WowBow

Reputation: 7593

Where can I find details of an X.509 certificate I created locally?

I am a newbie when it comes to authenticating using certificates. Please correct me if my question doesn't make sense.

I created a 2048-bit X.509 certificate locally. I have server.crt, server.key, server.key.org, and mycert.pfx (mycert.pfx contains both the public and private key, and I am using that file in my code).

Now I have a Java application with the following code:

import java.io.InputStream;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import javax.mail.util.SharedFileInputStream;
import com.microsoft.aad.adal4j.AsymmetricKeyCredential;
import com.microsoft.aad.adal4j.AuthenticationContext;
import com.microsoft.aad.adal4j.AuthenticationResult;

public class CertAuth {
    public static void main(String[] args) {
        String tenant = "f6377xxx-aeb2-4a8a-be8a-7xxxxa60be3";
        String authority = "https://login.windows.net/" + tenant + "/oauth2/authorize";
        ExecutorService service = Executors.newFixedThreadPool(1);

        try {
            AuthenticationContext authenticationContext =
                new AuthenticationContext(authority, false, service);
            // PKCS#12 file holding both the certificate and its private key
            String certFile = "/projects/mycert.pfx";
            InputStream pkcs12Cert = new SharedFileInputStream(certFile);

            // client (application) ID of the Azure AD app, the PKCS#12 stream and its password
            AsymmetricKeyCredential credential = AsymmetricKeyCredential.create(
                "xxxx-e53c-45b7-432-7b91d93674b6", pkcs12Cert, "password");

            Future<AuthenticationResult> future = authenticationContext.acquireToken(
                "https://outlook.office365.com", credential, null);

            String token = future.get().getAccessToken();
            System.out.println("Token Received: " + token);
        } catch (Exception e) {
            e.printStackTrace();
        } finally {
            service.shutdown();
        }
    }
}

This code is trying to authenticate to the Office 365 API. For that purpose, I have created an application on Azure with the tenant ID and other information. Now the above code throws the following exception:

com.microsoft.aad.adal4j.AuthenticationException: {"error_description":"AADSTS70002: Error validating credentials. AADSTS50012: Client assertion contains an invalid signature. [Reason - The key was not found., Thumbprint of key used by client: 'H6383KO9763C6E4KIE8363032D6', Configured keys: []]\r\nTrace ID: 76YT3GG-7b8b-JDU73-afeb-JDUEY7372\r\nCorrelation ID: 7H3Y743-a5b7-KD98-88ba-HDUYE7663\r\nTimestamp: 2016-08-31 23:56:50Z","error":"invalid_client"}

The reason is that I don't have the certificate uploaded on the server side (i.e. on the Azure AD app). I followed this tutorial and found a solution that shows I have to download a manifest file, edit it with the certificate and then upload it to the Azure server.

The problem is that I don't know where to get the values for the following keys from the certificate. Can you please tell me where I can find customKeyIdentifier, keyId, and value?

"keyCredentials": [
    {
        "customKeyIdentifier": "$base64Thumbprint_from_above",
        "keyId": "$keyid_from_above",
        "type": "AsymmetricX509Cert",
        "usage": "Verify",
        "value":  "$base64Value_from_above"
    }
],

Upvotes: 1

Views: 2119

Answers (3)

Maxime Pacary

Reputation: 23011

The reason why I got this error (invalid signature... key was not found) is that I was using the wrong client/application ID when I was doing something like:

var adal = require('adal-node');
var authorityURL = '...';
var context = new adal.AuthenticationContext(authorityURL);
// clientId must be the application ID of the Azure AD app whose manifest carries the certificate;
// key is the private key, thumbprint the SHA-1 thumbprint of the uploaded certificate
context.acquireTokenAsync(resourceURL, clientId, key, thumbprint);

Everything else was OK after following this procedure (starting from step 1.1).

Upvotes: 0

shha

Reputation: 1

Shorter C# code for certCustomKeyId and certValue:

using System;
using System.Security.Cryptography.X509Certificates;

String certFile = "/etc/abc/server2.crt";
X509Certificate cert = new X509Certificate();
cert.Import(certFile);

// "value": base64 of the DER-encoded certificate
String certValue = Convert.ToBase64String(cert.GetRawCertData());
Console.WriteLine("Cert value: " + certValue);

// "customKeyIdentifier": base64 of the certificate's SHA-1 hash (its thumbprint)
String certCustomKeyId = Convert.ToBase64String(cert.GetCertHash());
Console.WriteLine("customKeyIdentifier: " + certCustomKeyId);

// "keyId": any freshly generated GUID
Console.WriteLine(" keyId: " + System.Guid.NewGuid());

Upvotes: 0

WowBow

Reputation: 7593

I've found the following source code to generate the key/values in keyCredentials I was looking for. You need to have the certificate generated first, though. Then run the code and your keyCredentials content should be in the keycredentials.txt file.

import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileWriter;
import java.io.IOException;
import java.io.PrintWriter;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.Base64;
import java.util.UUID;
import org.junit.Test;

public class KeyCredentialsTest {

    @Test
    public void testGenerateKeyCredentials() {

        String certFile = "/etc/abc/server2.crt";
        System.out.printf("Generating keyCredentials entry from %s\n", certFile);

        try {
            // Parse the PEM/DER certificate file into an X.509 certificate object
            FileInputStream certFileIn = new FileInputStream(certFile);
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            Certificate cert = cf.generateCertificate(certFileIn);
            certFileIn.close();

            // Generate base64-encoded version of the cert's DER data
            // for the "value" property of the "keyCredentials" entry
            byte[] certData = cert.getEncoded();
            String certValue = Base64.getEncoder().encodeToString(certData);
            System.out.println("Cert value: " + certValue);

            // Generate the SHA-1 hash (thumbprint) of the cert for the
            // "customKeyIdentifier" property of the "keyCredentials" entry
            MessageDigest md = MessageDigest.getInstance("SHA-1");
            md.update(certData);
            String certCustomKeyId = Base64.getEncoder().encodeToString(md.digest());
            System.out.println("Cert custom key ID: " + certCustomKeyId);

            FileWriter fw = new FileWriter("keycredentials.txt", false);
            PrintWriter pw = new PrintWriter(fw);

            // "keyId" is any fresh UUID; Azure AD only requires it to be unique
            pw.println("\"keyCredentials\": [");
            pw.println("  {");
            pw.println("    \"customKeyIdentifier\": \"" + certCustomKeyId + "\",");
            pw.println("    \"keyId\": \"" + UUID.randomUUID().toString() + "\",");
            pw.println("    \"type\": \"AsymmetricX509Cert\",");
            pw.println("    \"usage\": \"Verify\",");
            pw.println("    \"value\": \"" + certValue + "\"");
            pw.println("  }");
            pw.println("],");

            pw.close();

            System.out.println("Key credentials written to keycredentials.txt");
        } catch (FileNotFoundException e) {
            System.out.printf("ERROR: Cannot find %s\n", certFile);
        } catch (CertificateException e) {
            System.out.println("ERROR: Cannot instantiate X.509 certificate");
        } catch (NoSuchAlgorithmException e) {
            System.out.println("ERROR: Cannot instantiate SHA-1 algorithm");
        } catch (IOException e) {
            System.out.println("ERROR: Cannot write to keycredentials.txt");
        }
    }
}

Upvotes: 1
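As an added example (not from the question or any of the answers), the same keyCredentials computation in standard-library Python, together with the check a practitioner wants after an AADSTS50012 error: converting between the hex thumbprint Azure AD quotes as "Thumbprint of key used by client" (40 hex characters for SHA-1; the value in the question's error text is redacted) and the base64 customKeyIdentifier form, so you can tell whether the manifest entry really matches the certificate the client signed with. The PEM body below is a constructed placeholder, not a real certificate; point pem_to_der() at server.crt for real use.

```python
import base64
import hashlib
import json
import re
import uuid

# Constructed stand-in for server.crt: the base64 body is placeholder bytes,
# not a real certificate, so only the pipeline (PEM -> DER -> fields) is real.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MIIBAAECAwQF
-----END CERTIFICATE-----
"""

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """Strip the PEM armour and base64-decode the body into DER bytes."""
    m = PEM_BLOCK.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(m.group(1).split()))


def hex_thumbprint(der):
    """Upper-case hex SHA-1 of the DER: the form the Azure portal and the
    AADSTS50012 error ('Thumbprint of key used by client') display."""
    return hashlib.sha1(der).hexdigest().upper()


def custom_key_id_to_hex(custom_key_identifier):
    """Turn a manifest customKeyIdentifier (base64 SHA-1) into hex for comparison."""
    return base64.b64decode(custom_key_identifier).hex().upper()


def key_credential(der, key_id=None):
    """Build the keyCredentials entry for the Azure AD app manifest:
    customKeyIdentifier = base64(SHA-1(DER)), value = base64(DER),
    keyId = any fresh UUID (generated here unless one is supplied)."""
    return {
        "customKeyIdentifier": base64.b64encode(hashlib.sha1(der).digest()).decode(),
        "keyId": key_id or str(uuid.uuid4()),
        "type": "AsymmetricX509Cert",
        "usage": "Verify",
        "value": base64.b64encode(der).decode(),
    }


def error_thumbprint_matches(der, error_text):
    """True when the thumbprint quoted in an AADSTS50012 message is this cert's;
    False means the client signed with a different certificate than this one."""
    m = re.search(r"Thumbprint of key used by client: '([0-9A-Fa-f]+)'", error_text)
    return bool(m) and m.group(1).upper() == hex_thumbprint(der)


if __name__ == "__main__":
    print(json.dumps({"keyCredentials": [key_credential(pem_to_der(SAMPLE_PEM))]}, indent=2))
```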
