microsoftgraph
Update Get-EntraUserCertificateUserIdsFromCertificate.ps1
Learn Build status updates of commit 676cbd7:
:x: Validation status: errors
Please follow instructions here which may help to resolve issue.
| File | Status | Preview URL | Details |
|---|---|---|---|
| :x:Error | Details |
- Line 0, Column 0: [Error: PSMD2Yaml_FileLoadFailed]
Failed to load file: C:/LocalRun/W/fyao-s/module/mapping/monikerMapping.json. PackageRoot, ReferenceTocUrl, and ConceptualTocUrl are required for every moniker. PackageRoot should be a valid relative path to docset root.
For more details, please refer to the build report.
Note: Your PR may contain errors or warnings or suggestions unrelated to the files you changed. This happens when external dependencies like GitHub alias, Microsoft alias, cross repo links are updated. Please use these instructions to resolve them.
![learn-build-service-prod[bot] avatar](https://avatars.githubusercontent.com/in/237442?v=4 "Published by a pub.dev verified publisher"){kind=small}
hi @tomatsue, could you please elaborate on why you believe reversing the byte order is unnecessary?
The code is written to match the behavior of certutil –dump –v $cert ensuring that we return the SerialNumber in the same encoding format.
The GetSerialNumber() method returns the serial number of an X.509v3 certificate as a byte array in little-endian format. This is documented in the official .NET documentation:
https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509certificate.getserialnumber?view=net-5.0#system-security-cryptography-x509certificates-x509certificate-getserialnumber
However, for certificate-based authentication—specifically for the certificateUserIds configuration—the serial number must be in big-endian format to follow the original format that you would see with certutil. That’s why we reverse the byte array returned by GetSerialNumber()
.NET also offers the SerialNumber property, which returns the serial number as a string in big-endian format, eliminating the need for manual reversal. But in your PR suggestion, I didn’t see a switch to using SerialNumber, which would justify removing the reversal logic.
Hi @thadumi, thank you for checking. I've found a problem with the results of Get-EntraUserCertificateUserIdsFromCertificate. This command returns the IssuerAndSerialNumber value — for example, "X509:<I>DC=com,DC=contoso,CN=CONTOSO-DC-CA<SR>eF3gH4iJ5kL6mN7oP8qR9sV0uD", which is supposed to be used as the certificateUserId value in Entra CBA. However, the value returned from the command won't work because Entra CBA expects the serial number to be a string in little-endian format. Please refer to the following document.
https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-certificate-based-authentication#issuer-and-serial-number-manual-mapping
In the example above,
Get-EntraUserCertificateUserIdsFromCertificate must return "X509:<I>C=US,O=U.SGovernment,OU=DoD,OU=PKI,OU=CONTRACTOR,CN=CRL.BALA.SelfSignedCertificate<SR> b24134139f069b49997212a86ba0ef48", which doesn't match the SerialNumber of certutil –dump –v $cert. That's why I believe reversing the byte order is unnecessary.
Learn Build status updates of commit d9ee186:
:x: Validation status: errors
Please follow instructions here which may help to resolve issue.
| File | Status | Preview URL | Details |
|---|---|---|---|
| :x:Error | Details |
- Line 0, Column 0: [Error: PSMD2Yaml_FileLoadFailed]
Failed to load file: C:/LocalRun/W/b3sa-s/module/mapping/monikerMapping.json. PackageRoot, ReferenceTocUrl, and ConceptualTocUrl are required for every moniker. PackageRoot should be a valid relative path to docset root.
For more details, please refer to the build report.
Note: Your PR may contain errors or warnings or suggestions unrelated to the files you changed. This happens when external dependencies like GitHub alias, Microsoft alias, cross repo links are updated. Please use these instructions to resolve them.
Learn Build status updates of commit 1ad7879:
:x: Validation status: errors
Please follow instructions here which may help to resolve issue.
| File | Status | Preview URL | Details |
|---|---|---|---|
| :x:Error | Details |
- Line 0, Column 0: [Error: PSMD2Yaml_FileLoadFailed]
Failed to load file: C:/LocalRun/W/34t4-s/module/mapping/monikerMapping.json. PackageRoot, ReferenceTocUrl, and ConceptualTocUrl are required for every moniker. PackageRoot should be a valid relative path to docset root.
For more details, please refer to the build report.
Note: Your PR may contain errors or warnings or suggestions unrelated to the files you changed. This happens when external dependencies like GitHub alias, Microsoft alias, cross repo links are updated. Please use these instructions to resolve them.
