
Cannot update KeyCredential 'Value' in Azure application manifest

When trying to update the manifest file of my Azure AD application, I receive the following error (see screenshot):

"Failed to save manifest. Error details: KeyValueMustBeNull"

I am attempting to update the 'Value' attribute of the keyCredentials in the manifest, but it will not allow me to do so. It will let me upload a manifest with the Value set, but then it wipes it out and resets it back to null. I have duplicated this problem on both the new Azure Portal and old management portal.

How can I fix it?

While the instructions you linked above look similar to this, I would try following these instructions, as they have worked for me in the past when trying to add certificates to my application.

Note that this uses the old Azure Management Portal versus the new Azure Portal which it looks like you are using.

Step 0: (If you do not have an X.509 certificate already) Create a self-issued certificate

You can easily generate a self-issued certificate with the makecert.exe tool.

  1. From the command line, run: makecert -r -pe -n "CN=MyCompanyName MyAppName Cert" -b 12/15/2014 -e 12/15/2016 -ss my -len 2048

  2. Open the Certificates MMC snap-in and connect to your user account. Find the new certificate in the Personal folder and export it to a base64-encoded CER file.

Note: Make sure the key length is at least 2048 when generating the X.509 certificate. Shorter key lengths are not accepted as valid keys.

Step 1: Get the base64 encoded cert value and thumbprint from a .cer X509 public cert file using PowerShell

Note: The instructions below show using Windows PowerShell to get properties of an X.509 certificate. Other platforms provide similar tools to retrieve properties of certificates.

 # Load the public certificate from the .cer file
 $cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
 $cer.Import("mycer.cer")
 # Base64 of the raw certificate bytes: the "value" field
 $bin = $cer.GetRawCertData()
 $base64Value = [System.Convert]::ToBase64String($bin)
 # Base64 of the certificate hash (thumbprint): the "customKeyIdentifier" field
 $bin = $cer.GetCertHash()
 $base64Thumbprint = [System.Convert]::ToBase64String($bin)
 # New GUID: the "keyId" field
 $keyid = [System.Guid]::NewGuid().ToString()

Store the values for $base64Thumbprint, $base64Value and $keyid, to be used in the next step.

Step 2: Upload cert through the manifest file

  1. Log in to the Azure Management Portal ( https://manage.windowsazure.com )

  2. Go to the AAD snap-in and there navigate to the application that you want to configure with an X.509 certificate

  3. Download the application manifest file through the Azure Management Portal

  4. Replace the empty "KeyCredentials": [], property with the following JSON. NOTE: The KeyCredentials complex type is documented here: http://msdn.microsoft.com/en-us/library/azure/dn151681.aspx

     "keyCredentials": [
       {
         "customKeyIdentifier": "$base64Thumbprint_from_above",
         "keyId": "$keyid_from_above",
         "type": "AsymmetricX509Cert",
         "usage": "Verify",
         "value": "$base64Value_from_above"
       }
     ],

    E.g.

     "keyCredentials": [
       {
         "customKeyIdentifier": "ieF43L8nkyw/PEHjWvj+PkWebXk=",
         "keyId": "2d6d849e-3e9e-46cd-b5ed-0f9e30d078cc",
         "type": "AsymmetricX509Cert",
         "usage": "Verify",
         "value": "MIICWjCCAgSgAwIBA***omitted for brevity***qoD4dmgJqZmXDfFyQ"
       }
     ],

  5. Save the change to the application manifest file.

  6. Upload the edited application manifest file through the Azure Management Portal.

  7. Optional: Download the manifest again, and see your X.509 cert is present on the application.

Let me know if you are still getting the same error after these steps.
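
The values from Step 1 and the JSON from Step 2 can be produced by one script; this is an added example, not part of the original answer. The function name New-ManifestKeyCredential and the path .\mycer.cer are assumptions, and the key-length check assumes an RSA certificate such as the one makecert produces.

```powershell
# Added example: builds one keyCredentials entry from a public .cer file.
# New-ManifestKeyCredential is a hypothetical helper name, not an Azure cmdlet.
function New-ManifestKeyCredential {
    param(
        [Parameter(Mandatory)] [string] $CerPath
    )

    # .NET resolves relative paths against the process directory, not the
    # current PowerShell location, so resolve to a full path first.
    $full = (Resolve-Path -LiteralPath $CerPath).Path
    $cer  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full

    # Step 0 note: keys shorter than 2048 bits are not accepted.
    $keySize = $cer.PublicKey.Key.KeySize
    if ($keySize -lt 2048) {
        throw "Key length is $keySize bits; at least 2048 is required."
    }

    # Catch an expired or not-yet-valid certificate before editing the manifest.
    $now = Get-Date
    if ($now -lt $cer.NotBefore -or $now -gt $cer.NotAfter) {
        throw "Certificate is outside its validity period ($($cer.NotBefore) to $($cer.NotAfter))."
    }

    # Same fields as Step 2: thumbprint, fresh GUID, raw certificate bytes.
    [ordered]@{
        customKeyIdentifier = [System.Convert]::ToBase64String($cer.GetCertHash())
        keyId               = [System.Guid]::NewGuid().ToString()
        type                = 'AsymmetricX509Cert'
        usage               = 'Verify'
        value               = [System.Convert]::ToBase64String($cer.GetRawCertData())
    }
}

# Assumed path; point this at the .cer file exported in Step 0.
$entry = New-ManifestKeyCredential -CerPath '.\mycer.cer'

# Emits { "keyCredentials": [ { ... } ] }; copy the property into the manifest.
@{ keyCredentials = @($entry) } | ConvertTo-Json -Depth 3
```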

I ran into this and the fix was that I was trying to update the customKeyIdentifier. Apparently Azure doesn't like this because the key they have saved doesn't match.

I just copied the keyCredentials out and saved the manifest with the keyCredentials blank and then put the values back in, making sure to change the GUID in the keyID field.

You could probably just change the GUID though.

I used PowerShell to upload the certificate details. It worked for me. Open a PowerShell window and try the following commands.

Install-Module AzureAD
Connect-AzureAD

The last command will ask for credentials.

$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate
$cer.Import("Yourcertpath\cername.cer")
$binCert = $cer.GetRawCertData()
$credValue = [System.Convert]::ToBase64String($binCert)
New-AzureADApplicationKeyCredential -ObjectId 46xxx45e-xxxx-xxx-xxxx-xxxxxxxxxxx -Type AsymmetricX509Cert -Value $credValue -Usage Verify

Remember to replace the object id with the object id of your AD application.
