
$openssl = 'C:\Program Files\OpenSSL-Win64\bin\openssl.exe'

# Working directory for the CA plus the database files that "openssl ca" expects
# (the ?: ternary below needs PowerShell 7 or newer)
!(Test-Path "ca") ? (mkdir "ca" | Out-Null) : $null
!(Test-Path "ca/ca.db.certs") ? (mkdir "ca/ca.db.certs" | Out-Null) : $null
Set-Content -Path "ca/ca.db.index" -Value ""
Set-Content -Path "ca/ca.db.serial" -Value "1234"

# Generate a 4096-bit RSA private key for the CA (passphrase-protected with 3DES)
& $openssl genrsa -des3 -out ca/ca.key 4096

# Create a self-signed X509 certificate for the CA (the user CSRs will be signed with it)
& $openssl req -new -x509 -days 10000 -key ca/ca.key -out ca/ca.crt

We will then have a folder structure that looks something like this:

The ca.crt file is our public key that we should upload to Azure AD. Let's do that using the Microsoft Graph endpoint:

# The UPN of the Azure AD user the certificate is issued for (the value did not survive on the page)
$userPrincipalName = '<user principal name>'
$openssl = 'C:\Program Files\OpenSSL-Win64\bin\openssl.exe'

# Create a key and a certificate request that carries the UPN as an otherName in subjectAltName
& $openssl req -new -sha256 -newkey rsa:4096 -nodes -keyout "$userPrincipalName-key.pem" -out "$userPrincipalName-req.pem" -subj "/C=NO/ST=Oslo/L=Oslo/O=Good Workaround/OU=IT/CN=$userPrincipalName" -addext "subjectAltName=otherName:msUPN;UTF8:$userPrincipalName"

# The same request with the msUPN OID (1.3.6.1.4.1.311.20.2.3) spelled out instead of the short name
& $openssl req -new -sha256 -newkey rsa:4096 -nodes -keyout "$userPrincipalName-key.pem" -out "$userPrincipalName-req.pem" -subj "/C=NO/ST=Oslo/L=Oslo/O=Good Workaround/OU=IT/CN=$userPrincipalName" -addext "subjectAltName=otherName:1.3.6.1.4.1.311.20.2.3;UTF8:$userPrincipalName"

# Sign the request with the CA. ca.conf (not shown here) must set copy_extensions = copy,
# otherwise "openssl ca" drops the subjectAltName from the request and the issued certificate has no UPN.
# The output file name was lost from the page.
& $openssl ca -md sha256 -config ca.conf -out "$" -infiles "$userPrincipalName-req.pem"

# Bundle the private key and the issued certificate into a PFX that can be imported locally
& $openssl pkcs12 -inkey "$userPrincipalName-key.pem" -in "$" -export -out "$userPrincipalName.pfx"

After running this, we now have a pfx file that we can import locally:

We should see that the SAN field contains "Principal Name":

After we type our username, we get Sign in with a certificate as an option.

After clicking, we are told to choose which certificate to use when authenticating towards :

And for some reason it fails the first time:

before it works after clicking Sign in with a certificate the second time…

That might be a public preview issue, or something to do with my certificate configuration – I don't know, but we got it working!

Let us now have a look at what happens behind the scenes. When clicking the Sign in with a certificate link, the following happens:

There are a lot of parameters sent out to this endpoint, already discovered apparently:

And we get information about the certificate authentication, and a lot of other things:

"apiCanary": "AQABAAAAAAD-DLA3VO7Q.36IjDyl96Z4yTQi3IiAA"
"FlowToken": "AQABAAEAAAD-DLA3VO7Q.D8VmBUct-YdmhU7iLRpSAA",

The FlowToken is then sent to the url found in CertAuthUrl, as well as a ctx token (for tracking purposes, I believe):

There is no response at all, other than 200 OK, so I am guessing there is some kind of backend call happening that informs Azure AD about the successful authentication, and the FlowToken is what identifies our browser session.
