Why am I getting “Key credential start date is invalid.” trying to create a Active Directory Service Principal

5
votes

I've been trying to consolidate a bunch of operations around creating and refreshing AD Service Principals and Applications. The flow I'm having trouble with is:

  1. Get a cert out of Azure Key Vault
  2. Create a Service Principal (and Application) using the cert for authentication.
PS > Get-AzureKeyVaultCertificate -VaultName certs -Name CertName

Name        : CertName
Certificate : [Subject]
                CN=certName.foo.com

              [Issuer]
                CN=certName.foo.com

              [Serial Number]
                xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

              [Not Before]
                6/2/2017 5:41:26 PM

              [Not After]
                6/2/2018 5:51:26 PM

              [Thumbprint]
                XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Id          : https://certs.vault.azure.net:443/certificates/certname/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
KeyId       : https://certs.vault.azure.net:443/keys/certname/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
SecretId    : https://certs.vault.azure.net:443/secrets/certname/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Thumbprint  : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Tags        : {[Thumbprint, XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX]}
Enabled     : True
Created     : 6/3/2017 2:11:31 AM
Updated     : 6/3/2017 2:11:31 AM

PS > New-AzureRmADServicePrincipal -DisplayName "Cert access" -CertValue $([System.Convert]::ToBase64String($cert.Certificate.GetRawCertData())) -StartDate $cert.Certificate.GetEffectiveDateString() -EndDate $cert.Certificate.GetExpirationDateString()

New-AzureRmADServicePrincipal : Key credential start date is invalid.
At line:1 char:1
+ New-AzureRmADServicePrincipal -DisplayName "Cert access" - ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [New-AzureRmADServicePrincipal], Exception
    + FullyQualifiedErrorId : Request_BadRequest,Microsoft.Azure.Commands.ActiveDirectory.NewAzureADServicePrincipalCommand

Why do I get Key credential start date is invalid?

1
powershellazureactive-directory

1 Answers

3
votes

According to your error log, it seems that time format is wrong. I suggest you could use [System.DateTime]::Now to set time. I test in my lab, I don't meet your error log, the following script works for me. I suggest you could test.

##import certificate to key valut
$Password = ConvertTo-SecureString -String "*******" -AsPlainText -Force
Import-AzureKeyVaultCertificate -VaultName "shuikey" -Name "ImportCert01" -FilePath "C:\shui.pfx" -Password $Password
##set start time and expire time
$now = [System.DateTime]::Now
$yearfromnow = $now.AddYears(1)
##Get certificate from key vault
$cert=Get-AzureKeyVaultCertificate -VaultName certs -Name CertName

New-AzureRmADServicePrincipal -DisplayName "Cert access" -CertValue $([System.Convert]::ToBase64String($cert.Certificate.GetRawCertData())) -StartDate $now -EndDate $yearfromnow

enter image description here