I am new to Azure, and am trying a very basic scenario: locally authenticate to a registered app using a certificate credential.
The code is as follows:
```csharp
public async Task<QueueClient> GetQueueClientWithSdkWithCertificateCredentials(string storageAccountName, string queueName, string tenantId, string clientId, string certificateBase64Str)
{
    var certificateCredentials = new ClientCertificateCredential(tenantId, clientId, new X509Certificate2(Convert.FromBase64String(certificateBase64Str)));
    var queueClient = new QueueClient(new Uri($"https://{storageAccountName}.queue.core.windows.net/{queueName}"), certificateCredentials);
    var createQueueResponse = await queueClient.CreateAsync();
    if (createQueueResponse.IsError)
    {
        throw new Exception($"Error in creating queue: [{createQueueResponse}]");
    }
    return queueClient;
}
```
`queueClient.CreateAsync` is failing with the error:
Azure.Identity.AuthenticationFailedException: 'ClientCertificateCredential authentication failed: The certificate certificate does not have a private key.
My setup is:
- I created the certificate myself, using openssl as follows:

  ```
  .\openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 120 -nodes -subj "/C=XX/ST=MyDistrict/L=MyTown/O=MyCompany/OU=MyOrg/CN=MyCertificate"
  ```
- I then convert the certificate (cert.pem) to a pfx file so I can properly install it on Windows (checking the "export private key" checkbox so the key icon shows when double-clicking on the certificate to see its details).
- I also make sure it is installed under Trusted Root Certification Authorities, just in case.
- So the certificate is ultimately installed in my Windows local store and looks like

- I then upload the cert.pem file to Azure, under my registered app's Certificates & Secrets screen.
- Then I go to my registered app's Manifests screen, and take the certificate base64 representation I should be using in the Azure SDK API ("value" prop)

Doing all this returns the error mentioned above. What is meant by "The certificate certificate does not have a private key"? I mean, the certificate installed locally does show the key at the bottom, which indicates it DOES have the private key?
What am I missing?
Created a Microsoft Entra ID application and uploaded the certificate:
Exported the PFX certificate on the local machine:
The error "The certificate does not have a private key" usually occurs if you don't pass the private key.
To resolve the error, pass the private key and the certificate path when making use of client certificate authentication.
Modify the code like below to create the Queue using client certificate authentication:
Queue got created successfully:
In the Portal:
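
An added example, not code from the original answer, of the fix described above: the credential is built from the PFX file, which carries the private key, instead of from the base64 of the uploaded `cert.pem`, which holds only the public certificate. The class and method names and the `pfxPath` and `pfxPassword` parameters are assumptions, and the app is assumed to hold a role that permits creating queues.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Storage.Queues;

public static class QueueClientFactory
{
    // pfxPath / pfxPassword are hypothetical parameters: the PFX exported with
    // "export private key" checked, and the password chosen at export time.
    public static X509Certificate2 LoadSigningCertificate(string pfxPath, string pfxPassword)
    {
        // On .NET 9+ X509CertificateLoader.LoadPkcs12FromFile replaces this constructor.
        var certificate = new X509Certificate2(pfxPath, pfxPassword);

        // Fail early with a clear message instead of waiting for
        // AuthenticationFailedException on the first token request.
        if (!certificate.HasPrivateKey)
        {
            string subject = certificate.Subject;
            certificate.Dispose();
            throw new InvalidOperationException(
                $"Certificate '{subject}' has no private key; " +
                "ClientCertificateCredential needs it to sign the client assertion.");
        }
        return certificate;
    }

    public static async Task<QueueClient> GetQueueClientAsync(
        string storageAccountName, string queueName,
        string tenantId, string clientId,
        string pfxPath, string pfxPassword)
    {
        X509Certificate2 certificate = LoadSigningCertificate(pfxPath, pfxPassword);

        // The public certificate uploaded to the app registration only lets
        // Microsoft Entra ID verify the signature made with this private key.
        var credential = new ClientCertificateCredential(tenantId, clientId, certificate);

        var queueClient = new QueueClient(
            new Uri($"https://{storageAccountName}.queue.core.windows.net/{queueName}"),
            credential);

        await queueClient.CreateIfNotExistsAsync();
        return queueClient;
    }
}
```

Keep the PFX and its password out of source control; the private key never needs to be uploaded to Azure for this flow.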