How can i create a new certificate for my service principal in azure with powershell?
Have you referred to the online documentation already? This gives a step by step process using powershell.
This is creating a self signed certificate but for production, you should get one which is signed by a Certificate Authority(CA) LINK.
Related
I need to download a certificate from azure vault. When I use this method, CertificateClient.DownloadCertificateAsync local it works. However, when a publish to Azure I get this message Unhandled exception. System.Exception: Creating JWT bearer token failed.
System.Security.Cryptography.CryptographicException: The system cannot find the file specified. Is the problem I don't have access to key vault or I cant "download" the certification the file system/environment. I want to say it is the file system because it runs on my local machine. Any suggestions on how to troubleshoot?
The error message indicates that you may have a problem with accessing your Azure Key Vault and/or downloading the certificate.
To troubleshoot the error, you can check the below steps:
Verify that the Certificate is not Expired.
Check whether you have the proper permissions to access the Azure Key Vault and download the certificate.
Ensure that the certificate exists in your Azure Key Vault and that the name and version are correct.
Also check that you have the correct connection details for your Azure Key Vault, including the correct URL, subscription ID, and tenant ID.
Check the network connection to your Azure Key Vault to make sure that it is accessible.
Try accessing the Azure Key Vault using the Azure CLI or Azure portal to see if the issue is with your code or with the Azure Key Vault.
If you continue to experience issues, you may want to look at the logs or event viewer to see if they provide any additional information.
C# Code to Download the Azure KeyVault Certificate
ClientSecretCredential clientCredential = new ClientSecretCredential(tenantId, clientId, clientSecret);
var secretClient = new SecretClient(new Uri(keyVaultAddress), clientCredential);
var response = await secretClient.GetSecretAsync(certificateName);
var keyVaultSecret = response?.Value;
if (keyVaultSecret != null)
{
var privateKeyBytes = Convert.FromBase64String(keyVaultSecret.Value);
return new X509Certificate2(privateKeyBytes);
}
return null;
Azure CLI Command to download Key Vault Certificate.
az keyvault certificate download --vault-name YourKeyVaultName -n cert-name -e `DER/PEM`
Steps to publish a console program as a web job in Azure :
Package your console program as a deployment package, this is usually a ZIP file that contains the compiled executable and all its dependencies.
Create a web job in Azure App Service using Azure portal or using the Azure CLI /Powershell.
When you create the web job, you have to specify the type of web job - continuous or triggered, the deployment package, and any configuration settings.
Start the web job using Azure portal, the Azure CLI, or Azure Powershell. You can also configure the web job to start automatically when the App Service starts.
References taken from DownloadCertificateAsync Method and az keyvault certificate
I have created an Azure App Service Certificate - Wildcard and have linked it to an Azure Key Vault, also done with Domain Verification. Now I want to export this certificate as PFX and use in other components.
However, If I go to the Key Vault secret it shows up as blank.
I have tried running powershell scripts to export/download the cert but doesn't work.
The powershell script to export the cert from Key Vault is taken from https://azure.github.io/AppService/2017/02/24/Creating-a-local-PFX-copy-of-App-Service-Certificate.html
As this used the retired AzureRM module, I found a more up to date code which uses Azure Powershell scripts # https://raw.githubusercontent.com/Anitalex/poshscripts/a7e6c8153ab9f9979792eb8c07497cd42e39778d/azure/ExportWebAppCertificate.ps1
But similar set of steps..
I have tried Re-Keying the certificate in the App Service Certificate and the problem persists ?
Argh...
Here is the solution which doesn't seem to be documented anywhere..
I don't know if it's the only way, but looks like it - We have to
Create an Azure WebApp ( or an AppService)
Turn on TLS/SSL
Set an Identity - either System Assigned/User Assigned
Grant this Identity required permission to the KeyVault [ won't work with the Azure role-based access control (preview) ]
Go to the tab "Private Key Certificates (.pfx)"
Use the "Import App Service Certificate" - you will need to select your cert from the dropdowns.
Once the certificate is successfully imported, the pfx will be populated in the Key Vault certificate and now you can download.
I am trying to import a certificate from a Key Vault to an App Service to configure SSL in the Azure Government Cloud. When I do this I get an error stating:
Failed to get App Service Service principal details.
