
I am using Postman and the servicePrincipals API to build a list of our SAML signing certificates and their expirations. I have all of the keyCredentials for the appID as well as the preferredTokenSigningKeyThumbprint for the Active cert. However, I am not finding any API references to tie the active thumbprint to the keyCredentials.

Anyone figured out how to build the tie-ins?

Thanks

1 Answer


According to the docs, the property keyCredentials will have the value you are looking for.

Key Credentials will have the following structure:

{
  "@odata.type": "#microsoft.graph.keyCredential",
  "customKeyIdentifier": "Binary",
  "displayName": "String",
  "endDateTime": "String (timestamp)",
  "key": "Binary",
  "keyId": "Guid",
  "startDateTime": "String (timestamp)",
  "type": "String",
  "usage": "String"
}

You can get the thumbprint directly when you call the "addSelfSignedSigningCertificate" action; Microsoft doesn't provide the thumbprint in other calls. The closest you can get is to provide a 'customKeyIdentifier' or read back the key and derive the thumbprint by taking the key data and feeding it into a tool like openssl.

openssl pkey -in ~/keyfile -pubout -outform DER | openssl md5 -c

https://stackoverflow.com/a/42248153/5779200

Noah
  • Where in this do you see the thumbprint? – Zulakis Jun 08 '22 at 23:12
  • You can get the thumbprint directly when you call the "addSelfSignedSigningCertificate" action; Microsoft doesn't provide the thumbprint in other calls. The closest you can get is to provide a 'customKeyIdentifier' or read back the key and derive the thumbprint. – Noah Jun 09 '22 at 03:32
  • The question is how to get the thumbprint for an existing certificate. If you know how to derive it, could you add that to your answer? – Zulakis Jun 09 '22 at 07:52
  • Added. If you are using something like bash you can script something like that, but if you're on Windows using PowerShell to automate this you'll need to install OpenSSL. – Noah Jun 09 '22 at 14:34
  • Where does the keyfile come from? – Zulakis Jun 09 '22 at 15:18
  • Key file is the "key" value in the payload response. – Noah Jun 10 '22 at 19:32
  • Hey @Noah, sorry, I only saw your reply today. I have not tested your updated answer with regards to calculating the thumbprint from the key yet, but it seems feasible to me. Thank you! Upvoted :-) – Zulakis Sep 27 '22 at 17:50
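Putting the answer and the comment thread together as an added example (not the answerer's code): the thumbprint Azure AD reports in preferredTokenSigningKeyThumbprint is the SHA-1 of the DER-encoded certificate in upper-case hex, so hashing the base64 `key` value of each keyCredential (the whole certificate, not just the public key, and SHA-1 rather than MD5) gives a value that can be matched against it. The fallback through customKeyIdentifier and the sample service principal below are assumptions/constructed data, not output from a real tenant.

```python
import base64
import hashlib
from datetime import datetime, timezone

def thumbprint_from_key(key_b64):
    """Azure AD thumbprint = SHA-1 of the DER certificate, upper-case hex; `key` is base64 DER."""
    return hashlib.sha1(base64.b64decode(key_b64)).hexdigest().upper()

def thumbprint_from_custom_key_identifier(ck_b64):
    """Assumption: customKeyIdentifier holds the same SHA-1 as 20 raw bytes or as 40 hex ASCII chars."""
    raw = base64.b64decode(ck_b64)
    if len(raw) == 20:
        return raw.hex().upper()
    text = raw.decode("ascii", errors="replace").upper()
    return text if len(text) == 40 and all(c in "0123456789ABCDEF" for c in text) else None

def cert_thumbprint(cred):
    """Prefer the certificate bytes; fall back to customKeyIdentifier when `key` comes back null."""
    if cred.get("key"):
        return thumbprint_from_key(cred["key"])
    if cred.get("customKeyIdentifier"):
        return thumbprint_from_custom_key_identifier(cred["customKeyIdentifier"])
    return None

def signing_cert_report(sp, now=None):
    """One row per keyCredential: thumbprint, whether it is the active SAML signing key, days to expiry."""
    now = now or datetime.now(timezone.utc)
    active = (sp.get("preferredTokenSigningKeyThumbprint") or "").upper()
    rows = []
    for cred in sp.get("keyCredentials", []):
        tp = cert_thumbprint(cred)
        end = datetime.fromisoformat(cred["endDateTime"].replace("Z", "+00:00"))
        rows.append({"keyId": cred["keyId"], "usage": cred.get("usage"), "thumbprint": tp,
                     "active": tp is not None and tp == active,
                     "daysRemaining": (end - now).days})
    return rows

# Constructed sample, not real tenant data: a stand-in byte string plays the DER certificate.
_DER = b"stand-in for DER-encoded certificate bytes"
SAMPLE_SP = {
    "preferredTokenSigningKeyThumbprint": hashlib.sha1(_DER).hexdigest().upper(),
    "keyCredentials": [
        {"keyId": "11111111-1111-1111-1111-111111111111", "usage": "Verify",
         "key": base64.b64encode(_DER).decode(), "endDateTime": "2026-01-01T00:00:00Z",
         "customKeyIdentifier": base64.b64encode(hashlib.sha1(_DER).digest()).decode()},
        {"keyId": "22222222-2222-2222-2222-222222222222", "usage": "Verify",
         "key": None, "endDateTime": "2023-01-01T00:00:00Z",
         "customKeyIdentifier": base64.b64encode(b"A" * 40).decode()},
    ],
}
```

Feed the servicePrincipal JSON returned by Graph into signing_cert_report to get the active flag and days remaining per certificate; a row whose thumbprint is None means neither `key` nor a recognisable customKeyIdentifier came back and the certificate has to be inspected another way.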