1
votes

I have the following issue:

I'm trying to connect to Azure Vault using a certificate credential.

When trying to read a secret, I get AuthenticationFailedException with an internal NullReferenceException.

For brevity I'm only including the stack trace for the NullReferenceException:

This exception was originally thrown at this call stack:
    Azure.Identity.AadIdentityClient.CreateClientAssertionJWT(string, string, System.Security.Cryptography.X509Certificates.X509Certificate2)
    Azure.Identity.AadIdentityClient.CreateClientCertificateAuthRequest(string, string, System.Security.Cryptography.X509Certificates.X509Certificate2, string[])
    Azure.Identity.AadIdentityClient.Authenticate(string, string, System.Security.Cryptography.X509Certificates.X509Certificate2, string[], System.Threading.CancellationToken)
    Azure.Identity.ClientCertificateCredential.GetToken(Azure.Core.TokenRequestContext, System.Threading.CancellationToken)

The code:

            string keyVaultUrl = "https://somevault.vault.azure.net/";
            var clientId = "<Application (client) ID>";
            var tenantId = "<Directory (tenant) ID>";
            X509Certificate2 clientCertificate = new X509Certificate2(@"someCerFile.cer");
            ClientCertificateCredential certificateCreadential = new ClientCertificateCredential(tenantId, clientId, clientCertificate);
            var client = new SecretClient(new Uri(keyVaultUrl), certificateCreadential);
            var secret = client.GetSecret("Password"); //This line throws the exception

Vault configuration is done according to the steps outlined here:

https://docs.microsoft.com/en-us/azure/key-vault/general/authentication

Any ideas?

1
Is the PrivateKey is hydrated? X509Certificate2 clientCertificate = new X509Certificate2(@"someCerFile.cer"); if (null == clientCertificate) { throw new ArithmeticException("clientCertificate is null"); } { if (null == clientCertificate.PrivateKey) { throw new ArithmeticException("PrivateKey is null"); } } - granadaCoder
Ultimately, I would put try/catch around each object creation (skip the basic strings of course).....and then verify each "piece"...one by one.....to help find the culprit. then I'd look through the source : github.com/hidayath-ispace/azure-sdk-for-net/blob/… - granadaCoder

1 Answers

2
votes

Unfortunately the exception is not very helpful. However, I believe the issue here is you need to give a X509Certificate2 has the private key so the ClientCertificateCredential can sign the client assertion. The .cer file is only the public portion of the certificate. You will need to supply a .pfx file which contains both the certificate and the private key as well.