Az login with service principal does not work using SNI cert, not sending certificate chain

[grgarcia-ms]

Describe the bug

When downloading cert from kv as in instructions here, login in DOES NOT WORK if cert relies on signed cert. It DOES work on SDK packages, with same cert, somewhere in az cli the certificate CHAIN seems like is not being sent like sdk (send_certificate_chain=True)
https://learn.microsoft.com/en-us/cli/azure/azure-cli-sp-tutorial-3#work-with-azure-key-vault

Related command

az login --service-principal -u "" -p cert.pem --tenant ""

Errors

AADSTS700030: Invalid certificate - subject name in certificate is not authorized. SubjectNames/SubjectAlternativeNames (up to 10) in token certificate are: ameroot. Trace ID: 3a06737e-f940-45f3-96a2-0cd091da5100 Correlation ID: a957054b-bbc5-403b-ac43-fa5fb4ae041e Timestamp: 2024-07-15 16:48:58Z

Issue script & Debug output

az keyvault secret download --file /path/to/cert.pfx
--vault-name VaultName
--name CertName
--encoding base64
openssl pkcs12 -in cert.pfx -passin pass: -passout pass: -out cert.pem -nodes
az login --service-principal -u "" -p cert.pem --tenant ""

Expected behavior

login should work

Environment Summary

azure-cli 2.39.0 *

core 2.39.0 *
telemetry 1.0.6 *

Extensions:
ml 0.0.125556467
providerhub 0.2.0

Dependencies:
msal 1.18.0b1
azure-mgmt-resource 21.1.0b1

Additional context

this is very urgent as teams move to use cert instead of passwords, please prioritize if possible

[azure-client-tools-bot-prd]

Hi @grgarcia-ms,

2.39.0 is not the latest Azure CLI(2.62.0).

If you haven't already attempted to do so, please upgrade to the latest Azure CLI version by following https://learn.microsoft.com/en-us/cli/azure/update-azure-cli.

[yonzhan]

Thank you for opening this issue, we will look into it.

[grgarcia-ms]

We are hoping this can be resolved by az cli adding support of send_certificate_chain=True equivalent command, please provide a way to unblock our teams we need a way of signing in using SNI CERT with az cli for some of our jobs running

[lincolnu]

The issue appears to be due to the fact that the az login command doesn't expect the full cert chain to be included in the input pem file, as indicated by the intermediate cert authority showing up in the incorrectly detected subject name of the certificate.

az login already does not require that the PEM file include the cert chain, unlike the Azure Powershell Modules' connect-azaccount which requires that SendCertificateChain is specified.

So one solution is to modify the openssl command you used to convert from pfx to pem file, to specify the -clcerts argument:

https://docs.openssl.org/1.0.2/man1/pkcs12/#parsing-options

-clcerts
only output client certificates (not CA certificates).

I verified that this will allow you to run az login with a certificate that is not self-signed.