The certificate with identifier used to sign the client assertion is not registered on application.

Dmytrii Korostylev 20 Reputation points
2025-03-24T16:13:32.8133333+00:00

Hi.
Through Microsoft Entra, I created an application. Then I locally generated a .crt certificate and uploaded it to Certificates, where the thumbprint is 'yyy'. Then I used Postman and made a request to https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token, passing the JWT token as client_assertion. I get the error: The certificate with identifier used to sign the client assertion is not registered on application. [Reason - The key was not found]. Thumbprint of key used by client: 'xxx'. Although the thumbprint displayed in the application certificates ('yyy') and the thumbprint of the local certificate completely coincide (also 'yyy').

Do I need to upload the certificate somewhere else besides the Certificates and Secrets tab, and how do I understand where the 'xxx' signature came from and where to find it in the application?

Microsoft Entra ID

Accepted answer
  1. Sanoop M 2,660 Reputation points Microsoft External Staff
    2025-03-27T19:34:44.9033333+00:00

    Hello @Dmytrii Korostylev,

    Based on the error message you are getting, The certificate with identifier used to sign the client assertion is not registered on application. [Reason - The key was not found]. Thumbprint of key used by client: 'xxx', this usually occurs when you use the thumbprint as-is instead of its base64 encoding in x5t (in the header) while creating the JWT token.

    Please run the following PowerShell script to generate a base64 encoded string of your thumbprint:

    ```powershell
    # Hexadecimal thumbprint string as shown in the portal (40 hex characters, no spaces or colons)
    $hexString = "<Thumbprint from portal>"

    # Convert the hexadecimal string to a byte array (two hex characters per byte)
    $bytes = for ($i = 0; $i -lt $hexString.Length; $i += 2) {
        [Convert]::ToByte($hexString.Substring($i, 2), 16)
    }

    # Convert the byte array to a Base64 string
    $CertificateBase64Hash = [System.Convert]::ToBase64String([byte[]]$bytes)

    # Output the result
    $CertificateBase64Hash
    ```

    Save it as a .ps1 file and run it in PowerShell as:

    ```powershell
    .\base64.ps1
    ```

    Now please use this output as the x5t value in the header and get the token. Use the generated JWT as client_assertion in your POST request.

    Alternatively, you can fix this issue by adding "trustedCertificateSubjects" to the Manifest section of the application registered in the "App registrations" section.

    ```json
    "trustedCertificateSubjects": [
        {
            "authorityId": "00000000-0000-0000-0000-000000000001",
            "subjectName": "XXX.XXXXXXXXXXX.aad.XXXXXX.XX"
        }
    ]
    ```

    Below is the screenshot for your reference (image of the application manifest; not included here).

    Here authorityId is fixed; you can find the SubjectName value in your certificate. It will be in the format CN=xyz, where xyz is your SubjectName.

    Please refer to the article below for your reference.

    AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application. - Microsoft Q&A

    I hope the above information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    1 person found this answer helpful.
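The accepted answer covers the two halves of the fix (encoding the thumbprint for x5t, and the manifest alternative) but not how the assertion is assembled or how to check what a given assertion actually carries. The following PowerShell is an added example, not code from the answer or from Microsoft: it derives x5t from the portal thumbprint, builds and signs the client assertion with the certificate's private key, and decodes the x5t of any assertion back into hex so it can be compared with the thumbprint the portal (and the AADSTS700027 error) report. Note that RFC 7515 defines x5t as base64url, so the helper below strips the `=` padding and swaps `+`/`/` for `-`/`_`. The tenant id, client id, thumbprint and the `Cert:\CurrentUser\My` store location are assumptions you replace.

```powershell
# Added example: client-assertion JWT for Entra ID with a correctly encoded x5t header.
# Assumes the certificate (with private key) is in Cert:\CurrentUser\My and that
# $TenantId / $ClientId / $Thumbprint are placeholders you replace.

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    # RFC 7515 base64url: standard Base64 without '=' padding, '+' -> '-', '/' -> '_'
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [Convert]::FromBase64String($s)
}

function Get-X5tFromThumbprint {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # The portal shows the SHA-1 thumbprint as 40 hex characters. x5t must carry
    # the 20 raw bytes base64url-encoded, not the hex text itself.
    $hex = $Thumbprint -replace '[^0-9A-Fa-f]', ''
    $bytes = [byte[]]::new($hex.Length / 2)
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($hex.Substring(2 * $i, 2), 16)
    }
    ConvertTo-Base64Url -Bytes $bytes
}

function Get-ThumbprintFromJwt {
    param([Parameter(Mandatory)][string]$Jwt)
    # Diagnostic: decode the JWT header and turn its x5t back into hex. The result
    # should equal the thumbprint shown under Certificates & secrets in the portal.
    $headerBytes = ConvertFrom-Base64Url -Text $Jwt.Split('.')[0]
    $header = [Text.Encoding]::UTF8.GetString($headerBytes) | ConvertFrom-Json
    if (-not $header.x5t) { throw "JWT header has no x5t claim" }
    ((ConvertFrom-Base64Url -Text $header.x5t) | ForEach-Object { $_.ToString('X2') }) -join ''
}

function New-ClientAssertion {
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][string]$Thumbprint
    )
    $cert = Get-Item "Cert:\CurrentUser\My\$Thumbprint"
    $now  = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()

    # $cert.Thumbprint is the same 40-hex value the portal displays
    $header = @{ alg = 'RS256'; typ = 'JWT'; x5t = (Get-X5tFromThumbprint -Thumbprint $cert.Thumbprint) }
    $claims = @{
        aud = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
        iss = $ClientId
        sub = $ClientId
        jti = [guid]::NewGuid().ToString()
        nbf = $now
        exp = $now + 600   # keep the assertion short-lived; it is a bearer credential
    }

    $encode = { param($o) ConvertTo-Base64Url -Bytes ([Text.Encoding]::UTF8.GetBytes((ConvertTo-Json -InputObject $o -Compress))) }
    $signingInput = "$(& $encode $header).$(& $encode $claims)"

    # RS256 = RSASSA-PKCS1-v1_5 over SHA-256 of "header.payload"
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    $sig = $rsa.SignData([Text.Encoding]::UTF8.GetBytes($signingInput),
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)

    "$signingInput.$(ConvertTo-Base64Url -Bytes $sig)"
}

# Usage (placeholders are assumptions):
$TenantId   = '<tenant-id>'
$ClientId   = '<client-id>'
$Thumbprint = '<Thumbprint from portal>'

$jwt = New-ClientAssertion -TenantId $TenantId -ClientId $ClientId -Thumbprint $Thumbprint
Get-ThumbprintFromJwt -Jwt $jwt    # compare with the portal thumbprint before sending

$body = @{
    client_id             = $ClientId
    client_assertion_type = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
    client_assertion      = $jwt
    scope                 = 'https://graph.microsoft.com/.default'
    grant_type            = 'client_credentials'
}
Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" -Body $body
```

Running `Get-ThumbprintFromJwt` on an assertion built with the hex thumbprint pasted straight into x5t returns garbage or throws on decode, whereas one built with `Get-X5tFromThumbprint` round-trips to the portal value; that is the quickest way to tell which side of the AADSTS700027 mismatch you are on before touching the manifest.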
