"Certificate does not contain any CA certificate" error when I create a SSL profile on Azure Application Gateway

Mohsen Akhavan 936

Let me explain more about the scenario.
I have a web application that is hosted on an Azure App Service Plan.
I created two certificates "Root" and "Child" with the blow command:

Generate root cert:    
$pwd = ConvertTo-SecureString -String "123" -Force -AsPlainText    
$filepath = 'C:\Users\Desktop\certificates\'    
$rootcert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Subject "IdentityServerCN"-Provider "Microsoft Strong Cryptographic Provider"-HashAlgorithm "SHA512"-NotAfter (Get-Date).AddYears(5) -KeyUsageProperty All -KeyUsage CertSign, CRLSign, DigitalSignature    
Export-PfxCertificate -cert ('Cert:\LocalMachine\My\' + $rootcert.thumbprint) -FilePath ($filepath+'IdentityServerCertificate.pfx')  -Password $pwd    
    
     
Generate child cert:    
$pwd = ConvertTo-SecureString -String "123" -Force -AsPlainText    
$scope = "app"    
$env = "develoepr"    
$filepath = 'C:\Users\Desktop\certificates\test\'    
$certname = $scope + "_"+ $env    
$childcert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Subject "IdentityServerCN"-Provider "Microsoft Strong Cryptographic Provider"-HashAlgorithm "SHA512"-NotAfter (Get-Date).AddYears(5) -Signer $rootcert  -FriendlyName $certname     
Export-PfxCertificate -cert ('Cert:\LocalMachine\My\' + $childcert.thumbprint) -FilePath ($filepath + $certname+'.pfx') -Password $pwd

When I directly open the web app URL https://app-test-platform.azurewebsites.net/index.html the application request a certificate. I selecet the child certificate and then the application opened.

Now, I want to move this app behind the Azure Application Gateway and I configure all settings (backend, listeners and etc). Based on this document for this solution I need SSL Profile. First of all, I need to export the trusted CA certificate chain (this document). I have done all steps and when I back to Application Gateway and created an SSL profile I received this error when I want to upload *.cer files.

Failed to save configuration changes to application gateway 'XXXX'. Error: TrustedClientCertificate XXXX/providers/Microsoft.Network/applicationGateways/XXXX/trustedClientCertificates/XXX'>XXXX/XXX does not contain any CA certificate. A CA certificate contains the basic constraint extension with subject type as CA.

KapilAnanth-MSFT 35,986 Reputation points Microsoft Employee

2022-11-01T06:45:43.233+00:00
Hi @Mohsen Akhavan ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
From your set up and initial verbatim, I understand you are trying to configure mutual authentication for your application.

Refer:
Overview of mutual authentication with Application Gateway
.
Please let me know if my understanding is incorrect here and you are interested with End-to-End TLS, do let us know and we can discuss about how this can be achieved.

If it's indeed the mutual authentication, you are trying to configure,

Then I am not sure why you would export the certificate from the browser.

It appears, from the screenshots you have provided, this is juts going to export the SSL certificate for "*.azurewebistes.net" - which is used to provide encryption to the web (HTTPS)

This exported certificate will not be the same as the root certificate you would want to use for mutual authentication

While it is highly recommended to not go with self-signed certificates, here's how you can export the CA certificate from a certificate chain.
Refer : Export a trusted client CA certificate chain to use with client authentication

Cheers,
Kapil
Mohsen Akhavan 936 Reputation points

2022-11-01T07:35:46.127+00:00
Hi @KapilAnanth-MSFT ,

Thanks for your replay.
Let me explian more. I want to implement a app based on certificate authenticate. I have two certificate "root" and "child".
In my scenario, this app working well without Application Gateway. Client select "child" certificate when browse my app, and then client can receive data.

Please forget export The SSL certficate (HTTPS), it was my mistake and I will update my question.

About Export a trusted CA, I used this reference and I try export Publuc certidicate from my "root" certificate. I done all steps and uploaded un SSL Profile, but I received this error.

Failed to save configuration changes to application gateway 'XXXX'. Error: TrustedClientCertificate XXXX/providers/Microsoft.Network/applicationGateways/XXXX/trustedClientCertificates/XXX'>XXXX/XXX does not contain any CA certificate. A CA certificate contains the basic constraint extension with subject type as CA.
KapilAnanth-MSFT 35,986 Reputation points Microsoft Employee

2022-11-01T10:01:12.837+00:00

Hi @Mohsen Akhavan ,

So, I take it that you would like to implement mutual authentication.

I am not sure how you have created your Root Certificate and your Server certificate.
But the root certificate needs to be a CA certificate.

You can check if it's a CA certificate or not by,

The subject type should be of CA, under basic constraints.

Can you please check if your root certificate is a CA certificate?