I am getting a similar error when I try to do this through an ARM template which it what caused me to try this manually. I have tried giving my App Service a managed identity and giving that identity access to the key vault. I have tried a technique that worked in the regular Azure Cloud of giving "Microsoft Azure App Service" account permission to the key vault but that doesn't seem to exist in the Government Cloud.
I would have expected this to simply work and allow me to configure my SSL correctly on the app service so I don't need to manage the certificates individually on every app service.
You have to enable in the Identity of your app services that can be assigned through the azure permissions, then you have to go to the KeyVault and grant the permissions to the App Services.
https://learn.microsoft.com/en-us/azure/app-service/media/app-service-managed-service-identity/msi-blade-system.png
More information:
https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity
https://learn.microsoft.com/es-es/azure/key-vault/tutorial-net-create-vault-azure-web-app
https://azure.microsoft.com/en-us/resources/samples/app-service-msi-keyvault-dotnet/
I eventually found the solution to the issue.
Following the directions found here:
https://github.com/Azure/azure-quickstart-templates/tree/master/201-web-app-certificate-from-key-vault
I tried to authorize the 'Microsoft.Azure.WebSites' Resource Provider as described in the link, but that GUID doesn't exist in the Government Cloud.
This link however does give you the equivalent GUID for the Government Cloud:
https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/azure-government/documentation-government-services-webandmobile.md#app-services
After using the script from the first link with the GUID value from the second link I was able to get both deployments and manual SSL added.
In Azure Key Vault Certificate will be auto renewed nearer to expiry date.
would like to know how can renewed certificate be uploaded to App-Service/ Azure Functions.
Is there a hook available on KeyVault to listen for Certificate successful recreation. so Thumbprint and renewed certificate will be updated to App Service.
No, there is no such hook. You can use azure powershell\cli\rest api\whatever to retrieve the certificate and push it to the app service. You can configure Azure Function\Runbook to do that on a schedule, so you dont have to worry about it.
Rest Api: https://learn.microsoft.com/en-us/rest/api/appservice/certificates/createorupdate
Powershell: https://learn.microsoft.com/en-us/azure/app-service/scripts/powershell-configure-ssl-certificate
Azure Cli: https://learn.microsoft.com/en-us/azure/app-service/scripts/cli-configure-ssl-certificate
I am following directions here for learning the AzureKeyVault config settings
Key Vault Configuration Provider sample application (ASP.NET Core 2.x)
This sample illustrates the use of the Azure Key Vault Configuration
Provider for ASP.NET Core 2.x. For the ASP.NET Core 1.x sample, see
Key Vault Configuration Provider sample application (ASP.NET Core
1.x).
For more information on how the sample works, see the Azure Key Vault
configuration provider topic.
Using the sample
Create a key vault and set up Azure Active Directory (Azure AD) for the application following the guidance in Get started with Azure Key
Vault.
Add secrets to the key vault using the AzureRM Key Vault PowerShell Module available from the
PowerShell
Gallery,
the Azure Key Vault REST API, or the Azure
Portal. Secrets are created as either
Manual or Certificate secrets. Certificate secrets are certificates for use by apps and services but are not supported by the
configuration provider. You should use the Manual option to create
name-value pair secrets for use with the configuration provider.
Simple secrets are created as name-value pairs. Azure Key Vault secret names are limited to alphanumeric characters and dashes.
Hierarchical values (configuration sections) use -- (two dashes) as a separator in the sample. Colons, which are normally used
to delimit a section from a subkey in ASP.NET Core
configuration, aren't allowed
in secret names. Therefore, two dashes are used and swapped for a
colon when the secrets are loaded into the app's configuration.
Create two Manual secrets with the following name-value pairs. The first secret is a simple name and value, and the second
secret creates a secret value with a section and subkey in the secret
name:
SecretName: secret_value_1
Section--SecretName: secret_value_2
Register the sample app with Azure Active Directory.
Authorize the app to
access the key vault. When you use the
Set-AzureRmKeyVaultAccessPolicy PowerShell cmdlet to authorize the
app to access the key vault, provide List and Get access to
secrets with -PermissionsToSecrets list,get.
Update the app's appsettings.json file with the values of Vault, ClientId, and ClientSecret.
