Pnp-powershell: Connect-pnponline with thumbprint asks for Certificate

Created on 11 Dec 2019 · 18 Comments · Source: pnp/PnP-PowerShell

Reporting an Issue or Missing Feature

When trying to log in with PowerShell using ClientID, TenantID and Thumbprint I'm being asked for a Certificate.

Expected behavior

I expect it to log me in.

Actual behavior


$AppId = "afzzzzz-zzzz-zzzz-81bd-6e98d15d689f"
$Tenant = "tenantname.onmicrosoft.com"
$Thumbprint = "3D44455C072E4125785AB4F836AFB12FA77DB210"
$url = "https://tenantname.sharepoint.com/sites/test"

Connect-pnponline -url:$url -ClientId $AppId -Tenant:$Tenant -Thumbprint:$Thumbprint

The error message I receive is

Connect-pnponline : Value cannot be null.
Parameter name: certificate

Steps to reproduce behavior

See above.

Which version of the PnP-PowerShell Cmdlets are you using?

  • [ ] PnP PowerShell for SharePoint 2013
  • [ ] PnP PowerShell for SharePoint 2016
  • [X] PnP PowerShell for SharePoint Online

What is the version of the Cmdlet module you are running?

(you can retrieve this by executing Get-Module -Name *pnppowershell* -ListAvailable)
SharePointPnPPowerShellOnline 3.16.1912.0

How did you install the PnP-PowerShell Cmdlets?

  • [ ] MSI Installed downloaded from GitHub
  • [X] Installed through the PowerShell Gallery with Install-Module
  • [ ] Other means

All 18 comments

Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.

I have this same issue. I want to be able to run PnP in a PowerShell Azure Function app using app-only to connect to SharePoint Online - ideally also using the Key Vault. I have registered an app and added my certificate which gives me a Thumbprint. The preference will be to add this Thumbprint to AKV and then use that to Connect-PnPOnline to my SP Admin and then provision new sites.

I have also added the PFX as a certificate in AKV and can get it into the Azure Function but currently cannot see any way to use it as the $cert.Import() will obviously not work and there does not currently seem to be any way to Connect-PnPOnline with a certificate from AKV.

It looks like there may be a new option coming to allow -CertificateBase64Encoded but is there any workaround to achieve the above until either Thumbprint or a direct certificate is working?

@paylord I had a similar problem. I use the certificate in an Azure DevOps Pipeline with a PowerShell script and Connect-PnPOnline. I received the same error message with Thumbprint.
I get the certificate, stored in Key Vault, via a DevOps Library as a string value.

With this code I save the certificate in a temporary file and use it with Connect-PnPOnline.

# Decode the base64 PFX string handed over by the DevOps Library variable
$kvSecretBytes = [System.Convert]::FromBase64String($Certificate)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.Import($kvSecretBytes,$null,[System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
Write-Host "##[debug] Certificate Expiry Date:" $cert.NotAfter
Write-Host "##[debug] Certificate Thumbprint:" $cert.Thumbprint

# Write the PFX back out to a temporary file so it can be passed via -CertificatePath
$tmp = New-TemporaryFile
Write-Host "##[debug] tmp file:" $tmp.FullName

$certificateBytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12)
[System.IO.File]::WriteAllBytes($tmp.FullName, $certificateBytes)

Connect-PnPOnline -Tenant $Tenant -Url $url -ClientId $ClientId -CertificatePath $tmp.FullName

It works very well. I hope it might help you, too.

@MarkusLanger - awesome thanks - will give that a try but hoping there is a better option soon :)

I have been connecting using a Certificate like what is shown above for a long while now. However, the documentation states that you should be able to connect like below:

Connect-pnponline -url:$url -ClientId $AppId -Tenant:$Tenant -Thumbprint:$Thumbprint

So is the documentation wrong, or is this a bug?

Usually if you miss a parameter then it will prompt for it so I am guessing the error saying missing certificate parameter is a bug - hoping so anyway!

Hi @pmatthews05, I believe you will see this error if the certificate with that thumbprint is not accessible in your certificate store. You could check your Local Machine store with something like this:

Get-ChildItem -Path cert:\LocalMachine\my

And see if you see your thumbprint listed.

@fastlaneb pretty sure both the scenarios above are in virtual environments where there is no option to actually load a certificate to the store

@paylord What exactly do you mean by virtual environments? As in virtual machines? Or virtual functions somewhere? If it's a virtual machine you should still have access to the local machine's store. I think the point is you need access to the actual certificate to make this work, not just the thumbprint.

@fastlaneb in my case I am running in an Azure Function app. The certificate has been added to an Azure app registration which then gives me the thumbprint.

@fastlaneb & @paylord I was running my code within an Azure dev pipeline, so yes a virtual environment.

If the call still requires access to a certificate, then this needs to be updated in the documentation.


While this works, you should really consider the security implications of storing a certificate in the temp folder. This is not really any safer than having the cert stored under SSL upload - arguably worse. I guess you could load it on the fly and authenticate with PEMCertificate, PEMPrivateKey, tenant and clientid instead of storing them as tmp files. That or clean up the certificate after use could work too I guess. That way you could store both as secrets in KeyVault instead of a certificate?

The release notes indicate there may have been a recent change:

Added option to use Connect-PnPOnline with a base64 encoded private key for use in i.e. PnP PowerShell within an Azure Function v1 and an option to provide a certificate reference for use in i.e. Azure Function v2

@AndersRask - I managed to use Get-PnPAzureCertificate, added the Certificate and the Private Key to the Key Vault and that worked perfectly from a v1 Azure Function. Certainly feels much cleaner than storing the cert with the function. Thanks for the suggestion :)
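A defender-side variant of the in-memory approach the last few comments converge on (load the PFX from a secret, validate it against the app registration, and hand it to the cmdlet without touching the temp folder), added here as an example; it is not code from this thread or from the PnP PowerShell project. It assumes the base64 PFX already sits in a variable the way the DevOps Library value does above, that the installed module has the -CertificateBase64Encoded parameter mentioned in the release note (check Get-Help Connect-PnPOnline for your version), and .NET Framework 4.7.2+ or PowerShell 7 for EphemeralKeySet; $AppId, $Tenant, $Thumbprint and $Certificate are the variable names used earlier in the thread.

```powershell
function Connect-PnPWithInMemoryCertificate {
    param(
        [Parameter(Mandatory)] [string] $Url,
        [Parameter(Mandatory)] [string] $ClientId,
        [Parameter(Mandatory)] [string] $Tenant,
        [Parameter(Mandatory)] [string] $CertificateBase64,   # base64 PFX, e.g. a pipeline secret variable
        [Parameter(Mandatory)] [string] $ExpectedThumbprint,  # as shown on the Azure AD app registration
        [System.Security.SecureString] $PfxPassword = (New-Object System.Security.SecureString)  # empty: unprotected PFX
    )

    $bytes = [System.Convert]::FromBase64String($CertificateBase64)
    # Load the PFX in memory only. EphemeralKeySet keeps the private key out of the persisted
    # key store (assumes .NET Framework 4.7.2+ or PowerShell 7); nothing is written to disk,
    # unlike the New-TemporaryFile approach above.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes, $PfxPassword, $flags)
    try {
        # Fail with a precise message instead of the cmdlet's "Value cannot be null".
        if ($cert.Thumbprint -ne $ExpectedThumbprint) {
            throw "Thumbprint $($cert.Thumbprint) does not match the app registration ($ExpectedThumbprint)."
        }
        if (-not $cert.HasPrivateKey) {
            throw "Secret holds a public certificate only; app-only auth needs the PFX with its private key."
        }
        if ($cert.NotAfter -lt (Get-Date)) {
            throw "Certificate expired on $($cert.NotAfter)."
        }
        Write-Host "##[debug] Using certificate $($cert.Thumbprint), valid until $($cert.NotAfter)"

        # Pass the PFX straight to the cmdlet; no -CertificatePath and no file in the temp folder.
        Connect-PnPOnline -Url $Url -ClientId $ClientId -Tenant $Tenant -CertificateBase64Encoded $CertificateBase64
    }
    finally {
        # Release the key handle and wipe the decoded PFX from memory.
        $cert.Dispose()
        [Array]::Clear($bytes, 0, $bytes.Length)
    }
}

# Usage, reusing the variable names from the issue description (placeholder values):
Connect-PnPWithInMemoryCertificate -Url "https://tenantname.sharepoint.com/sites/test" `
    -ClientId $AppId -Tenant $Tenant -CertificateBase64 $Certificate -ExpectedThumbprint $Thumbprint
```

The thumbprint check is what the -Thumbprint parameter would otherwise do against the local store; here it catches a wrong or rotated certificate before any token request is made.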

I had the same issues with New-PnPAzureCertificate but it works if I use New-SelfSignedCertificate

Create a self-signed certificate and export it

$todaydt = Get-Date
$3years = $todaydt.AddYears(3)
$CertPassword = ConvertTo-SecureString -String "C3rt@pp" -Force -AsPlainText
$cert = New-SelfSignedCertificate -DnsName xxxxxx.onmicrosoft.com -NotAfter $3years -CertStoreLocation cert:\LocalMachine\My
# export pfx for a connection with CertificatePath
Export-PfxCertificate -Cert cert:\LocalMachine\My\xxx -FilePath C:\temp\test.pfx -Password $CertPassword
# export .cer to upload in the Azure app certificate
Export-Certificate -Cert cert:\LocalMachine\My\xxx -FilePath C:\temp\test.cer

@bender86 - yep, but you are loading the cert locally. This is not an option when using a service such as Azure Functions.

@paylord I created the certificate locally but after that I added it to my Azure app and used -Thumbprint in my Connect-PnPOnline.
For this i use this great documentation: https://github.com/SharePoint/PnP-PowerShell/tree/master/Samples/SharePoint.ConnectUsingAppPermissions

@bender86 I am not an expert in this so could be wrong but I believe what is happening is a matching between the certificate you have imported locally and the one added to the Azure Registered App. When using Azure Function Apps or similar, it is not possible to import the cert locally so Thumbprint does not work. I can add a copy of the cert to the Function App and use -PathToCertificate but the better option feels like adding the PEM values to the Key Vault and using those to connect as suggested by @AndersRask

@bender86 I used both New-PnPAzureCertificate and New-SelfSignedCertificate but still, I have the same error

Connect-PnPOnline : Value cannot be null.
Parameter name: certificate

++ @PaoloPia
I am following this https://www.youtube.com/watch?v=seXAaVEE4kY video of yours