Cheers,
Kapil
Mohsen Akhavan 936 Reputation points

2022-11-02T19:41:08.603+00:00
Hi @KapilAnanth-MSFT

I checked but I don't have "Basic Constraints" in my certificate.
Also, I've tried to create a self-signed certificate with a custom root CA through the below link:
Ref: https://learn.microsoft.com/en-us/azure/application-gateway/self-signed-certificates

Again I didn't find the "Basic Constraints" item and when I tried to add an SSL profile (Application Gateway) I received the same error.

Do you have any documents to create a self-signed CA certificate?

Is it true to use the above PowerShell command to create certificates?
Mohsen Akhavan 936 Reputation points

2022-11-03T08:32:45.973+00:00

Hi again @KapilAnanth-MSFT

Based on this document I created another certificate (Self-Signed CA) and upload it on SSL Profile in Application Gateway, but again I received the same error as above.
KapilAnanth-MSFT 35,986 Reputation points Microsoft Employee

2022-11-03T11:35:46.847+00:00
Hi @Mohsen Akhavan ,

Ideally, that should not be the case.

Can you please use the below and give it a try?

Root:
$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature -Subject "CN=MutualAuthRoot" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -TextExtension @("2.5.29.19={text}CA=true") -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign

Client:
New-SelfSignedCertificate -Type Custom -DnsName MutualAuthLeaf -KeySpec Signature -Subject "CN=MutualAuthLeaf" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My" -Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

Run the above from an elevated Powershell

And then export the root as .cer file and upload it into the SSL Profile?

It should be under,

And let me know if this works.

Cheers,
Kapil
Mohsen Akhavan 936 Reputation points

2022-11-04T10:13:58.037+00:00

Hi @KapilAnanth-MSFT

I created and exported *.cer from your command. This root certificate was uploaded on the SSL profile in the Application gateway.
Now, I should compare my PowerShell command with your command and fix the issue.

Thanks,
KapilAnanth-MSFT 35,986 Reputation points Microsoft Employee

2022-11-04T17:15:42.173+00:00

Hi @Mohsen Akhavan ,

Sure.

Please keep the thread updated if you are able to configure mutual authentication.

Cheers,
Kapil
Mohsen Akhavan 936 Reputation points

2022-11-09T17:28:52.133+00:00

@KapilAnanth-MSFT With your command I created certificate with CA
KapilAnanth-MSFT 35,986 Reputation points Microsoft Employee

2022-11-10T08:18:06.907+00:00

Hi @Mohsen Akhavan ,

Thanks for the update.

Please let me know should you require any more assistance.

Cheers,
Kapil
Mohsen Akhavan 936 Reputation points

2022-11-10T19:43:52.197+00:00

@KapilAnanth-MSFT Thanks for your support. Actually, I can do to create an SSL profile based on your command but unfortunately, I couldn't run mutual authentication with Application Gateway. In the below link, I describe another problem.
https://learn.microsoft.com/en-us/answers/questions/1082539/access-denied-error-on-mutual-authentication-in-ap.html
Mohsen Akhavan 936 Reputation points

2022-11-10T19:45:43.897+00:00

Based on reference documents, the mutual authentication is a simple configuration but I don't know which step I do a mistake :(
KapilAnanth-MSFT 35,986 Reputation points Microsoft Employee

2022-11-17T13:32:20.81+00:00

Hi @Mohsen Akhavan ,

Apologies for the delay in responding.

I was following your other thread Access Denied error on mutual authentication in Application Gwateway v2 and Azure App Service and I see @ChaitanyaNaykodi-MSFT has been working on it.

I would suggest you post the follow-up queries there, so myself and Chaitanya can internally discuss and suggest you next steps.

Let us know if we can be of any other assistance here.

Cheers,
Kapil
Mohsen Akhavan 936 Reputation points

2022-11-21T09:42:58.583+00:00

Thanks , I created with your command and my problem solved
KapilAnanth-MSFT 35,986 Reputation points Microsoft Employee

2022-11-21T13:32:11.923+00:00

Hi @Mohsen Akhavan ,

Thanks for keeping us updated.

I have summarized our discussion and post it as an answer.
Kindly Accept the answer, as this can be beneficial to other community members and close this thread.

Cheers,
Kapil

Accepted answer

KapilAnanth-MSFT 35,986 Reputation points Microsoft Employee

2022-11-21T13:30:53.733+00:00

Hi @Mohsen Akhavan ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
From your verbatim, I understand you are trying to configure mutual authentication for your application.

From initial analysis, it appears that this is not a CA certificate
The below command should help you create a CA certificate

Root:
$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature -Subject "CN=MutualAuthRoot" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -TextExtension @("2.5.29.19={text}CA=true") -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign

Client:
New-SelfSignedCertificate -Type Custom -DnsName MutualAuthLeaf -KeySpec Signature -Subject "CN=MutualAuthLeaf" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My" -Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

You informed that you are now able to resolve your issue.

Cheers,
Kapil

----------------------------------------------------------------------------------------------------------------

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

"Certificate does not contain any CA certificate" error when I create a SSL profile on Azure Application Gateway

0 additional answers