使用 KeyVault 和 Azure PowerShell 证书身份验证创建 Azure AD 应用程序

Question

I was trying to Create a Application in Azure AD with Azure PowerShell Certificate authentication, below is the Powershell snippet:

Login-AzureRmAccount

$certPassword = ConvertTo-SecureString $CertPassword -AsPlainText -Force

$x509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList     $certPath,$certPassword

$credValue = [System.Convert]::ToBase64String($x509.GetRawCertData())

$adapp = New-AzureRmADApplication -DisplayName $ApplicationName -HomePage $URL -IdentifierUris $URL -CertValue $credValue -StartDate $startDate -EndDate $endDate     

$sp = New-AzureRmADServicePrincipal -ApplicationId $adapp.ApplicationId

Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName  -ServicePrincipalName $sp.ServicePrincipalNames[1] -PermissionsToKeys all –PermissionsToSecrets all -ResourceGroupName $ResourceGroupName

The Azure AD application was created successfully, however for Azure AD application with Certificate Authentication, the customKeyIdentifier and value of in the keyCredentials is null after creation, this is the portion of manifest of my application I downloaded from Azure portal:

"keyCredentials": [{
      "customKeyIdentifier": null,
      "endDate": "2018-01-25T11:55:35.7680698Z",
      "keyId": "ca1e536c-2220-478b-af73-1198d125bb5f",
      "startDate": "2017-01-25T11:55:35.7680698Z",
      "type": "AsymmetricX509Cert",
      "usage": "Verify",
      "value": null
    } ]

The certificate is a self signed certificate created using makecert command generated locally. I am using Powershell Version of 2.0.1

C# Code to retrieve the token with Application Id & Thumbprint

public static async Task GetAccessToken(string authority, string resource, string scope) { var context = new AuthenticationContext(authority, TokenCache.DefaultShared); var result = await context.AcquireTokenAsync(resource, AssertionCert); return result.AccessToken; }

This Code errors out at var result with "Keyset does not exists"

Is there any way to resolve this issue?

Thank you :)

Answer 1

Did you look at the answer here?

Create a Application in Azure AD with Azure PowerShell Certificate authentication

In the comments he mentions that CustomKeyIdentifier being null does not matter for authentication.

Did you try authenticating regardless of the null value?\\

EDIT: If you want to generate a thumbprint for a public certificate you own, you can do so using the following powershell cmdlets:

$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cer.Import(“mycer.cer”)
$bin = $cer.GetCertHash()
$base64Thumbprint = [System.Convert]::ToBase64String($bin)

I hope this helps.