Certificate-based Authentication Prerequisites and Setting Up

IT Asset Management (Cloud)

Certificate-based authentication enables you to use managed identities for Microsoft Azure resources as a secure way for authentication. Managed identities for Azure resources provide Microsoft Azure services with an automatically managed identity in Azure Active Directory. This identity can be used to authenticate to any service that supports Microsoft Azure Active Directory authentication, without having credentials in the code.

For more information on certificate-based authentication, see Overview of Microsoft Entra certificate-based authentication in the Microsoft Entra Online Help.

Prior to configuring the Microsoft Azure adapter to use certificate-based authentication, you first need to create a self-signed certificate, import the certificate, and then upload the certificate to the Microsoft Azure Portal. Follow the below steps to complete this process.

For steps on how to configure the Azure adapter to use certificate-based authentication, see Managing Azure Connections in the Online Help.

Creating a self-signed certificate

To create a new certificate, run the below script. Each time the script is executed, a new certificate will be created in your local computer certificate store. If you need to rerun the script, it is recommended to delete the previous certificates from the local computer certificate store (see Deleting the certificate from the certificate store).

The below script creates a self-signed certificate which is stored under the path cert:\LocalMachine\My. It also exports .cer and .pfx files under a given file path.

  • The .pfx file is used to install the certificate on other machines, this is a password-protected file and the password is clientId which is used while creating the certificate.
  • The .cer file is used to upload the certificate to the Azure portal for your application.
Note: The below script creates a self-signed certificate and applies it to the current machine from where the script is being executed. There is no requirement to import the certificate using a .pfx file on the machine where the certificate was generated.

Script to create a self-signed certificate:

function Create-AzureSelfSignedCertificate
{
    param (
	[Parameter(Mandatory = $true)]
	[string]$tenantId,
	[Parameter(Mandatory = $true)]
	[string]$clientId,
	[Parameter(Mandatory = $true)]
	[string]$filePath
    )
    $StoreLocation = 'LocalMachine' 
    $expirationYears = 1
    $SubjectName = $tenantId + '.' + $clientId
    $cert_password = $clientId
    $pfxFileName = $SubjectName + '.pfx'
    $cerFileName = $SubjectName + '.cer'
    $PfxFilePath = $filePath + $pfxFileName
    $CerFilePath = $filePath + $cerFileName
    $CertBeginDate = Get-Date
    $CertExpiryDate = $CertBeginDate.AddYears($expirationYears)
    $SecStringPw = ConvertTo-SecureString -String $cert_password -Force -AsPlainText 
    $Cert = New-SelfSignedCertificate -DnsName $SubjectName -CertStoreLocation "cert:\$StoreLocation\My" -NotBefore $CertBeginDate -NotAfter $CertExpiryDate -KeySpec Signature
    Export-PfxCertificate -cert $Cert -FilePath $PFXFilePath -Password $SecStringPw 
    Export-Certificate -cert $Cert -FilePath $CerFilePath 
}

#Example
Create-AzureSelfSignedCertificate -tenantId "91034d23-0b63-4943-b138-367d4dfac252" -clientId "a49b1e97-a1ad-4d8c-896a-dadd4ac8f1da" -filePath "c:\temp\cert\"

Importing the certificate using .pfx file

  1. Open the local computer certificate store using the certlm.msc command (run as administrator).
  2. In the left pane, click Personal and under the Action menu click All Tasks followed by Import.
  3. On the Welcome page of the Certificate Import Wizard, click Next. On the next page, browse for and select the relevant .pfx file and click Next.
  4. On the Private key protection page, enter the password for the private key. Select the Include all extended properties checkbox and click Next.
  5. On the Certificate Store page, select the Place all certificates in the following store radio button, then browse for and select Personal for the certificate store. Click Next.
  6. On completion of the Certificate Import Wizard, review the following specified settings and click Finish.

Uploading a certificate to the Azure portal

  1. Log into your Azure Directory portal (portal.azure.com). From the left menu, click App Services and then click the name of your application.
  2. From your application's navigation menu, click Certificates > Public key certificates (.cer) > Add certificate.
  3. In the Add public key certificate dialog, select your .cer file and then enter a certificate name for your application. Once the certificate is uploaded, you can view the certificate thumbprint from the Certificates tab.

Deleting the certificate from the certificate store

Run the following commands to delete a certificate from the cert store:

  • Get-ChildItem cmdlet - lists all certificates in the certificate store.
    Example:
    Get-ChildItem -Path Cert:\LocalMachine\My
  • Remove-Item cmdlet - removes a certificate when specified with the thumbprint and certificate store path.
    Example:
    $thumbprint = "b6b7dd0c0dd60505c70e95627b68775fa98005fc"
Remove-Item -Path "Cert:\LocalMachine\My\$thumbprint"

IT Asset Management (Cloud)

Current