Creating and using certificates for Azure service principals?

KJ 81 Reputation points
2021-03-03T14:31:42.35+00:00

We want to use a service principal account with certificate authentication for the purpose of copying files from an on-premises server to Azure Blob Storage using AzCopy.

When I look at the documentation link below, it only shows an example of how to create a self-signed certificate intended to be used only for testing.
https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#option-1-upload-a-certificate

I need more detail on the requirements and creation and use process than shown in the example.

What are the requirements for certificates intended for production use, and are we supposed to use our own on-premises private Microsoft CA or a public commercial CA to get the certificate?

Is the certificate supposed to be a client authentication certificate type or something else? What should we use for the subject name, etc.? The example in the link above uses “DaemonConsoleCert.”

Do we get email or portal notifications from Azure when the service principal certificate is close to expiring? Can the certificate be configured to renew automatically?


Accepted answer
  1. Siva-kumar-selvaraj 15,556 Reputation points
    2021-03-08T19:05:04.597+00:00

    Hello @KJ ,

    Thanks for reaching out.

    You can use a certificate (AsymmetricX509Cert) from any type of issuer (self-signed, public CA or internal CA) in a production environment; AAD (Azure AD) supports all of these certificate types for authentication as long as the certificate matches the prerequisites below:

    Subject Name: anything, no restriction
    KeySpec: Signature
    KeyLength: 2048
    KeyAlgorithm: RSA
    HashAlgorithm: SHA256 / SHA-1 (both supported)
    Enhanced Key Usage: Client Authentication & Server Authentication

    Note: when you use an internal CA-issued cert, make sure the certificate path is accessible for certificate chain validation.

    The service principal certificate needs to be renewed manually, and you will see a secret (certificate) expiry notification in the Azure portal, as shown below:

    (screenshot 75564-image.png: certificate expiry notification in the Azure portal)

    Hope this helps.

    Do let us know if this helps and if there are any more queries around this, so that we can help you further. Also, please do not forget to accept the response as an Answer if the above response helped in answering your query.

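The prerequisites listed in the accepted answer, worked through end to end for the asker's AzCopy scenario. This is an added example and not part of the thread or of any Microsoft sample: it creates a certificate with exactly the listed properties (KeySpec Signature, RSA 2048, SHA256, EKU Client + Server Authentication), uploads only the public part to the app registration, exports the private key as a password-protected PFX for the on-premises server, logs AzCopy in with it, and, because renewal is manual, lists credentials that are about to expire. It assumes the Az PowerShell module (Az.Resources 5.x or later, Microsoft Graph based) with Connect-AzAccount already done, AzCopy v10 on the PATH, and an existing app registration; the GUIDs, the path and the subject name are placeholders. A CA-issued certificate with the same properties is used in exactly the same way from step 2 onward.

```powershell
# Added example, not from the original thread. Placeholders to replace:
$appId    = '00000000-0000-0000-0000-000000000000'   # Application (client) ID of the app registration
$tenantId = '00000000-0000-0000-0000-000000000000'   # Directory (tenant) ID
$pfxPath  = 'C:\secrets\azcopy-sp.pfx'               # where the private key lands on the on-prem server
$subject  = 'CN=azcopy-onprem-fileserver'            # any subject is accepted; pick something descriptive

# 1. Key pair + certificate matching the prerequisites from the answer:
#    KeySpec Signature, RSA 2048, SHA256, EKU = Client Authentication (1.3.6.1.5.5.7.3.2)
#    and Server Authentication (1.3.6.1.5.5.7.3.1). Self-signed here; a CA-issued cert with
#    the same properties is handled identically from step 2 on.
$cert = New-SelfSignedCertificate `
    -Subject $subject `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeySpec Signature `
    -KeyAlgorithm RSA `
    -KeyLength 2048 `
    -HashAlgorithm SHA256 `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(1) `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.1')

# 2. Azure AD only needs the public certificate (Base64-encoded DER); the private key never leaves the host.
$base64Cer = [Convert]::ToBase64String($cert.GetRawCertData())
New-AzADAppCredential -ApplicationId $appId -CertValue $base64Cer `
    -StartDate $cert.NotBefore -EndDate $cert.NotAfter

# 3. Export the private key as a password-protected PFX for the server that runs AzCopy.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# 4. AzCopy authenticates as the service principal with the PFX; the PFX password is read
#    from AZCOPY_SPA_CERT_PASSWORD so it never appears on the command line.
$env:AZCOPY_SPA_CERT_PASSWORD = [System.Net.NetworkCredential]::new('', $pfxPassword).Password
azcopy login --service-principal --application-id $appId --certificate-path $pfxPath --tenant-id $tenantId
Remove-Item Env:\AZCOPY_SPA_CERT_PASSWORD

# 5. Renewal is manual: list certificate credentials on the app that expire within 30 days,
#    so rotation can be scheduled without relying on the portal notification alone.
Get-AzADAppCredential -ApplicationId $appId |
    Where-Object { $_.EndDateTime -lt (Get-Date).AddDays(30) } |
    Select-Object KeyId, DisplayName, EndDateTime
```

Step 5 can run from a scheduled task against a shared monitoring identity; when a credential shows up, repeat steps 1 to 3 with a new certificate, add it alongside the old one, switch AzCopy over, and only then remove the old KeyId with Remove-AzADAppCredential so the copy job never has a window with no valid credential.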

1 additional answer

  1. Siva-kumar-selvaraj 15,556 Reputation points
    2021-03-10T19:04:22.797+00:00

    Hello @KJ ,

    Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and up-vote it, which might be beneficial to other community members reading this thread. And if you have any further queries, do let us know.

    Thanks,
    Siva
