In the Azure App Registrations portal I need to generate a new certificate to let my domain services access the Graph.
I generate a certificate with Powershell like this:
New-SelfSignedCertificate -CertStoreLocation "Cert:\CurrentUser\My"
-Subject "CN=sampleAppCert" -KeySpec KeyExchange
The result looks good, but if I want to export this certificate with the certlm.msc to a file, it does not appear in the list.
If I add -DnsName 'my-domain.com' to the parameter list a certificate appears.
But regarding the Microsoft docs, this value should be left blank.
In general I am pretty confused to understand the different kinds of certificates and what the parameters mean.
If I use the -DnsName attribute - will this generate a SSL/TLS certificate to secure internet domains?
What does CN stand for instead?
Why is the certificate not appearing in the certlm store? How can I export my generated certificate to use it in the Azure Portal when not using the DnsName attribute.
Are there any recommandable resources to get a better understanding of digital certificates? I am very confused about the whole topic and would like to read something. But especially the microsoft docs are confusing me even more. :(
Let me try to answer your queries.
if you will use -DnsName attribute , it will will add SAN ("subject alternative name") to your certificate. you can check the SAN in the details of your certificate.
SAN is basically used to secure multiple domains using single certificate (https://www.geocerts.com/support/ssl-certificate-subject-alternative-names-sans).
Also please note that these are self signed certificates which cannot be used to secure internet domains, for securing internet domains you need certs which are signed by CA like digicerts etc.
CN stands for COMMON NAME , its basically the fully qualified domain name of your website (https://www.entrustdatacard.com/pages/digital-certificate-glossary).
you need to first export your certificate and then import it. you can use Export-PfxCertificate command to export your certificate on disk and then click it to import it.
Start with the basics
https://securitywing.com/digital-certificate-how-works/
https://www.jscape.com/blog/an-overview-of-how-digital-certificates-work
Related
I developed an Azure Function which is timer triggered. For this I created a self-signed certification :
New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname "SP Az Func 3"
$pwd =ConvertT-SecureString -String "**************" -Force -AsPlainText
Export-PfxCertificate -cert cert:\localMachine\my\EB7D9E53BA1DF88AEDE1EA8CA3488CD794E0A9E9 -FilePath "c:\SPAzFunc2.pfx" -Password $pwd
Export-Certificate -cert cert:\localMachine\my\EB7D9E53BA1DF88AEDE1EA8CA3488CD794E0A9E9 -FilePath "c:\SPAzFunc2.crt"
Can I use this self-sign certificate to run our azure function on production? If not, then how we can gain/buy .pfx and .crt from authorized resources and provide a password, as we do in the self-signed certificate?
Thanks
A lot of Azure and non-Azure services require the .pfx to have a password, otherwise it might not work or or it might not even allow upload without a password. For example, all of the Azure services where you can upload a pfx, you always need to provide a password. If you don't have one - it will fail.
How to Configure password for .pfx
1.Right-click on the pfx file and choose Install PFX
2.Choose Local Machine and click Next
3.On the next wizard you don't have to change anything so proceed with Next
4.On the Private key protection wizard leave the password empty and check the "Mark this key as exportable". Click Next.
5.On the Certificate Store wizard just leave it as Automatically select the certificate store and click Next. Finish on the last one. You should get "Import Successful".
6.Now we need to export the certificate but this time with a password. We need to browse the machine's certificate store to initialize this.
[Open Run (Windows+R) and type mmc]
7.On the MMC console, go to File -> Add/Remove Snap-in or Ctrl + M. Select Certificates and click Add in the middle. You will be asked My User/Service or Computer account. Choose Computer and click Next.
8.Leave everything default on the next one (Local computer: (the computer this console is running on)) and click Finish.
9.Click OK on the Console Snap-in
10.Now expand the Certificates (Local Computer) then expand Personal and choose Certificates Find the certificate you just imported and right-click it -> All Tasks -> Export...
11.The Export wizard starts. Click Next on the first window >Then choose Yes, export the private key and click Next.
12.On the Export File Format make sure that everything except "Delete the private key if the export is successful" is checked and that this isn't. Click Next.
13.Here you can choose a password for the pfx file. Make sure to check the Password checkbox and type your desired password. Leave the Encryption as TripleDES-SHA1 > Click Next; Choose where to save the new .pfx file by clicking Browse
14.Click Finish and you should get "The export was successful" message.
That's it. You now have an exported copy of the App Service Certificate in a .pfx format and with a password ready to be used anywhere you want.
The youtube video you mentioned already describes HOW you can use a certificate with Azure Functions. For others, the most important part is also documented as "Use a TLS/SSL certificate in your code in Azure App Service".
So your actual question is "Can I use self-signed certificates for AAD application authentication in production?".
https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-self-signed-certificate
For testing, you can use a self-signed public certificate instead of a Certificate Authority (CA)-signed certificate. In this how-to, you'll use Windows PowerShell to create and export a self-signed certificate.
Self-signed certificates are not trusted by default and they can be difficult to maintain. Also, they may use outdated hash and cipher suites that may not be strong. For better security, purchase a certificate signed by a well-known certificate authority.
It is definitely technically possible to use self-signed certificates in production. It might also be fine for your use case. However, it depends on your level of confidence that the solution is sufficient for your use case (business requirements etc.). Nobody is going to give you a blank recommendation except "when in doubt - buy a certificate".
Anything further and especially "how do I buy a client certificate?" does not belong on StackOverflow. Maybe you could ask this question on ServerFault - or rather use the search function there first.
I have a strange problem when importing a certificate from Azure Key vault to be used in an App Service. As you can see in the images below, it says the certificate is imported successfully but it does not show up as expected.