Run the sample app, which obtains its configuration values from IConfigurationRoot with the same name as the secret name. *
Non-hierarchical values: The value for SecretName is obtained with
config["SecretName"]. * Hierarchical values (sections): Use :
(colon) notation or the GetSection extension method. Use either of
these approaches to obtain the configuration value:
config["Section:SecretName"]
config.GetSection("Section")["SecretName"]
Okay so I have copied the name of my application into Azure Active Directory as an 'Enterprise Application'. And I have added 'Access policies' for 'get' and 'list' in Azure for my ADD object I just created. Yet I get this error in the program when attempting to start the application:
Exception: {"error":"unauthorized_client","error_description":"AADSTS70001:
Application with identifier '(guid)' was not found in the directory ...(continues)
Update 8-4-18
Okay I found out that Azure uses the 'ClientId' and 'ClientSecret' in the local appsettings.json to connect to what Azure registers in this tutorial: https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal#log-in-as-the-application
I get the clientId in appsettings.json from the applicationId on ADD I create with ADD>App Registrations>New
I click settings in ADD on the app I just created and create a key with an expiration to store as ClientSecret in appsettings.json.
I change my 'Vault' in appsettings to my named vault.
I run the powershell above to give access or else do it in ADD.
So now I am getting a simpler error:
'Microsoft.Azure.KeyVault.Models.KeyVaultErrorException: 'Access denied''
I have tried running as Administrator in Visual Studio. I went under Subscriptions in Azure>Access Control>(IAM)>set my new apps to Reader.
So the reason your powershell is failing is because you are trying to assign a User Principal - a user - when actually you want a Service Principal.
I can’t see your C# to support more there than saying when you use the SDK to log in as the Service Principal you use the application id of the Application/Service Principal (its the same id).
The service principal acts like a user in the local directory but you log in as the application.
Edit:
I looked at the example you posted and ran it myself and had very similar problems. However I have got it working. Here's the steps:
Creating the Application
Create the Registered Application. I do this through the Azure Portal so
a Service Principal is created automatically. Make a note of the ApplicationId.
Generate a key credential on the created application and make a note of it.
In the Application click on the link to the Managed app in local directory. This is the Service Principal, make a note of the ObjectId
Creating the Key Vault
Create KeyVault - I used PowerShell to do this. New-AzureRmKeyVault
Apply the Service Principal to the Key Vault.
Set-AzureRmKeyVaultAccessPolicy -VaultName <vault> -ResourceGroupName <ResourceGroupName> -ObjectId <Object Id of the Created Service Principal> -PermissionsToSecrets Get,List
Running the Sample App
In your application settings follow this format:
{
"Vault": <the name of your vault>,
"ClientId": <ApplicationId of the Registered Application>,
"ClientSecret": <Credential generated from the Registered Application>
}
This worked for me and allowed me to run the sample and retrieve the secrets from the vault.
The ultimate problem for me became that running 'Set-AzureRmKeyVaultAccessPolicy' was not needed and for whatever reason it was easier to just ignore it and follow this subsection: https://azure.microsoft.com/documentation/articles/key-vault-get-started/#authorize
I kept trying to set up Object Id and Keys and really I had just overlooked a section mentioning a 'ServerPrincipalName'
They set one commandlet for keys
Set-AzureRmKeyVaultAccessPolicy -VaultName '<vaultName>' -ServicePrincipalName <ApplicationIdGuid> -PermissionsToKeys decrypt,sign
They set one commandlet for secrets
Set-AzureRmKeyVaultAccessPolicy -VaultName '<vaultName>' -ServicePrincipalName <ApplicationIdGuid> -PermissionsToSecrets Get, List
But I decided to follow the immediate proceeding section on doing it all in the Portal. The key take away for me was that the instructions were not wrong. Just vague when it says: "Register a sample app" then "Authorize the App". Really they should be saying
Register a sample app (https://learn.microsoft.com/en-us/azure/key-vault/key-vault-get-started#register)
Authorize the app with Key Vault (https://azure.microsoft.com/documentation/articles/key-vault-get-started/#authorize)
Ultimately all the information is there it was just confusing if you happen to already have a vault and an application and don't understand the prerequisite is that really you need to have a 1. A Vault, 2. An ADD Web Application, 3. Associate permissions for 2 in 1.