Risks of using self signed certificate for Azure service principal authentication?

Question

My on-prem script deploys resources in Azure. The script uses a self signed certificate for Azure service principal authentication.

I created the certificate in Keyvault without a Certificate authority. Then I installed the certificate on the script server.

What are the risks of using a self signed certificate, instead of using a certificate with a Certificate authority in this situation?

Answer 1

Microsoft recommends to use self-signed certificate only for testing purposes only as an authentication method for Azure service principal.

https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#option-1-upload-a-certificate

https://learn.microsoft.com/en-us/powershell/module/pkiclient/new-selfsignedcertificate?view=windowsserver2019-ps#description

The correct method for signing a certificate is to use a well-known, trusted third party, a certificate authority (CA). Self-signed certificates have several key limitations/disadvantages:

• Self-signed certificates cannot be revoked.
• Self-signed certificates can never expire.
• Requires a public-key infrastructure (PKI). This can increase the cost of initial deployment in some environments when compared to public-key authentication.
• Self-signed certificates must be placed into Trusted Store in each machine that uses Azure service principal authentication.
• Self-signed certificate is the credential, rather than relying on trust of a certificate authority.

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/self-signed-certificates-secure-so-why-ban/