Authenticating to Azure with a certificate from Linux

I'm trying to log in to Azure from a PowerShell Core script using the Az module. This requires a self-signed certificate that has been uploaded to Azure.

I tried creating the certificate with:

openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout /etc/ssl/private/key.pem -out /etc/ssl/private/cert.pem -subj "/C=LV/ST=Some-State/L=LV/O=IT/OU=IT"

and logging in with the thumbprint, but PowerShell gives me this error:

Connect-Azaccount : Unix LocalMachine X509Store is limited to the Root and CertificateAuthority stores.

Not sure what that means.

The problem is similar to this issue: https://github.com/Azure/azure-powershell/issues/8658

but I'm not sure how to interpret the answer there. I have no experience with certificates and only limited experience with Linux.

asusxiao123 answered: Authenticating to Azure with a certificate from Linux

To answer my own question, I finally figured it out. Steps:

#create certs
openssl req -new -x509 -newkey rsa:2048 -keyout localhost.key -out localhost.cer -days 365 -subj /CN=localhost

#create pfx
openssl pkcs12 -export -out localhost.pfx -inkey localhost.key -in localhost.cer

#You will need to specify a password for it
#Now take the generated .cer file and import it in your Azure portal: Azure AD -> App registrations -> the SP you created -> Certificates & secrets. This can also be done with PowerShell.

#import the PFX into your machine's cert store
$StoreName = [System.Security.Cryptography.X509Certificates.StoreName]::My 
$StoreLocation = [System.Security.Cryptography.X509Certificates.StoreLocation]::CurrentUser 
$Store = [System.Security.Cryptography.X509Certificates.X509Store]::new($StoreName,$StoreLocation) 
$Flag = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable 
$Certificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new("path to your pfx","the pfx password you specified on step 2",$Flag) 
$Store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite) 
$Store.Add($Certificate) 
$Store.Close() 

$tenantId = 'look in your azure portal' 
$appId = 'app id of the service principal you created,look in your azure portal'
$thumbprint = $Certificate.Thumbprint

Connect-AzAccount -ApplicationId $appId -Tenant $tenantId -CertificateThumbprint $thumbprint

That's it: with PowerShell Core you will connect to your Azure tenant automatically and non-interactively from a Linux machine or Docker, and you can run every command the SP's role allows. You can reuse the PFX file; only the first time is manual, after that host it somewhere and load it into the script with curl or similar.

Note: I don't know much about certificates or the security of the ones used here; use at your own risk.
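The same four steps as one script, written as an added example (this is not asusxiao123's code and not part of the Az module). It assumes openssl is on PATH, PowerShell 7 with Az.Accounts is installed, and the operator supplies three environment variables, AZ_TENANT_ID, AZ_APP_ID and PFX_PASSWORD (names chosen here), so no secret is typed into the script. The `./certs` paths and the `/CN=az-sp-login` subject are illustrative. The import goes into CurrentUser\My because on Linux .NET only offers LocalMachine for the Root and CertificateAuthority stores, which is the error quoted in the question; the script also refuses a PFX without a private key, warns before the certificate expires, and skips the import when the thumbprint is already in the store.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example, not the original poster's code. Assumed inputs: AZ_TENANT_ID, AZ_APP_ID,
# PFX_PASSWORD environment variables; openssl and Az.Accounts available.
$ErrorActionPreference = 'Stop'
foreach ($name in 'AZ_TENANT_ID', 'AZ_APP_ID', 'PFX_PASSWORD') {
    if (-not (Get-Item "env:$name" -ErrorAction SilentlyContinue)) { throw "Set $name first (assumed operator-supplied)" }
}

$certDir = Join-Path $PWD 'certs'          # illustrative location
New-Item -ItemType Directory -Force -Path $certDir | Out-Null
$keyPath = Join-Path $certDir 'sp.key'
$cerPath = Join-Path $certDir 'sp.cer'
$pfxPath = Join-Path $certDir 'sp.pfx'

# Step 1: self-signed certificate (one year). -nodes keeps the key unencrypted on disk so
# the next step does not prompt; the file permissions below limit who can read it.
& openssl req -new -x509 -newkey rsa:2048 -nodes -keyout $keyPath -out $cerPath -days 365 -subj '/CN=az-sp-login'

# Step 2: bundle key + cert into a PFX; the password is read from the environment by
# openssl itself (env: syntax), so it never appears on the command line.
& openssl pkcs12 -export -out $pfxPath -inkey $keyPath -in $cerPath -passout 'env:PFX_PASSWORD'
& chmod 600 $keyPath $pfxPath
# The .cer is what you upload under the app registration's "Certificates & secrets".

# Step 3: load the PFX and add it to CurrentUser\My (LocalMachine\My is not available on Linux).
$pfxPassword = ConvertTo-SecureString -String $env:PFX_PASSWORD -AsPlainText -Force
$cert = [X509Certificate2]::new($pfxPath, $pfxPassword, [X509KeyStorageFlags]::Exportable)  # flag as in the answer
if (-not $cert.HasPrivateKey) { throw 'PFX contains no private key; Connect-AzAccount cannot sign with it' }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires on $($cert.NotAfter); plan a rotation" }

$store = [X509Store]::new([StoreName]::My, [StoreLocation]::CurrentUser)
$store.Open([OpenFlags]::ReadWrite)
try {
    $existing = $store.Certificates.Find([X509FindType]::FindByThumbprint, $cert.Thumbprint, $false)
    if ($existing.Count -eq 0) { $store.Add($cert) }   # idempotent re-runs
} finally {
    $store.Close()
}
Remove-Item $keyPath   # the key now lives in the store and in the PFX; the loose .key file is not needed

# Step 4: non-interactive login. The thumbprint is the SHA-1 fingerprint in uppercase hex
# without colons, which is exactly what the portal lists for the uploaded .cer.
Write-Host "Thumbprint to compare with the portal: $($cert.Thumbprint)"
Connect-AzAccount -ServicePrincipal -ApplicationId $env:AZ_APP_ID -Tenant $env:AZ_TENANT_ID -CertificateThumbprint $cert.Thumbprint | Out-Null
(Get-AzContext).Account.Id   # shows the app id once the login succeeded
```

Run it once interactively to do the portal upload of `sp.cer` between steps 2 and 3; afterwards the PFX plus the three environment variables are all a container or cron job needs. The script deliberately uses the thumbprint it just computed rather than one copied from the portal, so a mismatch between the uploaded .cer and the imported PFX surfaces as a login failure instead of a silent wrong-certificate situation.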

Link to this post: https://www.f2er.com/3139015.html
