I followed these instructions to upload a server cert issued by Thawte: http://msdn.microsoft.com/en-us/library/windowsazure/gg465712.aspx
So, I've got a PFX file and the cert complies with the requirements, that is:
- Contain a private key (well it's a PFX...).
- Purpose is Server Authentication.
- Subject name match the domain name that is used to access the service.
- Key size of 2048-bits.
For some reason when I upload it, it returns an error stating: "Can't upload certificate. Please try again. If the problem persists, contact support".
NB:
- I can import that pfx to one of my local Windows machine with no problems.
- I've generated the CSR using certreq (can't see any problem with that)
- I included all certificates in the certificate path when I exported the PFX
If anyone can advise on how to resolve this issue it would be much appreciated.
Thanks in advance.
Sorted, I had to reduce the complexity of the password used for my private key (for reasons only god and Microsoft know)... Uploaded the PFX and no issues...
Related
I use the below script to import a certificate in a pipeline build process,
Powershell script:
param($PfxFilePath, $Password)
$absolutePfxFilePath = Resolve-Path -Path $PfxFilePath
Write-Output "Importing store certificate '$absolutePfxFilePath'..."
Add-Type -AssemblyName System.Security
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.Import($absolutePfxFilePath, $Password, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]"PersistKeySet")
$store = new-object system.security.cryptography.X509Certificates.X509Store -argumentlist "MY", CurrentUser
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::"ReadWrite")
$store.Add($cert)
$store.Close()
Get below error:
. 'C:\JobAppAgent_work\1\s\JobApp\DevOps\Build\Import-PfxCertificate.ps1' -PfxFilePath $env:DOWNLOADSECUREFILE1_SECUREFILEPATH -Password ****
Importing store certificate 'C:\JobAppAgent_work_temp\DD.Job.Desktop_TemporaryKey.pfx'...
##[error]Exception calling "Import" with "3" argument(s): "The specified network password is not correct.
This script was running fine when build was running on Azrure PipeLines. Now I create a private Agent pool that runs on a Window 10 VM.
Make sure that the certificate is valid and has not expired. You can check the expiration date of the certificate by double-clicking on it and viewing the details.
Check that the certificate is properly installed on the machine where the build is being performed. If the certificate is not installed, it will not be available for use in the build process.
Make sure that the certificate is correctly referenced in the build pipeline. This may involve specifying the path to the certificate file or the thumbprint of the certificate.
If you are using a self-signed certificate, make sure that it is trusted by the machine where the build is being performed. To do this, you will need to install the certificate in the trusted root certification authorities store on the machine.
If you are using a certificate from a certificate authority (CA), make sure that the CA is trusted by the machine where the build is being performed. This may involve installing the root certificate of the CA on the machine.
This is a PowerShell script that imports a certificate from a file with a given password into the "MY" store in the current user's certificate store. The certificate is imported using the Import method of the X509Certificate2 class, which takes as input the path to the certificate file, the password, and a set of key storage flags. The script then creates an X509Store object representing the "MY" store in the current user's certificate store, opens the store in read-write mode, adds the imported certificate to the store, and closes the store.
This script assumes that the certificate file is in the Personal Information Exchange (PFX) format, which is a common format for storing certificates and their private keys. PFX files are often used to export or import certificates, and they can be password-protected for added security.
Verify that the password you are using to import the certificate is correct. It's possible that the password has been changed or entered incorrectly.
Check that the certificate file has not been damaged or modified in any way. If the file has been altered, it may be causing the import to fail.
Make sure that the certificate file is accessible to the machine where the script is being run. If the file is on a network share or another machine, check that the machine has the necessary permissions to read the file.
If the certificate file is password-protected, make sure that the password has not expired or been revoked.
Try running the script with different key storage flags to see if that has any effect on the error. For example, you could try using "Exportable" instead of "PersistKeySet" as the key storage flag.
I want to connect to get Key Vault secrets using Azure AD client certificate
The example
https://github.com/Azure-Samples/key-vault-java-certificate-authentication
is not working for me.
Scenario steps:
1.Registered application in Azure AD, Added API/Permission name - Azure Key Vault
Selected user_impersonation. Have full access to Key Vault Service
2.Created certificate - pfx file
Java code from example - specifying client id (registered application client id), pfx file password, pfx file location, key vault url
Question: How does Azure know about the certificate? Never worked with pfx file. Do I need to upload certificate (it says public key .cer/pem/crt)
Can I ask what step I'm missing, as I think authentication is not happening?
java.lang.ClassCastException: class java.lang.String cannot be cast to
class java.util.List (java.lang.String and java.util.List are in
module java.base of loader 'bootstrap') at
com.nimbusds.oauth2.sdk.util.MultivaluedMapUtils.getFirstValue(MultivaluedMapUtils.java:70)
at
com.nimbusds.oauth2.sdk.auth.JWTAuthentication.ensureClientAssertionType(JWTAuthentication.java:246)
Correction:
My application is not in the Azure VM. It is on-premise
Java Code:
I updated the github example code with the below, but the error is same on acquireAccessToken call
AzureAdTokenCredentials credentials = new AzureAdTokenCredentials(
tenant,
AsymmetricKeyCredential.create(clientId, privateKey, certificateKey.getCertificate()),
AzureEnvironments.AZURE_CLOUD_ENVIRONMENT);
TokenProvider provider = new AzureAdTokenProvider(credentials, executorService);
String newToken = provider.acquireAccessToken().getAccessToken();
java.lang.ClassCastException: class java.lang.String cannot be cast to
class java.util.List (java.lang.String and java.util.List are in
module java.base of loader 'bootstrap') at
com.nimbusds.oauth2.sdk.util.MultivaluedMapUtils.getFirstValue(MultivaluedMapUtils.java:70)
at
com.nimbusds.oauth2.sdk.auth.JWTAuthentication.ensureClientAssertionType(JWTAuthentication.java:246)
at
com.nimbusds.oauth2.sdk.auth.PrivateKeyJWT.parse(PrivateKeyJWT.java:277)
at
com.microsoft.aad.adal4j.AuthenticationContext.createClientAuthFromClientAssertion(AuthenticationContext.java:903)
More Updates:
I see the above error in https://github.com/microsoft/azure-spring-boot/issues/457
and so updated a few of my dependencies and crossed that bridge.
