
Note: This question is specific to OAuth2 and Azure AD. I am not asking about securing SSL communications. In this case the certificate is not used to encrypt anything and is not part of any communication protocol. It is used in a similar way to a password. (Which, to my understanding, means it is not something that can be hit by a man-in-the-middle attack.)

I am setting up my applications to authenticate with Azure AD. One of the options that Azure AD supports is the use of a certificate in place of a Client Secret string for OAuth authentication.

One of the documentation pages seems to indicate that using a self-signed certificate for this is a bad idea in production.

But I am curious why?

I upload the public key of my self-signed certificate to my Application Page in Azure AD. Then my actual application uses the private key when it authenticates with Azure AD. Both sides of the communication are known and controlled by me.

Does a self-signed certificate somehow provide less protection in this case?

Vaccano
  • Also https://stackoverflow.com/questions/45361131/when-is-it-acceptable-to-use-self-sign-cert-in-production – TylerH Oct 26 '22 at 17:48
  • And https://stackoverflow.com/questions/14463492/is-self-signed-and-or-expired-https-certificates-worse-than-just-using-http – TylerH Oct 26 '22 at 17:48
  • Finally: https://stackoverflow.com/questions/23923810/is-it-safe-to-accept-self-signed-certificates – TylerH Oct 26 '22 at 17:49
  • PS, the Azure AD part of this is not particularly relevant. The relevant part is whether you are using self-signed certs or certs from a trusted publisher. This may be the best target, honestly: [SSL and man-in-the-middle misunderstanding](https://stackoverflow.com/questions/14907581/ssl-and-man-in-the-middle-misunderstanding) – TylerH Oct 26 '22 at 17:51
  • First, I'll mention that I'm the one that submitted a request to Microsoft to update this page's documentation on why the self-signed certificate is not recommended. However, I'm not sure about their response, mainly as there's no domain name verification being done in this usage, and authentication is strictly between Azure AD and the application. – scottwtang Oct 26 '22 at 17:57
  • @TylerH - To my understanding, the certificate is not used to secure the actual communication (there is another certificate doing that). It is used as a password once the communication is able to reach the server. As such, I don't see how a man-in-the-middle attack could be done based off the "password" certificate. (Obviously if the SSL certificate is not secure, then that is a different situation and could easily result in a man-in-the-middle attack.) – Vaccano Oct 26 '22 at 18:03

0 Answers