将证书上传到AAD应用程序的powershell命令是什么？

您正在寻找命令 New-AzureRmADAppCredential https://learn.microsoft.com/en-us/powershell/module/azurerm.resources/new-azurermadappcredential?view=azurermps-5.0.0

文章中的示例 2 应该适合您

----------------8<--------------------

$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate 
$cer.Import("C:\myapp.cer") 
$binCert = $cer.GetRawCertData() 
$credValue = [System.Convert]::ToBase64String($binCert)

New-AzureRmADAppCredential -ApplicationId 4589cd6b-3d79-4bb4-93b8-a0b99f3bfc58 -CertValue $credValue -StartDate $cer.GetEffectiveDateString() -EndDate $cer.GetExpirationDateString()

2023更新

对于现在阅读的任何人来说，当 Powershell 中的推荐方法是在 Azure AD 模块上使用 Microsoft Graph 模块时，相关命令是 Update-MgApplication 以及用于新证书的

-KeyCredentials

以下是从 keyvault 中提取证书并将其添加到已注册的 AAD 应用程序的函数示例：

function Set-AppCredential
{
    Param(
        [Parameter(Mandatory)]
        [string]$AppName,
        [Parameter(Mandatory)]
        [string]$KeyVaultName,
        [Parameter(Mandatory)]
        [string]$CertificateName
    )

    $Application = Get-MgApplication -Filter "DisplayName eq '$($AppName)'"

    $KeyVaultCertificate = Get-AzKeyVaultCertificate -VaultName $KeyVaultName -Name $CertificateName

    $CertCredential = @{
        Type = "AsymmetricX509Cert"
        Usage = "Verify"
        Key = $KeyVaultCertificate.Certificate.RawData
    }

    Update-MgApplication -ApplicationId $Application.Id -KeyCredentials @($CertCredential)

}

您可以使用 New-AzureRmADAppCredential 向现有 Azure AD 应用程序添加凭据。

Login-AzureRmAccount
$cert = New-Object    System.Security.Cryptography.X509Certificates.X509Certificate("PATH_TO_CER_FILE")
$key = [System.Convert]::ToBase64String($cert.GetRawCertData())
New-AzureRmADAppCredential -ApplicationId d3fdf244-xxxx-xxxx-8faa-4a22b9739374  -CertValue $key

基于 sam256 的答案，这是我使用 PowerShell v7 并从当前计算机上安装的证书读取证书的版本。我很想知道是否有一种方法可以用更少的步骤来做到这一点，但这就是我设法做到的。

基本步骤是：

1. 从当前计算机的证书存储中检索证书。

此步骤需要用于保护证书文件的密码。但 Azure AD 将拒绝受密码保护的证书。我无法在 PowerShell 中找到无需密码即可导出证书的方法，即使在不导出私钥时可以使用证书 UI。

2. 使用

   openssl

   命令行实用程序提取 pem 格式的证书，无需密码。

3. 将 PEM 格式的证书上传到 Azure AD

这是我使用的代码：

Write-Host "Finding the right certficate to export"
$serviceCertificates = Get-ChildItem -Path Cert:\LocalMachine\My\ | Where-Object { $_.Subject -eq "CN=$certificateName" }
$latestServiceCertificate = $serviceCertificates | Sort-Object NotAfter -desc | Select-Object -First 1

Write-Host "Exporting latest certificate with thumbprint $($latestServiceCertificate.Thumbprint)"
$plaintextPassword = "..." #TODO: Add your own plaintext password here. It is just used temporarily so you don't need to store it anywhere.
$securePassword = ConvertTo-SecureString -String $plaintextPassword -Force -AsPlainText
$serviceCertificateFilePath = Join-Path $certificatesPath "$certificateName.cer"
Export-PfxCertificate -Cert $latestServiceCertificate -FilePath $serviceCertificateFilePath -Password $securePassword

Write-Host 'Extracting PEM file from latest certificate'
$servicePemCertificateFilePath = Join-Path $certificatesPath "$certificateName.pem"
openssl pkcs12 -in $serviceCertificateFilePath -clcerts -nokeys -password "pass:$plaintextPassword" -out $servicePemCertificateFilePath

Write-Host 'Uploading PEM file to Azure AD'
$servicePemCertificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate($servicePemCertificateFilePath)
$keyCredential = @{
    startDateTime = [System.DateTime]::UtcNow
    type = 'AsymmetricX509Cert'
    usage = 'Verify'
    key = $servicePemCertificate.GetRawCertData()
    displayName = "CN=$certificateName"
}
Connect-MgGraph
Update-MgApplication -ApplicationId $azureAdApplicationId -KeyCredentials @($keyCredential)