PadillaHenry-6154 asked ·

How to use New-AzADSpCredential to add certificate credentials

I am using App Registrations to deploy resources and the certificate is expiring. I am trying to write a script to add a new cert to extend the life of this Service Principal but no matter who I login as (myself, a colleague, the Service Principal itself) I get the following error:

New-AzADSpCredential : Insufficient privileges to complete the operation.
At X:\XXX\XXXX\XXXXX\Add-NewDmfCertificate.ps1:496 char:63
+ ... cipalName | New-AzADSpCredential -CertValue $credValue -StartDate $ce ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [New-AzADSpCredential], Exception
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.ActiveDirectory.NewAzureADSpCredentialCommand

azure-ad-app-registration

@PadillaHenry-6154 I just wanted to check If below answer worked for you. If it helped, please accept as answer to help other members in community.

amanpreetsingh-msft answered ·

@PadillaHenry-6154 You need to use the commands below for this purpose:

  1. Copy the certificate at C:\temp\cert.cer or specify your certificate path in step 6.

  2. Copy the Object ID of the App where you want to add the certificate. You would need this in the last command.

  3. Open PowerShell as administrator and run Install-Module AzureADPreview. If this module is already installed, you can skip this step.

  4. Run Connect-AzureAD and login with a user who has Global Administrator or Application Administrator role.

  5. $cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 #create a new certificate object

  6. $cer.Import("C:\temp\cert.cer")

  7. $bin = $cer.GetRawCertData()

  8. $base64Value = [System.Convert]::ToBase64String($bin)

  9. $bin = $cer.GetCertHash()

  10. $base64Thumbprint = [System.Convert]::ToBase64String($bin)

  11. $keyid = [System.Guid]::NewGuid().ToString()

  12. New-AzureADApplicationKeyCredential -ObjectId 37fe33f9-xxxx-xxxx-xxxx-xxxxxxxxxxxx -CustomKeyIdentifier $base64Thumbprint -Type AsymmetricX509Cert -Usage Verify -Value $base64Value -StartDate $cer.GetEffectiveDateString()


Please "mark as answer" or "vote as helpful" wherever the information provided helps you to help others in the community.
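The answer above adds the key credential on the application object with the AzureADPreview module. The questioner is using the Az module and New-AzADSpCredential, which targets the service principal object instead, so here is the same rotation written for Az. This is an added example, not code from the answerer or from Microsoft; it assumes Az.Accounts and Az.Resources are installed, that the signed-in account is an owner of the service principal or holds a directory role such as Application Administrator (the "Insufficient privileges" error in the question is what you get otherwise), and that the object ID and certificate path are placeholders to be replaced. It uploads only the public certificate, refuses a file that carries a private key, and lists the credentials already present so the old one can be tracked and removed once the deployment pipeline has switched over.

```powershell
# Added example (not from the original answer): add a certificate credential to a
# service principal with the Az modules.
# Assumptions: Az.Accounts and Az.Resources are installed; the signed-in account has
# rights on the service principal; the two parameter defaults below are placeholders.

param(
    # Public certificate only (.cer exported without the private key), never the .pfx.
    [string]$CertPath = 'C:\temp\cert.cer',
    # Placeholder: object ID of the *service principal* (Enterprise application),
    # which is a different object from the app registration's object ID.
    [string]$ServicePrincipalObjectId = '00000000-0000-0000-0000-000000000000'
)

Connect-AzAccount | Out-Null

# Load the certificate through the constructor. This works in Windows PowerShell 5.1
# and PowerShell 7 alike, whereas X509Certificate2.Import() is obsolete on newer .NET.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)

# Defensive checks: never upload private key material, and do not rotate onto a
# certificate that is itself about to expire.
if ($cert.HasPrivateKey) {
    throw "Refusing to upload a file that carries a private key; export the public .cer only."
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    throw "Certificate $($cert.Thumbprint) expires on $($cert.NotAfter); issue a fresh one before rotating."
}

# -CertValue takes the base64-encoded DER certificate, the same value the AzureAD
# cmdlet in the answer passes as -Value.
$certValue = [System.Convert]::ToBase64String($cert.GetRawCertData())

# Show what is already on the service principal so the expiring credential can be
# identified and removed (Remove-AzADSpCredential -KeyId ...) after the cut-over.
Write-Host "Existing credentials on $($ServicePrincipalObjectId):"
Get-AzADSpCredential -ObjectId $ServicePrincipalObjectId | Format-Table -AutoSize

# Add the new credential. Start and end dates come from the certificate itself so the
# credential cannot outlive the certificate it is bound to.
$newCred = New-AzADSpCredential -ObjectId $ServicePrincipalObjectId `
    -CertValue $certValue `
    -StartDate $cert.NotBefore `
    -EndDate   $cert.NotAfter

Write-Host "Added credential KeyId $($newCred.KeyId) (thumbprint $($cert.Thumbprint)), valid until $($cert.NotAfter)."
```

If the certificate must be attached to the app registration rather than to the service principal (which is what the New-AzureADApplicationKeyCredential step in the answer does), the Az equivalent is New-AzADAppCredential with -ObjectId or -ApplicationId and the same -CertValue, -StartDate and -EndDate parameters; either way, run the script under an account that is an owner of the object or holds the role the answer names, since the permission check is on the caller, not on the certificate.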


MarcKassay-8334 answered ·

cross-post; on Stack Overflow
