0
votes

I'm trying to set up Azure Key Vault so I can access it with a certificate from my PHP application. I'm trying to follow the steps at https://azurecto.com/azure-keyvault-authenticating-with-certificates-and-reading-secrets/, which says you have to create an AD application, but I'm getting error messages. This is what I tried.

A. I already have a self-signed .pfx file on my Windows machine.

B. Because I already have a .pfx file, I change up his steps a bit. I import the .pfx file into the console with

$cert = Get-PfxCertificate -FilePath "C:\azurecrt.pfx"

C. Then it says to create some variables

$vaultName = 'Picklistsca1'
$dnsName = 'picklistsfakeurl.ca'
$dummyUrl = "http://$dnsName/"

D. Then it says call New-AzureRmADApplication. This is where I get into trouble.

$app = New-AzureRmADApplication `
    -DisplayName $dummyUrl `
    -HomePage $dummyUrl `
    -IdentifierUris $dummyUrl `
    -CertValue $cert `
    -StartDate '2018-04-07 6:40:23 PM' `
    -EndDate '2019-04-07 6:40:23 PM'

I get the error message "New-AzureRmADApplication : Cannot convert a primitive value to the expected type 'Edm.Binary'. See the inner exception for more details."

I think this is because the $cert has to be in base64 format, but everything I've tried to convert it to base64 fails. For example I've tried

$bytes = [System.IO.File]::ReadAllBytes("C:\azurecrt.pfx")
$b64 = [System.Convert]::ToBase64String($bytes)

Then replace $cert with $b64 in New-AzureRmADApplication. That gives me the error "New-AzureRmADApplication : Invalid certificate: Key value is invalid certificate"

Any advice would be greatly appreciated. Thanks

1
You should not upload the private key! You need only the public key in a .cer file :) – juunas
Azure AD only needs the public key to validate the request. – juunas
And that should be in base64 .pem or the Windows world equivalent of that... .cer or .crt, one of them is the right one :) – evilSnobu

1 Answer

0
votes

I'm trying to set up Azure Key Vault so I can access with a certificate from my PHP application

You could get the answer and demo code from this tutorial. As juunas mentioned, you need a .cer file.

Following is the snippet from the tutorial

$certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$certificate.Import('c:\location\certificate.cer') # need a .cer file.
$startDate = $certificate.GetEffectiveDateString()
$endDate = $certificate.GetExpirationDateString()
$credValue = [System.Convert]::ToBase64String($certificate.GetRawCertData())
$azureADApplication = New-AzureRmADApplication -DisplayName "{application name}" -HomePage "{application page}" -IdentifierUris "{application page}" -KeyValue $credValue -KeyType "AsymmetricX509Cert" -KeyUsage "Verify" -StartDate $startDate -EndDate $endDate

Update:

I have updated the code as follows. I have tested it on my side.

$credValue = [System.Convert]::ToBase64String($certificate.GetRawCertData())
$azureADApplication = New-AzureRmADApplication -DisplayName "{application name}" -HomePage "{application page}" -IdentifierUris "{application page}" -CertValue $credValue  -StartDate $startDate -EndDate $endDate
$azureADApplication.ApplicationId
$principal= New-AzureRmADServicePrincipal -ApplicationId $azureADApplication.ApplicationId

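The asker's second attempt failed because it base64-encoded the whole .pfx (a PKCS#12 blob that also carries the private key), while -CertValue expects the base64 of the DER-encoded public certificate alone. The following is an added example, not code from the question, the answer or the linked tutorial: it starts from the asker's existing .pfx, exports only the public certificate, checks that no private key is in the blob, and then registers the application as the answer does. The file path, the password prompt and the $dummyUrl value are assumptions taken from the question.

```powershell
# Added example: derive -CertValue from an existing .pfx without uploading the private key.
$pfxPath = 'C:\azurecrt.pfx'                                   # path from the question (assumed)
$pfxPass = Read-Host -AsSecureString -Prompt 'PFX password'    # assumed: the PFX is password protected
$dummyUrl = 'http://picklistsfakeurl.ca/'                      # value from the question

# Load the PFX. The object holds the private key in memory (HasPrivateKey = $true),
# but Export(Cert) / GetRawCertData() return only the DER-encoded public certificate.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $pfxPass)
if (-not $cert.HasPrivateKey) {
    Write-Warning 'PFX contains no private key; the PHP client will have nothing to sign with.'
}

$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)

# Guard: re-parse the blob and refuse to continue if it carries a private key.
$publicOnly = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
if ($publicOnly.HasPrivateKey) {
    throw 'Exported blob still contains a private key; refusing to upload it to Azure AD.'
}

# Same value the answer computes with GetRawCertData(): base64 of the DER certificate.
$credValue = [System.Convert]::ToBase64String($der)

# Validity window taken from the certificate itself instead of hand-typed dates.
$startDate = $cert.NotBefore
$endDate   = $cert.NotAfter

$app = New-AzureRmADApplication -DisplayName $dummyUrl -HomePage $dummyUrl -IdentifierUris $dummyUrl `
    -CertValue $credValue -StartDate $startDate -EndDate $endDate
$principal = New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId

# Record what the PHP side must present (thumbprint) and the identity it maps to.
[pscustomobject]@{
    ApplicationId = $app.ApplicationId
    Thumbprint    = $cert.Thumbprint
    NotAfter      = $cert.NotAfter
}
```

The .pfx stays on the client that needs to sign; only the thumbprint and the public certificate ever reach Azure AD, and the Key Vault access policy is then granted to $principal.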