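# Before execution make sure to have logged in to Azure (Login-AzureRmAccount)
# and selected the correct subscription (Select-AzureRmSubscription)
#
# Uploads a PFX file (together with its password) to a Key Vault secret and
# returns the identifiers a consumer needs to reference it:
#   SourceVault           - resource id of the vault the secret was written to
#   CertificateURL        - id of the secret version that was written
#   CertificateThumbprint - thumbprint of the certificate inside the PFX
#
# Arguments:
#   CertificateName - name of the Key Vault secret to write
#   PfxFile         - path to the PFX file to upload
#   VaultName       - name of an existing Key Vault
# The PFX password is prompted for interactively (never passed on the command line).
Param (
    [Parameter(Mandatory = $true)] [string] $CertificateName,
    [Parameter(Mandatory = $true)] [string] $PfxFile,
    [Parameter(Mandatory = $true)] [string] $VaultName
)

# Abort on the first unhandled error so a partial run is never reported as success.
$ErrorActionPreference = 'Stop'

# --- Locate the vault -------------------------------------------------------
$resourceId = $null
try {
    # -ErrorAction Stop turns a non-terminating "not found" error into an
    # exception so the catch below actually fires; the explicit null check
    # covers the case where the cmdlet returns nothing without raising.
    $existingKeyVault = Get-AzureRmKeyVault -VaultName $VaultName -ErrorAction Stop
    if (-not $existingKeyVault) {
        throw "Get-AzureRmKeyVault returned no vault"
    }
    $resourceId = $existingKeyVault.ResourceId
    Write-Host "Using existing vault $VaultName in $($existingKeyVault.Location)"
} catch {
    # Keep the original cause so the failure is diagnosable.
    throw "Unable to find KeyVault named $VaultName ($($_.Exception.Message))"
}

# --- Read the PFX password --------------------------------------------------
$securePass = Read-Host 'Password: ' -AsSecureString

# The secret payload format below needs the password in clear text, so it has
# to be unwrapped here. The BSTR copy is zeroed and freed as soon as the
# managed string has been taken from it.
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePass)
try {
    $password = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}

# --- Load the certificate ---------------------------------------------------
# Resolve-Path returns a PathInfo object; hand the plain provider path string
# to the .NET APIs instead of relying on implicit ToString() conversion.
$PfxPath = (Resolve-Path $PfxFile).ProviderPath

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $PfxPath, $password
try {
    # Only the thumbprint is needed from the parsed certificate.
    $thumbprint = $cert.Thumbprint
} finally {
    # Reset() releases the underlying certificate context (including any loaded
    # private key) and exists on every .NET Framework version, unlike Dispose().
    $cert.Reset()
}

# --- Build the secret payload -----------------------------------------------
# Envelope: base64 PFX bytes + clear-text password + dataType 'pfx', serialised
# as JSON and then base64-encoded as the secret value. The clear-text password
# inside the payload is part of this format; presumably it is the format the
# consumer of CertificateURL expects - confirm against that consumer.
$bytes = [System.IO.File]::ReadAllBytes($PfxPath)
$base64 = [System.Convert]::ToBase64String($bytes)

$jsonBlob = @{
    data     = $base64
    dataType = 'pfx'
    password = $password
} | ConvertTo-Json

$contentbytes = [System.Text.Encoding]::UTF8.GetBytes($jsonBlob)
$content = [System.Convert]::ToBase64String($contentbytes)
$secretValue = ConvertTo-SecureString -String $content -AsPlainText -Force

# --- Write the secret -------------------------------------------------------
Write-Host "Writing secret to $CertificateName in vault $VaultName"
$secret = Set-AzureKeyVaultSecret -VaultName $VaultName -Name $CertificateName -SecretValue $secretValue -ErrorAction Stop
if (-not $secret) {
    throw "Set-AzureKeyVaultSecret returned no secret for $CertificateName in vault $VaultName"
}

# --- Result -----------------------------------------------------------------
$output = @{}
$output.SourceVault = $resourceId
$output.CertificateURL = $secret.Id
$output.CertificateThumbprint = $thumbprint
return $output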