New Error:
So I see it is unauthorized? and so too many follow up requests.
How I can fix this? Should I use Handling Authentication in Okhttp ? Is this only a cap to avoid error, or guarantee authentication
Regarding the issue, please refer to the following steps
Convert pfx to cer with openssl
openssl pkcs12 -in <> -out <> -nodes
Upload the cert to Azure AD application
Configure access policy for the application in Azure key vault
run the sample.
Damn it. I thought AzureAdTokenCredentials will help. Instead that had a side effect.
I rolled back my code update after seeing the error in postman
"message": "AKV10022: Invalid audience. Expected
https://vault.azure.net, found: https://rest.media.azure.net."
AsymmetricKeyCredential asymmetricKeyCredential = AsymmetricKeyCredential.create(clientId,
privateKey, certificateKey.getCertificate());
AuthenticationResult result = context.acquireToken(resource,
asymmetricKeyCredential, null).get();
String newToken = result.getAccessToken();
So this code is surely setting scope, which can be seen in the token
"aud": "https://vault.azure.net",
I followed the article - https://goodworkaround.com/2020/07/07/authenticating-to-azure-ad-as-an-application-using-certificate-based-client-credential-grant/
If anyone is not comfortable with openssl commands etc, then create/generate certificate in Key vault, Download cer / crt from there itself and import to Azure AD registeredApp
at the moment I´m working in azure with azure automation and automation account. For executing a runbook I want to authenticate me with a service principal + certificate.
Unfortunately I get the error message "The private key is not present in the X.509 certificate".
I will use:
Add-AzureRmAccount -ServicePrincipal -Tenant xxx -ApplicationId xxx -CertificateThumbprint xxx
But with Login-AzureRmAccount and Connect-AzureRmAccount I get the same error message.
What have I done so far?
Since I´m working in a big company I can´t use a self-signed certificate. Our team have created a .cer-File and .key (Private Key) file for me. After some testing I find out that I need something like this:
Example
Furthermore, I know that I can get this with an .pfx file but this is not accepted from the other team, which will import the certificate to my service principal since they only accept .cer files.
How can I get a .cer file with an public key included?
Thanks a lot!
Your certificate needs to include the private key if you want to sign in with it, which from the error message appears missing. A certificate with the private key included should have a file name of ~.pfx. For reference, check the MS doco here: "Clients which sign in with the service principal also need access to the certificate's private key"
I have installed SSL successful in my azure server but it's not binding with domain. I am getting following error message.
It is not clear on what certificate you are using. To use a certificate in App Service, the certificate must meet all the following requirements:
Signed by a trusted certificate authority
Exported as a password-protected PFX file
Contains private key at least 2048 bits long
Contains all intermediate certificates in the certificate chain
As highlighted by Snobu you may regenerate the certificate (for Self-Signed) with: extendedKeyUsage = critical,codeSigning,1.3.6.1.5.5.7.3.1 in the x509_extensions in the file. Refer this document for the step-step instructions on uploading a certificate.
I am trying to setup a website (local testing atm), to connect to azure rest api to see our settings. I created a cert locally (W7 machine):
makecert -sky exchange -r -n "CN=azureConnectionNew" -pe -a sha1 -len 2048 -ss My "azureConnectionNew.cer"
I can see the cert in the certs MMC snap in. (do not have a right click edit permissions option when I view the cert in here).
I have a class library that setups up the connection, the cert is passed in by getting the cert (via the thumb string), this works great for the console app, but when I try and do this in a web app it all goes wrong. I get 403 errors.
I first thought that this was due to the fact that the website is running as the ApplicationPoolIdentity so doesn't have access to the cert. So I tried passing in the cert (to the same code as the console app), by loading the actual file:
var path = #"C:\temp\azureconnection\azureConnectionNew.cer";
var cert = new X509Certificate2();
cert.Import(path);
I still get 403 errors.
I tried exporting the cer file from MMC certificates snap in as a pfx file, (with private keys included). I set the local IIS set to use this cert and navigated to the https version of my local site but still got 403.
I am not sure how to include / setup / reference the cert so that IIS can send a HttpWebRequest from the server side to Azure and get a valid response.
It is always better to use Thumbprint of the certificate to get the certificate. Please make sure you have created the certificate correctly. Also please check you have placed the certificate in Personal certificate section in Local Machine. You can check this using MMC snap in. please try below code..
var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.OpenExistingOnly | OpenFlags.ReadOnly);
var certificate = store.Certificates
.Cast<X509Certificate2>()
.SingleOrDefault(c => string.Equals(c.Thumbprint, “CertificateThumbprint”, StringComparison.OrdinalIgnoreCase)); // please replace CertificateThumbprint with original Thumbprint
This isn't the right way to use the certificate - it needs to be stored in the personal/certificates store of the user running the code (you should update the App Pool identity to be a user who can login and into whose certificates you import the cert. Here's sample code showing you how to use the service API: http://code.msdn.microsoft.com/windowsazure/CSAzureManagementAPI-609fc31a/