# Login With Certificate

This guide covers certificate generation across different OS environments and the subsequent deployment to Azure.

### **1. Generating Certificates**

**Windows (using PowerShell)**

Windows users can use the native New-SelfSignedCertificate cmdlet. This is the easiest way to generate a certificate compatible with Azure without installing third-party tools.

```powershell
# --- Configuration Variables ---
$CN = "MyCertificateName"
$Password = "YourPassword123"

# 1. Create the certificate
$cert = New-SelfSignedCertificate -Subject "CN=$CN" -CertStoreLocation "Cert:\CurrentUser\My" -NotAfter (Get-Date).AddYears(2)

# 2. Export the Public key
Export-Certificate -Cert $cert -FilePath ".\$CN.cer" | Out-Null

# 3. Export the Private key
Export-PfxCertificate -Cert $cert -FilePath ".\$CN.pfx" -Password (ConvertTo-SecureString $Password -AsPlainText -Force) | Out-Null
```

**macOS & Linux (using OpenSSL)**

Most macOS and Linux distributions come with OpenSSL pre-installed. This method creates a 2048-bit RSA key pair with a self-signed certificate valid for 730 days, then bundles the private key and certificate into a password-protected PFX file.

```bash
# 1. Define your variables (Change these if needed)
CN="MyCertificateName"
PASSWORD="YourPassword123"

# 2. Generate the Key and Certificate using the variables
openssl req -x509 -newkey rsa:2048 -nodes -keyout "${CN}-key.pem" -out "${CN}-cert.pem" -days 730 -subj "/CN=$CN"

# 3. Create the PFX Bundle using the variables
openssl pkcs12 -export -out "${CN}-identity.pfx" -inkey "${CN}-key.pem" -in "${CN}-cert.pem" -passout "pass:$PASSWORD"
```

### **2. Uploading to Azure**

This guide walks you through the process of uploading a certificate to an Azure App Registration for authentication purposes.

#### Prerequisites

* Access to Azure Portal
* An existing App Registration or permissions to create one
* A certificate file (.cer, .pem, or .crt format)

**Step 1: Access Microsoft Entra ID**

1. Navigate to the Azure Portal (portal.azure.com)
2. From the **Azure services** section on the homepage, click on **Microsoft Entra ID**

<figure><img src="/files/cQRNP8O5Xwz0rWghvGHn" alt=""><figcaption><p>Microsoft Entra ID</p></figcaption></figure>

**Step 2: Navigate to App Registrations**

1. In the Microsoft Entra ID overview page, locate the left navigation menu
2. Under the **Manage** section, click on **App registrations**

<figure><img src="/files/qdE63BfaiVNe7GqxQB0E" alt=""><figcaption><p>App registrations</p></figcaption></figure>

**Step 3: Select Your Application**

1. In the App registrations page, you'll see three tabs:
   * All applications
   * Owned applications
   * Deleted applications
2. Use the search box to find your application (e.g., "test-azure-cert")
3. Click on the application name from the search results

<figure><img src="/files/fy8dqEsl4g4Zk6ij3lME" alt=""><figcaption><p>Applications</p></figcaption></figure>

**Step 4: Access Certificates & Secrets**

1. Once in the application details page, locate the left navigation menu
2. Under the **Manage** section, click on **Certificates & secrets**

<figure><img src="/files/6E8FoH9Itf3uQGJjJwJ2" alt=""><figcaption><p>Certificates &#x26; Secrets</p></figcaption></figure>

**Step 5: Upload the Certificate**

1. In the Certificates & secrets page, you'll see three tabs:
   * Certificates
   * Client secrets
   * Federated credentials
2. Ensure you're on the **Certificates** tab
3. Click the **Upload certificate** button

<figure><img src="/files/NkzMkLpZpOSC1y0HgXw0" alt=""><figcaption><p>Certificates Panel</p></figcaption></figure>

**Step 6: Complete the Upload Form**

1. In the "Upload certificate" dialog box:
   * Click the folder icon to browse and select your certificate file
   * Supported file types: .cer, .pem, .crt
   * Enter a **Description** for the certificate (e.g., "test-azure-cert-file")
2. Click **Add** to complete the upload

<figure><img src="/files/8Vh78bp2l0nSNJGp9phn" alt=""><figcaption><p>Upload certificate</p></figcaption></figure>

#### Important Notes

* Certificates can be used as secrets to prove the application's identity when requesting a token
* Certificates can also be referred to as public keys: only the public part (.cer, .pem, or .crt) is uploaded here, while the private key stays in the .pfx on your system
* The certificate count is displayed in parentheses on the Certificates tab (e.g., "Certificates (3)")
* Ensure your certificate is in the correct format before uploading

#### Verification

After successful upload, your certificate will appear in the certificates list with:

* Certificate name
* Expiration date
* Thumbprint
* Status indicator

### 3. Azure Configuration - Certificate Upload

This guide provides step-by-step instructions for configuring the Azure integration in FSProtect using certificate-based authentication.

#### Prerequisites

* Azure tenant credentials (Directory/Tenant ID)
* Azure application credentials (Application/Client ID)
* Certificate file (.pfx or .p12 format)
* Certificate password
* Appropriate Azure permissions (as listed in the Permissions section)

#### Required Azure Permissions

The following permissions are required for Azure configuration:

* **Directory.Read.All** ✓
* **AuditLog.Read.All** ✓
* **Policy.Read.All** ✓
* **RoleManagement.Read.All** ✓
* **OnPremDirectorySynchronization.Read.All** ✓

#### Configuration Steps

**Step 1: Select Region**

1. Locate the **Region** dropdown field
2. Select your Azure region (e.g., "Cloud")

**Step 2: Enter Directory (Tenant) ID**

1. Navigate to the **Directory (Tenant) ID** field
2. Enter your Azure Active Directory Tenant ID
   * This can be found in your Azure Portal under Microsoft Entra ID → Overview

**Step 3: Enter Application (Client) ID**

1. Locate the **Application (Client) ID** field
2. Enter your Azure App Registration Client ID
   * This can be found in your Azure Portal under App registrations → \[Your App] → Overview

**Step 4: Select Authentication Method**

<figure><img src="/files/reTHek607zCeF375sEts" alt=""><figcaption><p>Authentication Method Selection</p></figcaption></figure>

1. Click on the **Authentication Method** dropdown
2. You will see the following options:
   * Certificate (.pfx/.p12)
   * Client Secret
3. **Select "Certificate (.pfx/.p12)"** from the dropdown menu

**Step 5: Enter Certificate Password**

1. After selecting the certificate authentication method, a new field will appear: **Certificate Password**
2. Note the certificate expiration date displayed (e.g., "Expire Date: 11/13/2035, 00:00:00")
3. Enter your certificate password in the **Certificate Password** field
   * Example: "YourPassword123"
4. You can toggle password visibility using the eye icon

**Step 6: Upload Certificate File**

<figure><img src="/files/qiX9ug94pcVuXp7ezJd8" alt=""><figcaption><p>Certificate File Upload</p></figcaption></figure>

1. Locate the **Certificate File** upload section
2. You can upload your certificate in two ways:
   * **Drag and drop**: Drag your certificate file (.pfx or .p12) into the designated area
   * **Click to select**: Click on the upload area to browse and select your certificate file
3. Once uploaded successfully, you will see a confirmation message:
   * **"Certificate file loaded - Drag & drop or click to update"** (displayed in green with a checkmark)

**Certificate File Example**

<figure><img src="/files/T86xfMfMhW0OsSbI5cRb" alt=""><figcaption><p>Example Certificate File</p></figcaption></figure>

Ensure your certificate file has the following characteristics:

* **File format**: .pfx or .p12
* **File type**: Personal Information Exchange
* **Example filename**: myapp-identity.pfx or PnP-Automation-App.pfx

**Step 7: Verify Display Names**

1. **Tenant Display Name**: Verify the tenant name is displayed correctly (e.g., "fsprotect")
2. **App Display Name**: Verify the application name is displayed correctly (e.g., "test-azure-cert")

**Step 8: Test and Save Configuration**

<figure><img src="/files/7y1a8V7xFMDZ6mF65vvY" alt=""><figcaption><p>Password Example and Test Configuration</p></figcaption></figure>

1. Click the **Test** button to validate your configuration
   * This will verify connectivity and authentication with Azure
2. If the test is successful, click the **Save** button to save your configuration

### Troubleshooting Tips

* Ensure your certificate has not expired (check the expiration date)
* Verify the certificate password is correct
* Confirm the certificate file format is .pfx or .p12
* Make sure all required permissions are granted in Azure
* Test the configuration before saving
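As an added example (not part of the FSProtect guide), the script below repeats the OpenSSL generation from section 1 and then runs the checks behind these tips: it confirms the PFX password opens the bundle, computes the SHA-1 thumbprint in the form the Azure portal shows so the uploaded .pem and the .pfx given to FSProtect can be matched, and checks the expiry. The function names and the `TestCert` name are assumptions; it requires openssl 1.1.1 or 3.x.

```bash
#!/usr/bin/env bash
# Added example: generate the identity as the guide does, then verify the files
# before uploading the .pem to Azure and the .pfx to FSProtect.
set -euo pipefail

make_identity() {            # $1 = CN, $2 = PFX password, $3 = validity in days
  local cn="$1" pw="$2" days="$3"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "${cn}-key.pem" \
    -out "${cn}-cert.pem" -days "$days" -subj "/CN=$cn"
  openssl pkcs12 -export -out "${cn}-identity.pfx" -inkey "${cn}-key.pem" \
    -in "${cn}-cert.pem" -passout "pass:$pw"
}

# Thumbprint as the Azure portal displays it: SHA-1 over the DER encoding,
# uppercase hex, no colons. Compare it with the "Thumbprint" column after upload.
thumbprint() {               # $1 = PEM certificate file
  openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//; s/://g'
}

# Thumbprint of the certificate inside the PFX, so the .pem uploaded to Azure and
# the .pfx handed to FSProtect can be confirmed to be the same identity.
pfx_thumbprint() {           # $1 = PFX file, $2 = PFX password
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha1 | sed 's/^.*=//; s/://g'
}

# Returns 0 when the password verifies the PFX MAC, non-zero otherwise
# (the "Verify the certificate password is correct" tip).
pfx_password_ok() {          # $1 = PFX file, $2 = candidate password
  openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# Returns 0 if the certificate is still valid $2 seconds from now
# (the "Ensure your certificate has not expired" tip).
cert_valid_for() {           # $1 = PEM certificate file, $2 = seconds
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}
```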

### Security Best Practices

* Store certificate passwords securely
* Use certificates with appropriate expiration dates
* Regularly rotate certificates before expiration
* Limit permissions to only what is required
* Monitor authentication logs in Azure

### Additional Notes

* Certificate authentication is more secure than client secret authentication: the private key is never sent to Azure, only a signed proof of possession
* The certificate file (.pfx or .p12) remains on your system and is used for authentication
* Always test your configuration before deploying to production
