Update Azure.ps1 | Support for Linux CertThumbprints #596
base: main
Conversation
Believe it or not, there is a way to add certs to Linux systems using PowerShell. However, this method does not present the PS-drive provider Microsoft.PowerShell.Security\Certificate. So the current Azure plugin code checking if the cert is there using cert:\ doesn't work. I left existing code and just added a "well you didn't find it, try these two new methods" sort of code. Technically I am pretty sure my method would work in Windows, but I don't have the time to test (I use a Mac anyways). Anyone is welcome to take what I did and make it better. Anyone wanting to import a cert in Linux can use this example code:

```powershell
# Import the PFX into your machine's cert store (CurrentUser\My)
$StoreName = [System.Security.Cryptography.X509Certificates.StoreName]::My
$StoreLocation = [System.Security.Cryptography.X509Certificates.StoreLocation]::CurrentUser
$Store = [System.Security.Cryptography.X509Certificates.X509Store]::new($StoreName, $StoreLocation)

# Exportable lets the private key be re-exported later; drop the flag if that is not wanted
$Flag = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable

# Prompt for the password so it never lands in shell history as plain text
$password = Read-Host -Prompt "Enter the password for the PFX file" -AsSecureString

# Load the PFX (certificate plus private key) with the given password and storage flags
$Certificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new("./something.pfx", $password, $Flag)

# Open the store for writing, add the cert, and close the handle again
$Store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$Store.Add($Certificate)
$Store.Close()

Write-Host "Certificate installed: " $Certificate.Thumbprint
```
Interesting. I swear the last time I looked at this, the X509Store related stuff didn't work on Linux... or maybe it just didn't fully work? It would have been way back in PowerShell 6/.NET Core 2 days though. This SO question seems to imply maybe the LocalMachine store is read-only. Out of curiosity, what do you have that actually put your Azure auth cert into the .NET cert store on Linux? Or is that just what the native Azure modules do now? In any case, I'll try to find some time to muck around with this. More options for non-Windows is always good.
I just tested it with su rights and you're right, I get this error when trying to add to the LocalMachine store:
I was being presumptuous that since CurrentUser worked, so would LocalMachine. This is my first PR so I have no idea what the best way would be to edit the code and resubmit (I would just remove the block for LocalMachine). I discovered this method (of creating a CurrentUser store) as part of the process of just getting Connect-AzAccount working. I had to manually make the PFX, upload it to the Azure portal under the SPN app registration, then import it using the code mentioned in the PR. Once set, Connect-AzAccount works great. That is when I discovered it didn't work in the plugin, hence the PR to make it so. I did test the changes locally and it did work for me using CurrentUser. Hope that helps!
For the purposes of this change, the LocalMachine store being read-only might still be ok since the code is only reading the certs. In general though, updating a PR's code is just a matter of adding commits to the repo/branch the PR is referencing. In any case, I'm still curious about how the LocalMachine store functions. One of those SO answers claims it's looking in the CentOS default cert locations that normally hold PEM-formatted files:
So I wonder if just manually copying your cert files to the right place would effectively add them to the LocalMachine store's view.
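The lookup the PR is after (find a cert by thumbprint without relying on the cert:\ drive, trying CurrentUser and then LocalMachine) and the read-only behaviour of the Linux LocalMachine store discussed above can be handled in one function. The following is an added example written for this thread, not code from the PR or the plugin; the function name, parameters and the sample thumbprint are assumptions, and it opens each store read-only so the LocalMachine write failure reported above never comes into play.

```powershell
# Added example, not part of the PR. Looks up a certificate by thumbprint through
# System.Security.Cryptography.X509Certificates directly, which works on Linux,
# macOS and Windows alike, instead of through the cert:\ provider.
function Find-CertificateByThumbprint {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Thumbprint,

        # Search order: CurrentUser first (the store the PR's import targets),
        # then LocalMachine, which on Linux can be opened read-only but not written.
        [System.Security.Cryptography.X509Certificates.StoreLocation[]]$Locations = @('CurrentUser', 'LocalMachine'),

        [System.Security.Cryptography.X509Certificates.StoreName]$StoreName = 'My'
    )

    # Thumbprints copied from the Azure portal or openssl often carry spaces,
    # colons and mixed case; strip everything that is not a hex digit.
    $wanted = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($wanted.Length -ne 40 -and $wanted.Length -ne 64) {
        throw "Thumbprint '$Thumbprint' does not look like a SHA-1 or SHA-256 thumbprint"
    }

    foreach ($location in $Locations) {
        $store = [System.Security.Cryptography.X509Certificates.X509Store]::new($StoreName, $location)
        try {
            # ReadOnly is all a lookup needs; OpenExistingOnly avoids creating an
            # empty store directory as a side effect of merely checking for a cert.
            $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly -bor
                        [System.Security.Cryptography.X509Certificates.OpenFlags]::OpenExistingOnly)
        }
        catch {
            Write-Verbose "Could not open $location\$StoreName : $($_.Exception.Message)"
            continue
        }
        try {
            # validOnly = $false so an expired cert is still reported; the caller can
            # then give a precise error instead of a generic "not found".
            $found = $store.Certificates.Find(
                [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint,
                $wanted,
                $false)
            if ($found.Count -gt 0) {
                $cert = $found[0]
                # Service-principal auth needs the private key; surface its absence early.
                if (-not $cert.HasPrivateKey) {
                    Write-Warning "Found $($cert.Thumbprint) in $location\$StoreName but it has no private key"
                }
                Write-Verbose "Found $($cert.Thumbprint) in $location\$StoreName (NotAfter=$($cert.NotAfter))"
                return $cert
            }
        }
        finally {
            $store.Close()
        }
    }
    return $null
}

# Usage (thumbprint below is a constructed placeholder, not a real certificate):
$cert = Find-CertificateByThumbprint -Thumbprint '00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33' -Verbose
if (-not $cert) {
    throw "Certificate not found in CurrentUser\My or LocalMachine\My"
}
```

Opening with ReadOnly is the important choice for the plugin's case: the thread shows that writing to LocalMachine fails on Linux, but a read-only open of the same store succeeds, so a lookup can still fall through to it after CurrentUser comes up empty.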
Believe it or not, there is a way to add certs to Linux systems using PowerShell. However, this method does not present the PS-drive provider Microsoft.PowerShell.Security\Certificate. So the current Azure plugin code checking if the cert is there using cert:\ doesn't work. I left existing code and just added a "well you didn't find it, try these two new methods" sort of code. Technically I am pretty sure my method would work in Windows, so it might be worth swapping to just that in the future, but I can't fully test it. Anyone is welcome to take what I did and make it better. Anyone wanting to import a cert in Linux can use this example code: