In the Azure portal I can create an application under AAD, navigate to "Home (myTenant) -> App registrations -> (myApp) -> Settings -> Keys", and upload a public key as the application's key certificate. That is easy with the portal UI. But how do I upload the certificate using PowerShell commands?
Thanks,
You are looking for the command New-AzureRmADAppCredential https://learn.microsoft.com/en-us/powershell/module/azurerm.resources/new-azurermadappcredential?view=azurermps-5.0.0
Example 2 in the article should work for you.
----------------8<--------------------
# Load the public certificate (.cer) and Base64-encode its DER bytes for -CertValue
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate
$cer.Import("C:\myapp.cer")
$binCert = $cer.GetRawCertData()
$credValue = [System.Convert]::ToBase64String($binCert)
# -ApplicationId here is the Application (client) ID; the validity window is taken from the certificate itself
New-AzureRmADAppCredential -ApplicationId 4589cd6b-3d79-4bb4-93b8-a0b99f3bfc58 -CertValue $credValue -StartDate $cer.GetEffectiveDateString() -EndDate $cer.GetExpirationDateString()
2023 update
For anyone reading this now, when the recommended approach in PowerShell is to use the Microsoft Graph module over the Azure AD module, the relevant commands are Update-MgApplication with the -KeyCredentials parameter for a new certificate, or Add-MgApplicationKey to update an existing certificate. (Yes, the wording is confusing. You update the application to add a key. You add a key to update a key. And in this context "key" actually means "the public certificate used to verify the private key".)
Here is an example function that pulls a certificate from Key Vault and adds it to a registered AAD application:
function Set-AppCredential
{
    Param(
        [Parameter(Mandatory)]
        [string]$AppName,
        [Parameter(Mandatory)]
        [string]$KeyVaultName,
        [Parameter(Mandatory)]
        [string]$CertificateName
    )
    # Look the app registration up by display name; -ApplicationId below needs its object ID
    $Application = Get-MgApplication -Filter "DisplayName eq '$($AppName)'"
    # Only the public certificate is read from Key Vault; the private key never leaves the vault
    $KeyVaultCertificate = Get-AzKeyVaultCertificate -VaultName $KeyVaultName -Name $CertificateName
    $CertCredential = @{
        Type  = "AsymmetricX509Cert"
        Usage = "Verify"
        Key   = $KeyVaultCertificate.Certificate.RawData   # DER bytes of the public certificate
    }
    # -KeyCredentials replaces the whole collection, so keep the credentials that are already registered
    $AllCredentials = @($Application.KeyCredentials) + @($CertCredential)
    Update-MgApplication -ApplicationId $Application.Id -KeyCredentials $AllCredentials
}
You can add a credential to an existing Azure AD application with New-AzureRmADAppCredential.
Login-AzureRmAccount
# Read the public certificate from the .cer file and Base64-encode its DER bytes
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("PATH_TO_CER_FILE")
$key = [System.Convert]::ToBase64String($cert.GetRawCertData())
New-AzureRmADAppCredential -ApplicationId d3fdf244-xxxx-xxxx-8faa-4a22b9739374 -CertValue $key
Building on sam256's answer, this is my version using PowerShell v7 and reading the certificate from the certificates installed on the current machine. I would love to know whether there is a way to do this in fewer steps, but this is what I managed to do.
The basic steps are:
- This step requires a password to protect the certificate file. But Azure AD will reject a password-protected certificate. I could not find a way to export the certificate without a password in PowerShell, even though the certificate UI allows it when the private key is not exported.
- Use the openssl command-line utility to extract the certificate in PEM format, without a password.
- Upload the PEM-format certificate to Azure AD.
This is the code I used:
# $certificateName, $certificatesPath and $azureAdApplicationId are set earlier in the script (not shown here)
Write-Host "Finding the right certificate to export"
$serviceCertificates = Get-ChildItem -Path Cert:\LocalMachine\My\ | Where-Object { $_.Subject -eq "CN=$certificateName" }
$latestServiceCertificate = $serviceCertificates | Sort-Object NotAfter -desc | Select-Object -First 1
Write-Host "Exporting latest certificate with thumbprint $($latestServiceCertificate.Thumbprint)"
$plaintextPassword = "..." #TODO: Add your own plaintext password here. It is just used temporarily so you don't need to store it anywhere.
$securePassword = ConvertTo-SecureString -String $plaintextPassword -Force -AsPlainText
# Export-PfxCertificate writes a password-protected PFX (including the private key) to this path
$serviceCertificateFilePath = Join-Path $certificatesPath "$certificateName.cer"
Export-PfxCertificate -Cert $latestServiceCertificate -FilePath $serviceCertificateFilePath -Password $securePassword
Write-Host 'Extracting PEM file from latest certificate'
$servicePemCertificateFilePath = Join-Path $certificatesPath "$certificateName.pem"
# -clcerts -nokeys keeps only the client certificate, so the PEM file holds no private key
openssl pkcs12 -in $serviceCertificateFilePath -clcerts -nokeys -password "pass:$plaintextPassword" -out $servicePemCertificateFilePath
Write-Host 'Uploading PEM file to Azure AD'
$servicePemCertificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate($servicePemCertificateFilePath)
$keyCredential = @{
    startDateTime = [System.DateTime]::UtcNow
    type = 'AsymmetricX509Cert'
    usage = 'Verify'
    key = $servicePemCertificate.GetRawCertData()   # DER bytes of the public certificate
    displayName = "CN=$certificateName"
}
Connect-MgGraph
# Note: -KeyCredentials replaces the application's existing key credentials with this list
Update-MgApplication -ApplicationId $azureAdApplicationId -KeyCredentials @($keyCredential)
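The Graph-based answers above share two pitfalls: -KeyCredentials on Update-MgApplication replaces the whole credential list, and a PFX export drags the private key along just to get at the public certificate. The following is an added example (not code from any of the answers) that loads a .cer/.pem file directly, refuses anything carrying a private key, skips duplicates, resends the existing credentials alongside the new one, and checks the result. It assumes the Microsoft.Graph.Applications module, an existing Connect-MgGraph session with Application.ReadWrite.All, that the first parameter is the app registration's object ID, that Graph stores the SHA-1 thumbprint in customKeyIdentifier, and that resending the existing KeyCredentials objects (identified by KeyId) preserves them; the function name and parameters are my own.

```powershell
# Added example, not from the original answers. Assumes Microsoft.Graph.Applications is installed
# and Connect-MgGraph has already run with the Application.ReadWrite.All scope.
function Add-AppPublicCertificate {
    [CmdletBinding()]
    Param(
        # Object ID of the app registration (NOT the Application (client) ID)
        [Parameter(Mandatory)] [string]$ApplicationObjectId,
        # Path to a .cer (DER) or .pem (Base64) file holding only the public certificate
        [Parameter(Mandatory)] [string]$CertificatePath
    )

    # X509Certificate2 reads both DER and Base64/PEM files without a password,
    # so no PFX export and no temporary plaintext password are needed
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertificatePath)

    # Only the public key belongs in the app registration; refuse a file that carries a private key
    if ($cert.HasPrivateKey) { throw "Refusing to upload '$CertificatePath': it contains a private key." }
    if ($cert.NotAfter -lt [DateTime]::UtcNow) { throw "Certificate $($cert.Thumbprint) has already expired." }

    $app = Get-MgApplication -ApplicationId $ApplicationObjectId -Property Id,DisplayName,KeyCredentials
    $existing = @($app.KeyCredentials)

    # Assumption: Graph sets customKeyIdentifier to the SHA-1 thumbprint, which GetCertHash() returns
    $thumbprintB64 = [System.Convert]::ToBase64String($cert.GetCertHash())
    $duplicate = $existing | Where-Object {
        $_.CustomKeyIdentifier -and [System.Convert]::ToBase64String($_.CustomKeyIdentifier) -eq $thumbprintB64
    }
    if ($duplicate) { Write-Warning "Thumbprint $($cert.Thumbprint) is already registered; nothing to do."; return $duplicate }

    $newCredential = @{
        Type          = 'AsymmetricX509Cert'
        Usage         = 'Verify'
        Key           = $cert.RawData                    # DER bytes of the public certificate only
        DisplayName   = $cert.Subject
        StartDateTime = $cert.NotBefore.ToUniversalTime()
        EndDateTime   = $cert.NotAfter.ToUniversalTime()  # let the credential expire with the cert
    }

    # -KeyCredentials replaces the whole collection: resend the existing entries (assumed to be
    # preserved by their KeyId) together with the new one, otherwise other certificates are removed
    Update-MgApplication -ApplicationId $app.Id -KeyCredentials ($existing + @($newCredential))

    # Verify the upload by reading the registration back and matching the thumbprint
    $after = Get-MgApplication -ApplicationId $app.Id -Property KeyCredentials
    $added = $after.KeyCredentials | Where-Object {
        $_.CustomKeyIdentifier -and [System.Convert]::ToBase64String($_.CustomKeyIdentifier) -eq $thumbprintB64
    }
    if (-not $added) { throw "Update succeeded but thumbprint $($cert.Thumbprint) is not registered on '$($app.DisplayName)'." }
    return $added
}
```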