Tags: powershell, graph, certificate

Unable to authenticate to graph using cert based authentication


I am unable to authenticate to graph using cert based authentication. An app registration has been created and the related .cer file has been attached. The linked .pfx file has been placed on the Core server that I wish to authenticate to graph on with my scripts. The PFX file has been imported to the local machine store (this was to avoid an issue with the local user store (more below)). I now am trying to move the cert to the local user store using move item with no success. Longer explanation and example code below.


I originally attempted to upload the certificate to the local user store but have been forced to load the certificate into the local machine store instead as the local user store advises it needs a UI (Trust popup from what I have researched). After this I needed to remove all special characters from the password to import the certificate successfully to the local cert store (just plain characters used). Once these two changes had been made the certificate imports successfully. However I cannot use this certificate to authenticate, apparently because connect-mggraph cannot use local machine store certificates. After this I tried to move-item the certificate but was unable to do so and I am at a loss on how to achieve this.

Example Code:

# Import variables.
$mypwstring = 'password'
$certpath = 'C:\etc\certname.pfx'
# Target store for the import (Root is the Trusted Root CA store; My is the personal store).
$certstore = 'Cert:\LocalMachine\Root'
$certpw = ConvertTo-SecureString -String $mypwstring -AsPlainText -Force

# Import the PFX (certificate plus private key) into the chosen machine store.
Import-PfxCertificate -FilePath $certpath -CertStoreLocation $certstore -Password $certpw

# Graph connection variables.
$tenantid = 'mytenantidhere'
$clientid = 'myclientidhere'
$certthumb = 'mycertthumbprinthere'

# App-only authentication: Connect-MgGraph looks the certificate up by thumbprint.
Connect-MgGraph -TenantId $tenantid -ClientId $clientid -CertificateThumbprint $certthumb

I would like to know how I can successfully move the certificate to the user cert store to effectively authenticate (if this is in fact the solution as I am unsure at this point).

I am unable to access any kind of GUI as this is a core installation and I am unable to simply create the certificate on the server as a rebuild will remove the .pfx file stored for the app registration, triggering another manual creation of a certificate to then upload to the app registration.

Any other solutions would be greatly appreciated; I've been down the rabbit hole all day and I'm likely overlooking a more obvious solution.


Solution

  • I now am trying to move the cert to the local user store using move item with no success ... I would like to know how i can successfully move the certificate to the user cert store ...

    Sure. Here's how to accomplish that: first copy the certificate from the source store to the target store, then remove the certificate from the source store after it has been copied...

    # Get certificate from source store...
    $thumbprint = '3128343836ad3d9027952e76a3989b34267eb514'
    $cert = Get-ChildItem -Path "cert:\LocalMachine\My\$thumbprint"
    
    # Copy certificate to target store...
    $targetStore = [System.Security.Cryptography.X509Certificates.X509Store]::new('My', 'CurrentUser')
    $targetStore.Open('ReadWrite')
    try {
        $targetStore.Add($cert)
    } catch {
        Write-Warning -Message "Error adding cert to target store: $($_.Exception.Message)"
    } finally {
        $targetStore.Close()
    }
    
    # Remove certificate from source store, if successfully copied above...
    if ((Test-Path -Path "cert:\CurrentUser\My\$thumbprint")) {
        $sourceStore = [System.Security.Cryptography.X509Certificates.X509Store]::new('My', 'LocalMachine')
        $sourceStore.Open('ReadWrite')
        try {
            $sourceStore.Remove($cert)
        } catch {
            Write-Warning -Message "Error removing cert from source store: $($_.Exception.Message)"
        } finally {
            $sourceStore.Close()
        }
    }
    

    Hope this is helpful.
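An alternative that avoids the machine-store round trip altogether is to load the PFX straight into CurrentUser\My with .NET and hand the certificate object to Connect-MgGraph rather than relying on a thumbprint lookup. The script below is an added example, not code from the question or the answer above. It assumes the PFX is protected only by its password, that the Microsoft.Graph.Authentication module is installed, and uses placeholder values for the file path, tenant ID, client ID and expected thumbprint.

```powershell
# Added example (not the poster's or answerer's code): import a PFX into the current user's
# personal store without a GUI, verify it, and authenticate to Graph with the certificate object.
param(
    [string]$PfxPath            = 'C:\etc\certname.pfx',                        # placeholder
    [string]$TenantId           = '00000000-0000-0000-0000-000000000000',       # placeholder
    [string]$ClientId           = '00000000-0000-0000-0000-000000000000',       # placeholder
    [string]$ExpectedThumbprint = 'PLACEHOLDER_THUMBPRINT'                      # placeholder
)

$ErrorActionPreference = 'Stop'

# Prompt for the PFX password instead of embedding it in the script; Read-Host works in a
# console-only (Server Core) session, so no GUI is involved.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Persist the private key into the *user* key store. Exportable is deliberately not set, so the
# key cannot be exported from the store again once imported.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::UserKeySet -bor
         [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet
$cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $pfxPassword, $flags)

# Sanity checks before the certificate is used for authentication.
if (-not $cert.HasPrivateKey) { throw "PFX at $PfxPath contains no private key." }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }
if ($ExpectedThumbprint -ne 'PLACEHOLDER_THUMBPRINT' -and $cert.Thumbprint -ne $ExpectedThumbprint) {
    throw "Thumbprint $($cert.Thumbprint) does not match the expected value."
}

# Add to Cert:\CurrentUser\My (the personal store) unless it is already there.
$store = [System.Security.Cryptography.X509Certificates.X509Store]::new('My', 'CurrentUser')
$store.Open('ReadWrite')
try {
    if (-not ($store.Certificates | Where-Object Thumbprint -eq $cert.Thumbprint)) {
        $store.Add($cert)
    }
} finally {
    $store.Close()
}

# App-only authentication with the certificate object itself; no store lookup by Connect-MgGraph.
Connect-MgGraph -TenantId $TenantId -ClientId $ClientId -Certificate $cert

# Confirm the session is for the expected app and is app-only.
$ctx = Get-MgContext
'Connected as app {0} in tenant {1} (auth type: {2})' -f $ctx.ClientId, $ctx.TenantId, $ctx.AuthType
```

Two points worth noting from a least-privilege standpoint: the question's script imports into Cert:\LocalMachine\Root, which is the Trusted Root Certification Authorities store, so a client-authentication certificate placed there also becomes a trust anchor for the whole machine; the personal store (My) is where a certificate with a private key belongs. Importing directly into the user's personal store, as above, also keeps the private key in that user's key container instead of the machine container, so only that account (and local administrators) can use it to obtain Graph tokens.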