I'm using the following npm to try and create a cloud service using NodeJS.
https://www.npmjs.com/package/azure-mgmt-compute
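This is the code I'm using:
// Imports the snippet relies on
var fs = require('fs');
var computeManagement = require('azure-mgmt-compute');
// PEM file that must hold both the management certificate and its private key
var file = __dirname + '/azure-cert.pem';
var computeManagementClient = computeManagement.createComputeManagementClient(computeManagement.createCertificateCloudCredentials({
subscriptionId: userCredentials.subscriptionId,
pem: fs.readFileSync(file, 'utf-8')
}));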
I'm getting the error: "The server failed to authenticate the request. Verify that the certificate is valid and is associated with this subscription".
Status code 403.
I've done what's written here:
https://msdn.microsoft.com/en-us/library/azure/gg551722.aspx
And converted to PEM using OpenSSL.
I also tried the following:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout azure-cert.pem -out azure-cert.pem
openssl pkcs12 -export -out azure-cert.pfx -in azure-cert.pem -name "My Self Signed Cert"
openssl x509 -outform der -in azure-cert.pem -out azure-cert.cer
Everything fails.
Any ideas?
I tried to follow the section "How to Use -> Authentication" of the page https://www.npmjs.com/package/azure-mgmt-compute to get the .pem file via Azure Xplat-CLI and run the sample code. It works fine.
Firstly, you need to install the Azure Xplat-CLI via the command npm install -g azure-cli; please refer to https://azure.microsoft.com/en-us/documentation/articles/xplat-cli-install/.
Secondly, you need to connect to your Azure subscription via the command azure login -u <username>; please refer to https://azure.microsoft.com/en-us/documentation/articles/xplat-cli-connect/.
Then you can run the command azure account cert export to get the .pem file. The code works with the subscription id & pem file.
Best Regards!
I have created a pfx file using openssl commands as below
openssl genrsa -out private_key.pem 4096
openssl req -new -x509 -key private_key.pem -out public_key.cer -days 100 -sha512 -subj "/CN=self-signed"
openssl pkcs12 -export -out samplepkcs12.pfx -inkey private_key.pem -in public_key.cer
Then I have imported my pfx file to my Azure Key vault.
Now in my azure function, I need to download this certificate and create a client certificate.
I tried the code below
DefaultAzureCredential defaultCredential = new DefaultAzureCredentialBuilder()
.managedIdentityClientId("<MANAGED_IDENTITY_CLIENT_ID>")
.build();
// Azure SDK client builders accept the credential as a parameter
SecretClient client = new SecretClientBuilder()
.vaultUrl("https://{YOUR_VAULT_NAME}.vault.azure.net")
.credential(defaultCredential)
.buildClient();
KeyVaultSecret certificateSecret = client.getSecret("<certificateName>");
IClientCertificate clientCertificate =
ClientCredentialFactory.createFromCertificate(
new ByteArrayInputStream(certificateSecret.getBytes()),"<password>");
But I am getting below exception
java.IO.Exception to DerInputStream rejects type 77
at java.base/sun.security.util.DerValue.toDerInputStream(DerValue.java:873)
at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCSKeyStore.java:1994)
Any suggestion on the right way of uploading (if my approach is wrong) or retrieving the certificate and creating a clientCertificate?
You are using the Secret library. Instead you should use the Certificate library described here:
https://azuresdkdocs.blob.core.windows.net/$web/java/azure-security-keyvault-certificates/4.3.2/index.html
CertificateClient certificateClient = new CertificateClientBuilder()
.vaultUrl("<your-key-vault-url>")
.credential(new DefaultAzureCredentialBuilder().build())
.buildClient();
KeyVaultCertificate certificate = certificateClient.getCertificate("<certificate-name>");
I have an Azure function app. It works well with HTTP locally. Also it works well on production. I am trying to run it with HTTPS locally. I created a certificate but it's still showing a certificate error on the browser. I tried to add my certificate to KeyChain Access as well but the result is the same.
How can I run my function with an SSL certificate locally?
I am trying to access my service from my mobile app but Android is not allowing me to call an HTTP endpoint.
Thanks.
The command line arguments need to be set correctly, and then the Azure Functions can be started in Visual Studio with HTTPS and take advantage of the break point debugging without having to attach the func process in Visual Studio.
Install the tools for local Azure Function development:
Microsoft Azure Storage Explorer
Microsoft Azure Storage Emulator
Install the Azure Functions Core Tools
Or
npm install -g azure-functions-core-tools
Install the Azure Functions Visual Studio Extensions
Azure Functions and Web Jobs Tools need to be installed as an extension in Visual Studio.
Configure the Azure Functions project to use HTTPS
Create a certificate and add this to the operating system.
openssl genrsa -des3 -passout pass:x -out server.pass.key 2048
openssl rsa -passin pass:x -in server.pass.key -out server.key
openssl req -new -key server.key -out server.csr
openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
or
New-SelfSignedCertificate -DnsName "server.com", "server.com" -CertStoreLocation "cert:\LocalMachine\My"
Get the thumbprint for later use
$mypwd = ConvertTo-SecureString -String "1111" -Force -AsPlainText
Get-ChildItem -Path cert:\localMachine\my\"thumbprint from above" | Export-PfxCertificate -FilePath C:\server.pfx -Password $mypwd
Copy the pfx file to the Function project and then configure the properties to copy this to the output.
Configure the command line arguments for Debug.
The application arguments start with host in Visual Studio and not func! This would be func in the command line.
Or just set this in the launchSettings.json
{
"profiles": {
"FunctionApp1": {
"commandName": "Project",
"commandLineArgs": "host start --useHttps --cert \"server.pfx\" --password \"1111\""
}
}
}
When you start the Azure Function project with Visual Studio, the HTTPS URL will be used. This can be checked in the command line window which opens up after starting. Break point debugging is now possible as we started from Visual Studio.
If you start this from the console using func start --useHttps --cert "server.pfx" --password "1111", you need to attach the func process in Visual Studio for break point debugging.
Main goal
I am trying to find a way to add licenses to a user using ubuntu linux; either by powershell or any other programmable method. My last resort is to use selenium with python.
Actual problem
I am trying to use Connect-MgGraph cmdlet with a certificate for unattended scripts. The information on this is here: https://learn.microsoft.com/en-us/graph/powershell/app-only?tabs=azure-portal
I already have app registered with exchange and admin access. I also already have a cert. I used it before when connecting to exchange online powershell.
When I try to run: Connect-MgGraph -ClientID $ApplicationId -TenantId $TenantId -CertificateName $Certificate
It Gives me an error: certificate was not found or has expired.
Here is what I tried:
I first tried using the certpath as a variable and then passing that - failed
$CertificateFilePath = "/home/tech/scripts/powershell_scripts/exchangecert/msexchange.pfx"
##other stuff
Connect-MgGraph -ClientID $ApplicationId -TenantId $TenantId -CertificateName $CertificateFilePath
### FAILED RESULT
Connect-MgGraph: /home/tech/scripts/powershell_scripts/exchangecert/msexchange.cer certificate was not found or has expired.
I tried using this set of commands that I found here: https://github.com/Azure/azure-powershell/issues/8675
$StoreName = [System.Security.Cryptography.X509Certificates.StoreName]::My
$StoreLocation = [System.Security.Cryptography.X509Certificates.StoreLocation]::CurrentUser
$Store = [System.Security.Cryptography.X509Certificates.X509Store]::new($StoreName, $StoreLocation)
$Flag = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
$Certificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new("/home/tech/scripts/powershell_scripts/exchangecert/msexchange.cer","apassword",$Flag)
$Store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$Store.Add($Certificate)
$Store.Close()
### FAILED RESULT
Connect-MgGraph: [Subject]
CN=adomain.com
[Issuer]
CN=adomain.com
[Serial Number]
aserialnumber
[Not Before]
5/30/2021 2:51:16 PM
[Not After]
5/30/2022 3:01:17 PM
[Thumbprint]
athumbprint
certificate was not found or has expired.
Everything I have tried so far is failing. I know this would work on windows but I would really like to authenticate unattended on ubuntu.
Thanks everyone.
-CertificateName should be the subject name of the cert, not the path to the cert. But, you should probably try using the thumbprint instead. I think you're missing some more code for installing the cert. Try something like this, substituting your details in the beginning to generate the correct PFX. (i.e. Make sure key.pem and cert.pem exist in /etc/ssl/private/)
$CertPath = '/etc/ssl/private/'
$CertKey = $CertPath + 'key.pem'
$CertPublic = $CertPath + 'cert.pem'
$CertMerge = $CertPath + 'merged.pfx'
$CertPass = 'somepassword'
$CertExpire = 365
$CertName = 'somecertname'
# Generate new certificate and convert it to pfx format
openssl req -newkey rsa:2048 -new -nodes -x509 -days $CertExpire -keyout $CertKey -out $CertPublic -subj "/C=LV/ST=Some-State/L=LV/O=$CertName/OU=IT"
openssl pkcs12 -in $CertPublic -inkey $CertKey -export -out $CertMerge -passout pass:$CertPass
At this point, you should check to make sure merged.pfx got created. Then continue:
# Store certificate in certificate store
$StoreName = [System.Security.Cryptography.X509Certificates.StoreName]::My
$StoreLocation = [System.Security.Cryptography.X509Certificates.StoreLocation]::CurrentUser
$Store = [System.Security.Cryptography.X509Certificates.X509Store]::new($StoreName, $StoreLocation)
$Flag = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
$Certificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertMerge, $CertPass, $Flag)
$Store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$Store.Add($Certificate)
$Store.Close()
# Get cert thumbprint
$CertValue = [Convert]::ToBase64String($Certificate.GetRawCertData())
$Thumbprint = $Certificate.Thumbprint
Then use $Thumbprint to log in:
Connect-MgGraph -ClientID $ApplicationId -TenantId $TenantId -CertificateThumbprint "YOUR_CERT_THUMBPRINT"
Brief description of what I've done and what I would like to achieve:
I was trying to add certificate to azure key vault via UI:
Got those certificates as ca.crt (openssl req -new -x509 -days 1826 -key ca.key -out ca.crt) and ca.key (openssl genrsa -des3 -out ca.key 2048) but azure key vault requires certificates in .pem or .pfx format
I decided to move cert and key into pem format: key: openssl rsa -in ca.key -text > ca_key.pem
cert: openssl x509 -in ca.crt -out ca.pem then copied ca_key.pem inside ca.pem
I was trying with only cert + key and key extra data (binaries or sth)
I was getting error from UI: The specified PEM X.509 certificate content is in an unexpected format. Please check if certificate is in valid PEM format.
I decided to install the Azure CLI and pass those in pfx format: openssl pkcs12 -export -out ca.pfx -inkey ca.key -in ca.crt and that works properly; I'm able to see the created cert in the key vault certificates
and there the problem begins. I would like to get the certificate with the Azure Node library and extract the key and cert separately to use them. What I've achieved so far:
const secretClient = new SecretClient(keyVaultUrl, credential);
const certificateSecret = await secretClient.getSecret(certificateName);
const PKCS12Certificate = certificateSecret.value!;
fs.writeFileSync("myCertificate.p12", PKCS12Certificate);
I got file and as documentation says:
https://www.npmjs.com/package/@azure/keyvault-certificates#getting-the-full-information-of-a-certificate
I was trying to execute:
openssl pkcs12 -in myCertificate.p12 -out myCertificate.crt.pem -clcerts -nokeys
to extract ca certificate from p12 but I'm still getting error:
34359836736:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:crypto/asn1/tasn_dec.c:1149:
34359836736:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:309:Type=PKCS12
any ideas what I'm doing wrong ?
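The openssl "wrong tag" error above and the Java "DerInputStream rejects type 77" exception earlier on the page are both what a DER parser reports when it is given text instead of binary: Key Vault returns a PKCS#12 certificate's secret value as a base64 string, and base64 of DER starts with "M" (byte 77) rather than the DER SEQUENCE tag 0x30. The following is an added example, not code from any of the posts; the function names classify and toPkcs12Der and the sample bytes are constructed for illustration.

```javascript
'use strict';
// Added example; the sample bytes are constructed, not real key material.
const DER_SEQUENCE = 0x30; // first byte of any DER PKCS#12 or X.509 blob

// Identify the encoding of certificate material from its leading bytes.
function classify(buf) {
  if (buf.length === 0) return 'empty';
  if (buf[0] === DER_SEQUENCE) return 'der';
  const text = buf.toString('latin1').trimStart();
  if (text.startsWith('-----BEGIN ')) return 'pem';
  // Base64 of a blob whose first byte is 0x30 always begins with 'M' (77).
  if (/^[A-Za-z0-9+\/\s]+={0,2}\s*$/.test(text) &&
      Buffer.from(text, 'base64')[0] === DER_SEQUENCE) return 'base64-der';
  return 'unknown';
}

// Return DER bytes suitable for writing to a .p12/.pfx file.
function toPkcs12Der(secretValue) {
  const buf = Buffer.isBuffer(secretValue)
    ? secretValue
    : Buffer.from(secretValue, 'latin1');
  switch (classify(buf)) {
    case 'der':
      return buf;
    case 'base64-der':
      return Buffer.from(buf.toString('latin1'), 'base64');
    case 'pem':
      throw new Error('value is PEM, not PKCS#12; save it as .pem instead');
    default:
      throw new Error('unrecognised certificate encoding');
  }
}

// Constructed stand-in for a PKCS#12 header: SEQUENCE tag, long-form length.
const fakeDer = Buffer.from([0x30, 0x82, 0x0a, 0x01, 0x02, 0x01, 0x03]);
const asStoredInSecret = fakeDer.toString('base64'); // starts with "MII"

function demo() {
  return {
    firstByteOfSecret: Buffer.from(asStoredInSecret)[0], // what the parser saw
    kind: classify(Buffer.from(asStoredInSecret)),
    decodedFirstByte: toPkcs12Der(asStoredInSecret)[0],
  };
}

console.log(demo());
```

Writing the result of toPkcs12Der(certificateSecret.value) to myCertificate.p12, instead of the string itself, gives openssl pkcs12 the binary input it expects.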
I'm very sorry for my language but I don't speak English.
I'm trying to implement SSL in my app but I only have a valid p7b created from a csr file. I'm using expressjs and node js on a linux server. I know how to implement a PEM certificate
var options = {
key: fs.readFileSync('./private.pem'),
cert: fs.readFileSync('./' + config.ssl[config.mode].cert)
};
server = https.createServer(options, app).listen(3000);
but I don't know how to implement a p7b certificate, kindly help me
First you have to convert your p7b to pem format:
openssl pkcs7 -in public.p7b -inform DER -out public.pem -print_certs
Create a pkcs12 file containing your private key and the public certificate:
openssl pkcs12 -export -inkey private.key -in public.pem -name my_name -out result.pfx
To use the pfx file with node js use
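const fs = require("fs");
// Load the PKCS#12 bundle created by the openssl pkcs12 -export step
const cert = fs.readFileSync("result.pfx");
// password is the export password chosen when creating result.pfx
const request = require('request').defaults({
agentOptions: {
pfx: cert,
passphrase: password
}
});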