Meant to blog about this a while back, and now I’ve forgotten what the issue was. Hoping some half information is more useful to anyone stumbling upon this post than no information at all! :)
I was trying to connect to AzureAD with a self-signed certificate a while back. I imported the PFX file into my local cert store, then I was trying something like this:
```powershell
Connect-AzureAD -TenantId zzzz -ApplicationId xxxx -CertificateThumbprint $cert.Thumbprint
```
This gave me the `Invalid provider type specified` error. Googling this didn't turn up much, but two posts finally helped: this, and this.
I had generated my original self-signed certificate via openssl on my Mac, and something about that wasn't right, I suppose. Originally the cert didn't have a password, and when I regenerated it with a password it worked fine. (I think this is what my fix was :) Like I said, it's been a while and I've forgotten…)
Unfortunately on macOS the New-SelfSignedCertificate cmdlet does not exist, which is a bummer. I discovered this 3rd party module though, so I try and use it instead of openssl nowadays (nothing against openssl, I just find it so difficult to remember its various switches).
A thing with self-signed certs is that some cmdlets require them to be passwordless. For instance the Connect-MgGraph cmdlet has no option to specify a password if you are passing it a PFX file (which I usually am, as I am on my Mac). So while I can generate a cert via the module above, I then have to resort to openssl to remove its password. The module above does not have an option to spit out the public cert either, so again I need openssl. :) So yeah, not entirely free of openssl.
Anyhoo, in case it helps:
```powershell
Import-Module "/path/to/SelfSignedCertificate.psm1"

# Note: a plaintext password in a script; keep this file out of source control.
$password = "xxx"
$certName = "mycertificate"

# No need to change anything past this except the path
$pfxfile = "/path/to/${certName}.pfx"
$crtfile = "/path/to/${certName}.crt"
$pemfile = "/path/to/${certName}.pem"
$pfxfile_nopass = "/path/to/${certName}_nopass.pfx"

$certificateParameters = @{
    CommonName = "CN=${certName}"
    OutCertPath = "$pfxfile"
    StartDate = [System.DateTimeOffset]::Now
    Duration = [timespan]::FromDays(730)
    Passphrase = $(ConvertTo-SecureString -Force -AsPlainText $password)
    CertificateFormat = 'Pfx' # Values from [System.Security.Cryptography.X509Certificates.X509ContentType]
    KeyLength = 4096
    ForCertificateAuthority = $true
    KeyUsage = 'DigitalSignature','KeyEncipherment' # Values from [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
    EnhancedKeyUsage = 'ServerAuthentication','ClientAuthentication'
}

# Generate the PFX file (password-protected)
New-SelfSignedCertificate @certificateParameters

# Generate the public cert (certificate only, no private key)
openssl pkcs12 -in "$pfxfile" -out "$crtfile" -nokeys -clcerts -passin pass:$password

# Generate a password less variant. This requires converting to PEM and back to PFX.
# -nodes writes the private key to the PEM file unencrypted: delete $pemfile afterwards.
openssl pkcs12 -in "$pfxfile" -out "$pemfile" -nodes -passin pass:$password
# An empty -passout gives a PFX with no password instead of prompting for one
openssl pkcs12 -export -in "$pemfile" -out "$pfxfile_nopass" -passout pass:
```
I run all of the above in a PowerShell window on macOS; it can invoke the native openssl anyway…
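Since the script above leans on a third-party PowerShell module, here is the same workflow done with openssl alone, as an added example rather than code from the original post: generate the key and self-signed cert (same key usage and EKU as the parameters above), produce both the password-protected and the passwordless PFX, and print the SHA-1 thumbprint in the format that `$cert.Thumbprint` gives you. The output directory, certificate name and password are assumptions. The `verify_pfx` helper is there to check the thing that trips up the cmdlets mentioned earlier: that the "nopass" PFX really opens with an empty password.

```shell
#!/bin/sh
# Added example, not from the original post: openssl-only version of the
# cert generation workflow. Paths, names and the password are assumptions.
set -eu

make_cert() {
  # $1 = output directory, $2 = certificate name (used as CN), $3 = PFX password
  dir="$1"; name="$2"; pass="$3"
  key="$dir/$name.key.pem"
  crt="$dir/$name.crt"
  pfx="$dir/$name.pfx"
  pfx_nopass="$dir/${name}_nopass.pfx"

  # 1. Private key and self-signed certificate in one step (2 years, RSA 4096).
  #    -nodes leaves the key unencrypted on disk, so keep $dir private and
  #    delete the .key.pem once the PFX files exist.
  openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 730 \
    -subj "/CN=$name" \
    -addext "keyUsage=digitalSignature,keyEncipherment" \
    -addext "extendedKeyUsage=serverAuth,clientAuth" \
    -keyout "$key" -out "$crt"

  # 2. Password-protected PFX (the one you would import into a cert store).
  openssl pkcs12 -export -inkey "$key" -in "$crt" -out "$pfx" -passout "pass:$pass"

  # 3. Passwordless PFX for cmdlets that cannot take a PFX password.
  #    An empty -passout writes an empty password instead of prompting.
  openssl pkcs12 -export -inkey "$key" -in "$crt" -out "$pfx_nopass" -passout pass:
}

thumbprint() {
  # $1 = certificate file. Prints the SHA-1 fingerprint as 40 uppercase hex
  # digits with no colons, which is what .NET/PowerShell expose as Thumbprint.
  openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2 | tr -d ':'
}

verify_pfx() {
  # $1 = PFX file, $2 = password ("" for a passwordless PFX).
  # Returns 0 if the PFX opens with that password (MAC check passes), else non-zero.
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" -out /dev/null 2>/dev/null
}

# Usage (assumed paths), e.g.:
#   out=$(mktemp -d); make_cert "$out" mycertificate 'xxx'
#   thumbprint "$out/mycertificate.crt"
#   verify_pfx "$out/mycertificate_nopass.pfx" "" && echo "nopass PFX opens with empty password"
```

Two caveats when running this on a Mac: the `openssl` that ships with macOS is LibreSSL, which may lack `-addext`, so point the script at a Homebrew OpenSSL if that fails. And with OpenSSL 3 the PKCS#12 files are encrypted with AES-256/PBKDF2 by default; if whatever consumes the PFX rejects it (older Windows builds only understand the older RC2/3DES encoding), add `-legacy` to the two `-export` commands.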