                $certificateObject.Import($CertificatePath, $CertificatePassword, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet);
        
                return $certificateObject.Thumbprint
            }
            catch [Exception] {
                #
                # Catch accounts already added.
                throw $_;
            }
        }
        $keyVault = Get-AzKeyVault -ResourceGroupName $ResourceGroupName -VaultName $KeyVaultName -ErrorAction SilentlyContinue         
        if (-not($keyVault)) {
            Write-Verbose "KeyVault $KeyVaultName does not exists. Stopping here."
            return
        }
        $generatedCertificatePath = ""
        foreach ($certificate in $Certificates) {
            if (-not($certificate.Path)) {
                if ($generatedCertificatePath) {
                    $certificate.Path = $generatedCertificatePath
                }
            }
            if (-not($certificate.Path)) {
                if (-not($certificate.DnsName)) {
                    throw "You need to set DnsName for certificate-element if you don't provide an existing file."
                }
                $generatedCertificatePath = Get-NewSelfSignedCertificate -DnsName $certificate.DnsName -CertificatePassword (ConvertTo-SecureString -String $certificate.Password -Force -AsPlainText) -Verbose:$Verbose
                $certificate.Path = $generatedCertificatePath
            }            
            if ($generatedCertificatePath) {
                $source = "Temporary Self-Signed Certificate"
            }
            else {
                $source = "Existing Certificate"
            }
            $tags = @{
                "AddedOn"    = "$(get-date -format yyyyMMddhhmmss)"
                "FromSource" = $source
            }
            if (-not($generatedCertificatePath)) {
                $tags += @{"SourceFile" = "$(Split-Path $certificate.Path -Leaf)" }
            }            
            Write-Verbose "Checking if Certificate $($certificate.Type) already exists in KeyVault..."
            $vaultCert = Get-AzKeyVaultCertificate -VaultName $KeyVaultName -Name $certificate.Type -ErrorAction SilentlyContinue
            if ($vaultCert) {
                if ($vaultCert.Thumbprint -ne (Get-CertificateThumbprint -CertificatePath $certificate.Path -CertificatePassword (ConvertTo-SecureString -String $certificate.Password -Force -AsPlainText))) {
                    Write-Verbose "Updating Certificate $($certificate.Type) and password in KeyVault..."
                    Import-AzKeyVaultCertificate -VaultName $KeyVaultName -Name $certificate.Type -FilePath $certificate.Path -Password (ConvertTo-SecureString -String $certificate.Password -AsPlainText -Force) -Tag $tags | Out-Null
                    Set-AzKeyVaultSecret -VaultName $KeyVaultName -Name "$($certificate.Type)-CertPassword" -SecretValue (ConvertTo-SecureString -String $certificate.Password -AsPlainText -Force) | Out-Null
                }
                else {
                    Write-Verbose "Certificate $($certificate.Type) already exists in KeyVault..."
                }
            }
            else {                
                Write-Verbose "Adding Certificate $($certificate.Type) and password to KeyVault..."
                Import-AzKeyVaultCertificate -VaultName $KeyVaultName -Name $certificate.Type -FilePath $certificate.Path -Password (ConvertTo-SecureString -String $certificate.Password -AsPlainText -Force)  -Tag $tags | Out-Null
                Set-AzKeyVaultSecret -VaultName $KeyVaultName -Name "$($certificate.Type)-CertPassword" -SecretValue (ConvertTo-SecureString -String $certificate.Password -AsPlainText -Force) | Out-Null
            }
        }
    }
}