"Azure AD certificate-based authentication" is not giving certificate popup

Question

I am following this document to setup "certificate based authentication" in Azure AD portal. I have made all the settings mentioned in this document: https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-certificate-based-authentication

But the problem I am facing is: I have a user certificate installed on my windows machine, When I am trying to open Azure Portal, I am not getting any certificate pop-up. CA cert is also uploaded in the Azure portal. I think I am missing some step in certificate generation in following steps:

Prerequisites

Make sure that the following prerequisites are in place:

1. Configure at least one certification authority (CA) and any intermediate CAs in Azure AD.
2. The user must have access to a user certificate (issued from a trusted Public Key Infrastructure configured on the tenant) intended for client authentication to authenticate against Azure AD.

The steps that I have followed:

1. I have generated a self-signed CA certificate using following link:

   openssl req -new -sha256 -key certAuth.key -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=mykey" -out certAuth.csr

   openssl x509 -req -in certAuth.csr -CA certAuth.crt -CAkey certAuth.key -CAcreateserial -out certAuth.crt -days 500 -sha256

2. I have uploaded only CA certificate and not intermediate CAs in Azure AD. Will it cause any issue?

3. user certificate is generated using following commands: https://www.golinuxcloud.com/openssl-create-client-server-certificate/#Create_client_certificate

   1) openssl genrsa -out user1.key 4096

   2) openssl req -new -key user1.key -out user1.csr -subj /CN=user1@test.com

   3) openssl x509 -req -in user1.csr -CA certAuth.crt -CAkey certAuth.key -out user1.crt -CAcreateserial -days 365 -sha256 -subj /CN=user1@test.com -extfile openssl.cnf

openssl.cnf file:

[ req ]
default_bits       = 4096
distinguished_name = req_distinguished_name
req_extensions     = v3_req
x509_extensions     = v3_req
[ req_distinguished_name ]
countryName                 = TT
stateOrProvinceName         = TT
localityName               = TT
organizationName           = TT
commonName                 = TT
[ v3_req ]
subjectAltName = @alt_names
[alt_names]
PrincipalName   = user1@test.com

I can see Principal Name as subject Alternative name, Subject is user1@test.com in certificate details(when cert is installed). There is 1 problem though: when I installed this user cert on windows machine, I can export it's private key as well. And in other user certificates(generated by other production softwares), private key cannot be exported.

I am not able to get a certificate pop-up with above user1 certificate. "test.com" CA certificate is self signed and installed in certificate authorities. Am I missing something while certificate generation. There are not steps mentioned in the pre-requisites section of this document: https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-certificate-based-authentication

Can someone please help? I need to utilize this functionality but I am not able to understand what is going wrong in certificate generation.

Answer 1

I tried to reproduce the same in my environment and got the results like below:

I generated the root cert by using below PowerShell script:

$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature 
-Subject "CN=RukP2SRootCert" -KeyExportPolicy Exportable 
-HashAlgorithm sha256 -KeyLength 2048 
-CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign

Now, I exported the certificate like below:

Go to Manage User certificates -> Personal -> Certificates -> Select your certificate -> All Tasks -> Export

Select Base-64 encoded X.509 (.CER):

The certificate got exported successfully:

For testing, I enabled MFA for the user and added the user in testrukgrp:

In the Azure Portal, I uploaded the certificate in Certificate authorities:

Enable the Certificate-based authentication and added the testrukgrp:

In configure, I made the changes like below:

Make sure to enable the state in Registration Campaign:

After the above config, I am able to get the certificate popup successfully like below: