Azure-cli: Discrepancy in format between certificate created for service principal and az login

Created on 24 Sep 2018 · 7 Comments · Source: Azure/azure-cli

Describe the bug

The service principal certificate is created in the openssl format and the az login is expecting openssh format!

To Reproduce

  1. To create a certificate and store it in a key vault, issue this command:
     az ad sp create-for-rbac --name "myServPrin" --keyvault myKeyVault --cert myCert --create-cert
  2. Download the certificate in the vault as PEM, and store on server.
  3. Try logging in with service principal:
     az login --service-principal --username sp-username --tenant mytenant --password /etc/certificates/myCert.pem

You get error:

Error:Invalid Certificate: Expected Start of Certificate to be '-----BEGIN RSA PRIVATE KEY-----'

The certificate starts with '-----BEGIN CERTIFICATE-----'

Expected behavior

I expect to be logged in using the service principal into my Azure tenant.

Environment summary

I am using the Microsoft Data Science VM image on Ubuntu.

Additional information

This issue was first raised for the documentation.
Authorization-cli question


All 7 comments

Please note that after further discussions with Azure support, we have narrowed the scope of the bug. It only happens when you create the certificate and upload it directly to the key vault in the one command (i.e. the --keyvault myKeyVault option). If you just create a certificate without the upload, it creates a local certificate in the proper format (containing both a private key and the certificate).

@AronT-TLV, sorry for the delay in response. For "az login", the pem file must include private key. If you download the certificate from the key-vault, I don't believe the private key will be included.

There is not much we can do, closing.

Why is this issue closed? Is there a workaround for what is a clear error in the documentation and implementation?

You need to download the pfx using:
az keyvault secret download --vault-name $VaultName --name $CertName --encoding base64 --file $CertName.pfx

Then convert it to PEM using:
openssl pkcs12 -in $CertName.pfx -clcerts -nodes -out $CertName.pem

Once you do that, you can login with the PEM certificate.

@wahidsaleemi - Thanks - Worked fine for me!

Just a quick note in case anyone gets stuck on this like I did following @wahidsaleemi's advice - if you get prompted for a password, just press enter to submit an empty password!
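The workaround above boils down to one thing: the PEM file handed to az login must carry the private key as well as the certificate, and a plain certificate download from the vault does not. The script below is an added example (not from the issue or from azure-cli) that checks a PEM file for both blocks before any login attempt, and wraps the download/convert/login sequence from the thread in a function; vault, certificate, app id and tenant names are placeholders.

```shell
#!/usr/bin/env sh
# Added example, not azure-cli code. Verifies that a PEM file is usable for
# `az login --service-principal --password <file>`, i.e. that it holds BOTH a
# private key block and a certificate block.

# Return 0 if $1 contains a private key block and a certificate block, else 1.
# The issue's error names the traditional '-----BEGIN RSA PRIVATE KEY-----'
# header; the PKCS#8 '-----BEGIN PRIVATE KEY-----' header is accepted too.
pem_has_key_and_cert() {
    f="$1"
    [ -r "$f" ] || return 1
    grep -q -E -- '^-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$f" || return 1
    grep -q -- '^-----BEGIN CERTIFICATE-----' "$f" || return 1
    return 0
}

# Print a diagnosis that is clearer than the az error message in the issue.
pem_diagnose() {
    f="$1"
    if ! grep -q -E -- '^-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$f"; then
        echo "missing private key"   # a vault *certificate* download has only the public part
    elif ! grep -q -- '^-----BEGIN CERTIFICATE-----' "$f"; then
        echo "missing certificate"
    else
        echo "ok"
    fi
}

# Sequence from the thread: fetch the PFX from the vault *secret* (which holds
# the key), convert to PEM, verify, then log in. All four arguments are
# placeholders supplied by the caller.
fetch_and_login() {
    vault="$1"; cert="$2"; app_id="$3"; tenant="$4"
    az keyvault secret download --vault-name "$vault" --name "$cert" \
        --encoding base64 --file "$cert.pfx" || return 1
    # -nodes writes the key unencrypted, so create the file readable only by
    # this user. '-passin pass:' supplies the empty export password up front,
    # which avoids the prompt mentioned in the last comment.
    umask 077
    openssl pkcs12 -in "$cert.pfx" -clcerts -nodes -passin pass: \
        -out "$cert.pem" || return 1
    rm -f "$cert.pfx"
    pem_has_key_and_cert "$cert.pem" || { pem_diagnose "$cert.pem"; return 1; }
    az login --service-principal --username "$app_id" --tenant "$tenant" \
        --password "$cert.pem"
}
```

Run pem_has_key_and_cert on the downloaded file first; if it fails, pem_diagnose tells you whether you fetched the certificate object instead of the secret.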