This have previous worked just fine for other app services and my custom domain matches the wildcard certificate that I am trying to use.
Any ideas what causes this strange behavior?
If you choose to upload or import a private certificate to App Service, your certificate must meet the following requirements:
Exported as a password-protected PFX file, encrypted using triple DES.
Contains private key at least 2048 bits long
Contains all intermediate certificates in the certificate chain
Some certificate authorities provide certificates in different formats, therefore before importing the certificate, make sure that they are either in .pem or .pfx format.
When you are importing the certificate, you need to ensure that the
key is included in the file itself. If you have the private key
separately in a different format, you would need to combine the key
with the certificate.
you can also refer https://www.huuhka.net/app-service-imported-ssl-certificate-from-another-subscription-kv/ if you have any failure messages while importing the key vault certificate
If you are using free managed certificate , you may check its pre-requisites to be fulfilled as free certificates come with few limitations , which can be referred from https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?WT.mc_id=AZ-MVP-5003781#private-certificate-requirements
So, I made a workaround solution by setting an Managed Identity on my App Service giving it correct permissions to the keyvault. And then adding the application and correct permissions in Access policies for the keyvault.
After that the certificate showed up as expected when adding a binding on my App Service.
Seems you got the right solutions and might have encountered this issue due to your logged in user RBAC role.
When ever you use app service certificate it gets stored inside Azure Key vault and to use that key vault certificate/secret you need to have access policies to get the secret and set the secret.
More details at:
https://learn.microsoft.com/en-us/azure/key-vault/general/assign-access-policy-portal#:~:text=Assign%20an%20access%20policy%201%20In%20the%20Azure,the%20Principal%20selection%20pane.%20...%20More%20items...%20
I wanted to ask if I can create App Services managed certificates using powershell command? I tried to find such information, but unfortunately I did not manage to do so, and it would make my job much easier.
Second question - Can I find the certificate without using the thumbprint? After creating the certificate, I would like to assign it to a custom domain with a given name, but I was unable to "search" for the certificate by domain name, just using the exact thumbprint.
Thanks for any info!
There are no direct power shell command let available by you can make a use of ARM template documented here.
coming to second store, thumbprint is the only way to extract certificate either from a given file system or from certificate store.
If you want certificate with domain then you need programming certificate to iterate over each certificate and fetch domain property of X509Certificate class.
I am learning about Azure Key Vault, and one of the scenarios it supports is certificate authentication, which you can read about here.
The samples do a great job of explaining how to make a self-signed certificate for local testing, which I have gotten to work without an issue. My question now is, how do I go about making a certificate for production deployments? Do I purchase this from a service somewhere? If so, what type of certificate do I need, exactly?
Unfortunately, there is no documentation anywhere that I could find in Azure Key Vault that outlines how to make (or what is expected/assumed) in a production-level certificate.
I basically have a few requirements/expectations based on my research/investigation so far:
I would like to use a trusted, external service (CA?) to purchase the certificate from.
The cheaper the certificate the better. :)
I would like to be able to create a certificate with custom data extensions.
In addition to my requirements, I have a specific question in regards to the certificate: What type of certificate do I need? Is this a server authentication certificate? Or a client authentication certificate? Or... ?
I have spent the past hour going through several SSL certificate providers, but none of them really could give me a great answer for the type of certificate I am looking for (when I provided the link to Azure certificate above to them). So, I decided to do what I should have done in the first place, and put my question up here to the esteemed community. :)
Thanks in advance for any assistance.
If you want the cert for SSL you want to get a Server Authentication certificate (it proves that the server, ie your site, is who it claims to be).
You can buy it from any trusted service and upload it to Azure Key Vault. Just google "buy ssl certificate". I think you can get one for as little as $30 if I remember correctly.
You can use Key Vault to enroll for certificate from public CAs such as DigiCert and GlobalSign. Look at the "Enroll programmatically from Public CA" section in https://blogs.technet.microsoft.com/kv/2016/09/26/get-started-with-azure-key-vault-certificates/
You can use the Key Vault REST API to programmatically enroll for certificates -https://learn.microsoft.com/en-us/rest/api/keyvault/createcertificate
The certificate policy allows for some customization like specifying which KeyUsage and EKUs you want in your certificate.
I'm adding support for JWT tokens in my Web Application, and I have an X509 certificate which it needs for signing those tokens.
I have rejected the idea of using the same certificate we use for HTTPs (see Can I use the Private Key Certificate of Web App to sign JWT?).
I think a self signed certificate should do the trick, in fact I can't see any advantages of a web of trust in this scenario (that doesn't mean there aren't any, I just can't think of any).
The web application runs on a farm of web servers. My current plan is to generate a self signed cert and put the X509 certificate into the certificate store in Windows on each machine. Our IT department are checking, but they think they can roll that out to all the Web Servers in the farm using Group Policy. So this seems like a feasible plan.
The certificate store in windows looks pretty confusing to me. I think there are two options:
1) Put it in "My" store for the user under which the IIS App pool run. There are many app pools, so potentially the certificate will be in many stores.
2) Put it under the LocalMachine store, and then grant explicit access to the specific certificate for the IIS user(s).
3) Something else I can't think of.
Is there a "correct" place for these type of certs, and if so where is it?
The usual CertificateStore for signing certificates is the My store. I normally place them in LocalMachine location, but it is probably safer to put them in the certificate store for the Application Pool identity itself.
I would then give the Application Pool read-only access to this certificate only (right click certificate, then 'All Tasks' > 'Manage Private Keys', then add your Application Pool identity and give 'Read' permissions only.