Azure DevOps ARM Service Connection using certificate

This blogpost will be a quick howto for configuring an Azure Resource Manager (ARM) Service Connection in Azure DevOps, using a Service Principal with a certificate. Why should you use a certificate instead of a secret? It is more secure, that’s it.

First, we need to create our app registration in Azure AD. Start by going to App registrations and clicking + New registration.

Give it a name and click Register.

Remember that you can create the app registration in one tenant and use it to access resources in other tenants, as a multi-tenant app. Very useful in a service provider scenario.

After creating the app registration, we need to create a certificate by using PowerShell (must be run as administrator) and openssl.

# Create self signed certificate
$selfsignedcert = New-SelfSignedCertificate -DnsName "example.goodworkaround.com" -KeyExportPolicy Exportable

# Export the certificate with private key as PKCS#12 with no password.
# Write the raw bytes: a Base64 text file is not a PFX and openssl cannot read it.
$pfxBytes = $selfsignedcert.Export("Pkcs12")
[System.IO.File]::WriteAllBytes((Join-Path $PWD "mycert.private.pfx"), $pfxBytes)

# Store the certificate public key as DER .cer - this is the file that gets uploaded to the app registration
[System.IO.File]::WriteAllBytes((Join-Path $PWD "mycert.public.cer"), $selfsignedcert.Export("Cert"))

# Generate PEM (unencrypted private key + certificate) using openssl - a PS native would be nice... 😦
& openssl pkcs12 -in .\mycert.private.pfx -nodes -password "pass:" -out .\mycert.private.pem

After this has been done, we have two files that we need – mycert.private.pem and mycert.public.cer. I think you know which file is which key… Anyway, back to the app registration, go to Certificates & secrets and upload our public key:

After uploading the public key, it should look something like this:

We can now grant the required permissions to our service principal, by granting owner permission or another permission the service connection needs. Won’t go into details here, but I granted the service principal the owner permission on a subscription:

Next, after successfully granting our service principal permission to a part of our Azure governance structure (a subscription in this case), we are ready to create a new service connection:

Choose Service principal (manual) and click Next.

Complete the fields required, with the service principal id being the client id of the app registration:

Select Certificate and paste the contents of the PEM file into the Certificate input field, set the correct tenant id and verify. Voila!

This is a full example of a PEM file, which is valid and works in Azure DevOps:

Bag Attributes
    Microsoft Local Key set: <No Values>
    localKeyID: 01 00 00 00
    friendlyName: te-d50e9949-943b-4fd7-9da1-f70602e1c9a1
    Microsoft CSP Name: Microsoft Software Key Storage Provider
Key Attributes
    X509v3 Key Usage: 90
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
Bag Attributes
    localKeyID: 01 00 00 00
subject=CN = example.goodworkaround.com
issuer=CN = example.goodworkaround.com
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

So, a little more hassle than it should be.
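As an added example (not from the original post), here is a PowerShell 7 version of the same procedure that produces both files natively, without openssl, and adds the check I would run before pasting: that the PEM's key really belongs to the certificate whose thumbprint the app registration shows. The function and file names are mine; the subject matches the post, and the key usage is restricted to signing since that is all a client-credential assertion needs.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function New-ServiceConnectionCertificate {
    param(
        [string]$Subject = 'CN=example.goodworkaround.com',  # same subject as the post
        [int]$ValidYears = 1,                                 # short lifetime; rotate rather than extend
        [string]$OutDir = $PWD
    )
    $rsa = [RSA]::Create(2048)
    try {
        $req = [CertificateRequest]::new($Subject, $rsa, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
        # Signing only: the service principal never encrypts with this key
        $req.CertificateExtensions.Add([X509KeyUsageExtension]::new([X509KeyUsageFlags]::DigitalSignature, $true))
        $notBefore = [DateTimeOffset]::UtcNow.AddMinutes(-5)
        $cert = $req.CreateSelfSigned($notBefore, $notBefore.AddYears($ValidYears))

        # Public part only (DER .cer): this is what gets uploaded under Certificates & secrets
        $cerPath = Join-Path $OutDir 'mycert.public.cer'
        [IO.File]::WriteAllBytes($cerPath, $cert.Export([X509ContentType]::Cert))

        # Unencrypted PKCS#8 key + certificate: the PEM pasted into the service connection.
        # Azure DevOps needs the key in the clear, so delete this file once it has been pasted.
        $keyB64 = [Convert]::ToBase64String($rsa.ExportPkcs8PrivateKey(), 'InsertLineBreaks')
        $crtB64 = [Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks')
        $pem = "-----BEGIN PRIVATE KEY-----`n$keyB64`n-----END PRIVATE KEY-----`n" +
               "-----BEGIN CERTIFICATE-----`n$crtB64`n-----END CERTIFICATE-----`n"
        $pemPath = Join-Path $OutDir 'mycert.private.pem'
        [IO.File]::WriteAllText($pemPath, $pem)

        [pscustomobject]@{ Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter; CerPath = $cerPath; PemPath = $pemPath }
    } finally { $rsa.Dispose() }
}

# Pre-paste check: the PEM must parse as a matching key/cert pair, carry the thumbprint the
# portal shows for the uploaded .cer, and not be expired. Catches a mixed-up file pair early.
function Test-ServiceConnectionPem {
    param([string]$PemPath, [string]$ExpectedThumbprint)
    # Same file holds both sections; CreateFromPemFile throws if the key does not match the cert
    $cert = [X509Certificate2]::CreateFromPemFile($PemPath)
    if ($cert.Thumbprint -ne $ExpectedThumbprint) { throw "Thumbprint mismatch: $($cert.Thumbprint)" }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired $($cert.NotAfter)" }
    $cert.HasPrivateKey
}

$c = New-ServiceConnectionCertificate
Test-ServiceConnectionPem -PemPath $c.PemPath -ExpectedThumbprint $c.Thumbprint
```

Compare the thumbprint printed by New-ServiceConnectionCertificate with the one shown next to the uploaded certificate in the app registration before creating the service connection.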
