6

When trying to update the manifest file of my Azure AD application, I receive the following error (see screen shot):

Failed to save manifest. Error details: KeyValueMustBeNull

I am attempting to update the 'Value' attribute of the keyCredentials in the manifest, but it will not allow me to do so. It will let me upload a manifest with the Value set, but then it wipes it out and resets it back to null. I have duplicated this problem on both the new Azure Portal and old management portal.

How can I fix it?

Peter Mortensen
  • 30,738
  • 21
  • 105
  • 131
Tracy
  • 680
  • 7
  • 16

3 Answers

3

While the instructions you linked above look similar to this, I would try following these instructions as they have worked for me in the past when trying to add certificates to my application.

Note that this uses the old Azure Management Portal versus the new Azure Portal which it looks like you are using.

Step 0: (If you do not have an X.509 certificate already) Create a self-issued certificate

You can easily generate a self-issued certificate with the makecert.exe tool.

  1. From the command line, run: makecert -r -pe -n "CN=MyCompanyName MyAppName Cert" -b 12/15/2014 -e 12/15/2016 -ss my -len 2048

  2. Open the Certificates MMC snap-in and connect to your user account. Find the new certificate in the Personal folder and export it to a base64-encoded CER file.

Note: Make sure the key length is at least 2048 when generating the X.509 certificate. Shorter key lengths are not accepted as valid keys.

Step 1: Get the base64 encoded cert value and thumbprint from a .cer X509 public cert file using PowerShell

Note: The instructions below show using Windows PowerShell to get properties of an X.509 certificate. Other platforms provide similar tools to retrieve properties of certificates.

    # Load the exported .cer file (base64 or DER) into an X509Certificate2 object.
    # Use a full path: .NET resolves relative paths against its own working
    # directory, which is not always the PowerShell prompt's location.
    $cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $cer.Import("mycer.cer")

    # "value": the raw DER bytes of the certificate, base64-encoded
    $bin = $cer.GetRawCertData()
    $base64Value = [System.Convert]::ToBase64String($bin)

    # "customKeyIdentifier": the SHA-1 thumbprint, base64-encoded (not the hex form shown in MMC)
    $bin = $cer.GetCertHash()
    $base64Thumbprint = [System.Convert]::ToBase64String($bin)

    # "keyId": a fresh GUID that identifies this credential in the manifest
    $keyid = [System.Guid]::NewGuid().ToString()

Store the values for $base64Thumbprint, $base64Value and $keyid, to be used in the next step.

Step 2: Upload cert through the manifest file

  1. Log in to the Azure Management Portal (https://manage.windowsazure.com)

  2. Go to the AAD snap-in and there navigate to the application that you want to configure with an X.509 certificate

  3. Download the application manifest file through the Azure Management Portal

  4. Replace the empty "KeyCredentials": [], property with the following JSON. NOTE: The KeyCredentials complex type is documented here: http://msdn.microsoft.com/en-us/library/azure/dn151681.aspx

     "keyCredentials": [
       {
         "customKeyIdentifier": "$base64Thumbprint_from_above",
         "keyId": "$keyid_from_above",
         "type": "AsymmetricX509Cert",
         "usage": "Verify",
         "value": "$base64Value_from_above"
       }
     ],

    E.g.

     "keyCredentials": [
       {
         "customKeyIdentifier": "ieF43L8nkyw/PEHjWvj+PkWebXk=",
         "keyId": "2d6d849e-3e9e-46cd-b5ed-0f9e30d078cc",
         "type": "AsymmetricX509Cert",
         "usage": "Verify",
         "value": "MIICWjCCAgSgAwIBA***omitted for brevity***qoD4dmgJqZmXDfFyQ"
       }
     ],

  5. Save the change to the application manifest file.

  6. Upload the edited application manifest file through the Azure Management Portal.

  7. Optional: Download the manifest again, and see your X.509 cert is present on the application.

Let me know if you are still getting the same error after these steps.

Peter Mortensen
  • 30,738
  • 21
  • 105
  • 131
Shawn Tabrizi
  • 12,206
  • 1
  • 38
  • 69
  • Hi Shawn, yes those were the instructions I was following when I initially encountered the error. I did also try downloading the manifest, editing, and re-uploading rather than editing in-place and received the same error. – Tracy Jan 19 '17 at 16:04
  • I tried with both new Azure portal and old management portal, and it's occurring in both of them. It does not appear to be related to my permissions either. – Tracy Jan 26 '17 at 20:50
  • 1
    I was seeing this too, I think it's just bad UI design. Once you add the keyCredentials they become immutable and are also not redisplayed to the user when reopening the manifest. But it is stored somewhere for `keyId`. – Eric Anderson Mar 09 '17 at 22:41
  • Oh, I see the problem now. Yes, when you update the manifest with a new cert, the Graph API will return to you Null values as a positive result. You cannot update a key credential once it is stored, and the value will always appear as null when you try and read it. – Shawn Tabrizi Mar 09 '17 at 23:13
  • If it's just a UI issue, why then do the values not show when I download the file locally and open it as well? – Tracy Mar 22 '17 at 20:54
  • @ShawnTabrizi - Sorry, I'm not quite following your response above. Can you elaborate? – Tracy Mar 22 '17 at 22:01
  • It is not a UI issue, this is the behavior of the Graph API. When you query for the Key Credentials on an application, the value of the key credentials will intentionally appear as Null, even though there is data there. – Shawn Tabrizi Mar 22 '17 at 23:10
  • @ShawnTabrizi - Sorry, what do you mean 'query for the Key Credentials on an application'? I'm trying to edit them in the manifest file. – Tracy Mar 23 '17 at 00:02
  • 1
    The manifest editor is simply a glorified JSON editor. The content you see in the manifest editor is the same content you would see if you made a `GET` on the `\applications` endpoint of the Graph API. Since the Graph API does not show any values for Key Credentials (intentionally), the manifest editor will not show any values either. The short of all this is that existing key credentials cannot be MODIFIED. New ones can be added, old ones can be deleted. – Shawn Tabrizi Mar 23 '17 at 00:09
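The following is an added example, not code from the question or from the answer above: a platform-independent equivalent of the PowerShell in Step 1 (base64 DER as `value`, base64 SHA-1 thumbprint as `customKeyIdentifier`, a fresh GUID as `keyId`), plus a small merge helper that applies the rule from the comments, namely that an existing key credential cannot be modified and must keep its null `value`, while new `keyId`s can be added and old ones deleted. The function names, the sample certificate bytes and the manifest fragment are all constructed for this example; the sample bytes are a minimal ASN.1 SEQUENCE, not a real certificate, which is enough because every step treats the file as opaque bytes.

```python
"""Build an Azure AD manifest keyCredentials entry from a certificate file."""
import base64
import hashlib
import json
import re
import uuid
from typing import Optional

# Constructed stand-in for a DER-encoded certificate: ASN.1 SEQUENCE { INTEGER 5 }.
# Not a real certificate; it only exercises the encoding steps.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])

# The same bytes as a base64-encoded .cer (PEM) file, as the MMC export produces.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SAMPLE_DER).decode()
    + "\n-----END CERTIFICATE-----\n"
)


def load_der(data: bytes) -> bytes:
    """Accept either a base64 (PEM) .cer or a binary DER .cer and return the DER bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = re.sub(rb"-----[A-Z ]+-----", b"", data)
        der = base64.b64decode(b"".join(body.split()))
    else:
        der = data
    if not der or der[0] != 0x30:  # every X.509 certificate is a DER SEQUENCE
        raise ValueError("not a DER-encoded certificate")
    return der


def build_key_credential(der: bytes, key_id: Optional[str] = None) -> dict:
    """Mirror Step 1 of the answer above.

    value               = base64(raw DER)         ($base64Value)
    customKeyIdentifier = base64(SHA-1(raw DER))  ($base64Thumbprint)
    keyId               = fresh GUID              ($keyid)
    """
    return {
        "customKeyIdentifier": base64.b64encode(hashlib.sha1(der).digest()).decode(),
        "keyId": key_id or str(uuid.uuid4()),
        "type": "AsymmetricX509Cert",
        "usage": "Verify",
        "value": base64.b64encode(der).decode(),
    }


def merge_key_credentials(existing: list, desired: list) -> list:
    """Return the keyCredentials list to upload.

    Applies the behaviour described in the comments: an entry whose keyId is
    already stored may not change and its value must stay null (the stored
    value is never echoed back, which is what the question's KeyValueMustBeNull
    error is about); new keyIds are added and keyIds absent from `desired`
    are removed.
    """
    stored = {e["keyId"]: e for e in existing}
    result = []
    for entry in desired:
        prior = stored.get(entry["keyId"])
        if prior is None:
            result.append(entry)  # brand-new credential: upload as-is
            continue
        if entry.get("value") is not None:
            raise ValueError(
                f"keyId {entry['keyId']} already exists; its value must remain null. "
                "Delete it and add a new keyId to rotate the certificate."
            )
        for field in ("customKeyIdentifier", "type", "usage"):
            if prior.get(field) != entry.get(field):
                raise ValueError(f"keyId {entry['keyId']} already exists; {field} cannot be modified")
        result.append(prior)  # keep the stored entry untouched
    return result


if __name__ == "__main__":
    cred = build_key_credential(load_der(SAMPLE_PEM.encode()))
    print(json.dumps({"keyCredentials": [cred]}, indent=2))
```

Rotating a certificate therefore means adding a second entry with a new `keyId` alongside the old one and deleting the old entry once the new certificate is in use, never editing the existing entry in place.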
0

I ran into this and the fix was that I was trying to update the customKeyIdentifier. Apparently Azure doesn't like this because the key they have saved doesn't match.

I just copied the keyCredentials out and saved the manifest with the keyCredentials blank and then put the values back in, making sure to change the GUID in the keyID field.

You could probably just change the GUID though.

Peter Mortensen
  • 30,738
  • 21
  • 105
  • 131
Poodimizer
  • 590
  • 1
  • 6
  • 18
0

I used PowerShell to upload the certificate details. It worked for me. Open a PowerShell window and try the following commands.

    Install-Module AzureAD
    Connect-AzureAD

The last command will ask for credentials.

    # Load the public certificate and base64-encode its raw DER bytes
    $cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate
    $cer.Import("Yourcertpath\cername.cer")
    $binCert = $cer.GetRawCertData()
    $credValue = [System.Convert]::ToBase64String($binCert)

    # Add a new key credential to the application; -ObjectId is the application's object id (placeholder below)
    New-AzureADApplicationKeyCredential -ObjectId 46xxx45e-xxxx-xxx-xxxx-xxxxxxxxxxx -Type AsymmetricX509Cert -Value $credValue -Usage Verify

Remember to replace the object id with the object id of your AD application.

Peter Mortensen
  • 30,738
  • 21
  • 105
  • 131
SRIDHARAN
  • 1,196
  • 1
  • 15
  • 35