“Azure AD certificate-based authentication” is not giving certificate popup

admin

I am following this document to setup “certificate based authentication” in Azure AD portal. I have made all the settings mentioned in this document: learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-certificate-based-authentication

But the problem I am facing is: I have a user certificate installed on my windows machine, When I am trying to open Azure Portal, I am not getting any certificate pop-up. CA cert is also uploaded in the Azure portal. I think I am missing some step in certificate generation in following steps:

Prerequisites

Make sure that the following prerequisites are in place:

  1. Configure at least one certification authority (CA) and any intermediate CAs in Azure AD.
  2. The user must have access to a user certificate (issued from a trusted Public Key Infrastructure configured on the tenant) intended for client authentication to authenticate against Azure AD.

The steps that I have followed:

  1. I have generated a self-signed CA certificate using following link:

    openssl req -new -sha256 -key certAuth.key -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=mykey" -out certAuth.csr

    openssl x509 -req -in certAuth.csr -CA certAuth.crt -CAkey certAuth.key -CAcreateserial -out certAuth.crt -days 500 -sha256

  2. I have uploaded only CA certificate and not intermediate CAs in Azure AD. Will it cause any issue?

  3. user certificate is generated using following commands:
    www.golinuxcloud.com/openssl-create-client-server-certificate/#Create_client_certificate

    1) openssl genrsa -out user1.key 4096

    2) openssl req -new -key user1.key -out user1.csr -subj /CN=user1@test.com

    3) openssl x509 -req -in user1.csr -CA certAuth.crt -CAkey certAuth.key -out user1.crt -CAcreateserial -days 365 -sha256 -subj /CN=user1@test.com -extfile openssl.cnf

openssl.cnf file:

[ req ]
default_bits       = 4096
distinguished_name = req_distinguished_name
req_extensions     = v3_req
x509_extensions     = v3_req
[ req_distinguished_name ]
countryName                 = TT
stateOrProvinceName         = TT
localityName               = TT
organizationName           = TT
commonName                 = TT
[ v3_req ]
subjectAltName = @alt_names
[alt_names]
PrincipalName   = user1@test.com

I can see Principal Name as subject Alternative name, Subject is user1@test.com in certificate details(when cert is installed).
There is 1 problem though: when I installed this user cert on windows machine, I can export it’s private key as well. And in other user certificates(generated by other production softwares), private key cannot be exported.

I am not able to get a certificate pop-up with above user1 certificate. “test.com” CA certificate is self signed and installed in certificate authorities.
Am I missing something while certificate generation. There are not steps mentioned in the pre-requisites section of this document: learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-certificate-based-authentication

Can someone please help? I need to utilize this functionality but I am not able to understand what is going wrong in certificate generation.

Read more here: Source link