
I was trying to create an application in Azure AD with Azure PowerShell certificate authentication; below is the PowerShell snippet:

# $certPath, $CertPassword, $ApplicationName, $URL, $startDate, $endDate, $VaultName and
# $ResourceGroupName are assumed to be set earlier in the script.
Login-AzureRmAccount

$certPassword = ConvertTo-SecureString $CertPassword -AsPlainText -Force

# Load the .pfx (public certificate plus private key)
$x509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certPath, $certPassword

# Base64 of the DER-encoded public certificate; this becomes "value" in keyCredentials
$credValue = [System.Convert]::ToBase64String($x509.GetRawCertData())

$adapp = New-AzureRmADApplication -DisplayName $ApplicationName -HomePage $URL -IdentifierUris $URL -CertValue $credValue -StartDate $startDate -EndDate $endDate

$sp = New-AzureRmADServicePrincipal -ApplicationId $adapp.ApplicationId

# Grant the service principal access to the vault. The application ID is used directly instead of
# $sp.ServicePrincipalNames[1], which depended on element ordering; the parameter dash before
# PermissionsToSecrets must be an ASCII hyphen, not an en dash. Narrow "all" to what the app needs.
Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName -ServicePrincipalName $adapp.ApplicationId -PermissionsToKeys all -PermissionsToSecrets all -ResourceGroupName $ResourceGroupName

The Azure AD application was created successfully; however, for an Azure AD application with certificate authentication, the customKeyIdentifier and value in keyCredentials are null after creation. This is the relevant portion of my application's manifest, downloaded from the Azure portal:

"keyCredentials": [
  {
    "customKeyIdentifier": null,
    "endDate": "2018-01-25T11:55:35.7680698Z",
    "keyId": "ca1e536c-2220-478b-af73-1198d125bb5f",
    "startDate": "2017-01-25T11:55:35.7680698Z",
    "type": "AsymmetricX509Cert",
    "usage": "Verify",
    "value": null
  }
]

The certificate is a self-signed certificate generated locally with the makecert command. I am using PowerShell version 2.0.1.

C# code to retrieve the token with the application ID and thumbprint:

using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// AssertionCert is assumed to be a ClientAssertionCertificate built elsewhere from the
// application ID and an X509Certificate2 that carries the private key.
public static ClientAssertionCertificate AssertionCert;

public static async Task<string> GetAccessToken(string authority, string resource, string scope)
{
    var context = new AuthenticationContext(authority, TokenCache.DefaultShared);
    // Signs a client assertion with the certificate's private key and exchanges it for a token
    var result = await context.AcquireTokenAsync(resource, AssertionCert);
    return result.AccessToken;
}

This code errors out at `var result` with "Keyset does not exist".

Is there any way to resolve this issue?

Thank you :)

1 Answer

Did you look at the answer here?

Create a Application in Azure AD with Azure PowerShell Certificate authentication

In the comments he mentions that CustomKeyIdentifier being null does not matter for authentication.

Did you try authenticating regardless of the null value?

EDIT: If you want to generate a thumbprint for a public certificate you own, you can do so using the following PowerShell cmdlets:

# Load the public certificate (.cer) and compute its SHA-1 hash, the value Azure AD
# expects in customKeyIdentifier, encoded as base64
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cer.Import("mycer.cer")
$bin = $cer.GetCertHash()
$base64Thumbprint = [System.Convert]::ToBase64String($bin)

I hope this helps.
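The check a practitioner would want before filing the manifest away, as an added example that is neither the asker's nor the answerer's code: compute customKeyIdentifier and value exactly as Azure AD stores them, confirm they agree with the hex Thumbprint property, and probe the private key the way a client-certificate sign operation does, which is where "Keyset does not exist" surfaces. $PfxPath and $PfxPassword are assumed placeholders for the .pfx used with New-AzureRmADApplication.

```powershell
function Get-KeyCredentialInfo {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )
    # customKeyIdentifier as Azure AD stores it: base64 of the SHA-1 certificate hash
    $hashBytes = $Certificate.GetCertHash()
    $customKeyIdentifier = [Convert]::ToBase64String($hashBytes)

    # "value" in the manifest: base64 of the DER-encoded public certificate (what -CertValue takes)
    $value = [Convert]::ToBase64String($Certificate.GetRawCertData())

    # The hex Thumbprint property is the same hash, so both encodings must agree
    $hexBytes = for ($i = 0; $i -lt $Certificate.Thumbprint.Length; $i += 2) {
        [Convert]::ToByte($Certificate.Thumbprint.Substring($i, 2), 16)
    }
    $consistent = ([Convert]::ToBase64String([byte[]]$hexBytes) -eq $customKeyIdentifier)

    # HasPrivateKey only says the certificate references a key container. Actually opening the
    # key is what a client-assertion signature needs, and it is what throws "Keyset does not exist"
    # when the container is missing or not readable by the account running the code.
    $privateKeyUsable = $false
    $privateKeyError = $null
    if ($Certificate.HasPrivateKey) {
        try {
            $null = $Certificate.PrivateKey
            $privateKeyUsable = $true
        } catch {
            $privateKeyError = $_.Exception.Message
        }
    }

    [pscustomobject]@{
        CustomKeyIdentifier = $customKeyIdentifier
        Value               = $value
        ThumbprintHex       = $Certificate.Thumbprint
        FormsConsistent     = $consistent
        HasPrivateKey       = $Certificate.HasPrivateKey
        PrivateKeyUsable    = $privateKeyUsable
        PrivateKeyError     = $privateKeyError
    }
}

# Usage: load the same .pfx that was registered and compare against the keyCredentials entry
$pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $PfxPath, $PfxPassword
Get-KeyCredentialInfo -Certificate $pfx | Format-List
```

If PrivateKeyUsable is false while HasPrivateKey is true, the problem is key-container access for the account running the console app (for example a cert imported under a different user or without the private key), not the null customKeyIdentifier.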


5 Comments

So your issue is about the value being null rather than your application not working?
I have written the same code as mentioned above as per the PowerShell version (2.0.1). The cmdlets have changed for creating a new Azure AD application in this version. But authenticating the AD application with a certificate to retrieve a Key Vault secret doesn't work... Hence, I was looking at the manifest file, where I found "customKeyIdentifier": null. How do I get this value? Or are there any PowerShell commands to create an AD application with a certificate and get this CustomKeyIdentifier value?
To my knowledge, the CustomKeyIdentifier is not a strictly defined property. It is supposed to represent the thumbprint of the public certificate which is uploaded into that key credential, but its value is not set automatically by AAD, so a user could POST anything that matches the size of an X.509 thumbprint. I will include a code sample on how to generate this yourself in my post above.
Thanks for your prompt reply Shawn. Basically I want to authenticate an AD application with a certificate to retrieve a Key Vault secret. Particularly in this PowerShell version the cmdlets have changed... and the code for creating an AD application with a certificate using PowerShell works fine... But at the C# level, when I try to retrieve the Key Vault secret by passing the ApplicationID and thumbprint, it errors out saying "Keyset does not exist"... My console app can retrieve the certificate thumbprint, but still could not authenticate the application with the certificate... So while searching for the error..
learn.microsoft.com/en-us/azure/key-vault/… I am referring to this documentation link.
