
I developed an Azure Function which is timer triggered. For this I created a self-signed certificate:

# Create the certificate in the machine store (thumbprint below is the one this produced)
New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname "SP Az Func 3"
# Password for the PFX export (cmdlet name fixed: ConvertTo-SecureString)
$pwd = ConvertTo-SecureString -String "**************" -Force -AsPlainText
# Export private key (.pfx) and public certificate (.crt)
Export-PfxCertificate -cert cert:\localMachine\my\EB7D9E53BA1DF88AEDE1EA8CA3488CD794E0A9E9 -FilePath "c:\SPAzFunc2.pfx" -Password $pwd
Export-Certificate -cert cert:\localMachine\my\EB7D9E53BA1DF88AEDE1EA8CA3488CD794E0A9E9 -FilePath "c:\SPAzFunc2.crt"

Can I use this self-signed certificate to run our Azure function in production? If not, how can we obtain/buy a .pfx and .crt from an authorized source and provide a password, as we do with the self-signed certificate? Thanks

John John
    Since you're using this on a timer trigger function I presume this certificate is not for SSL/TLS binding. So what do you intend to use the certificate for? – ma499 Jan 31 '23 at 23:44
  • @ma499 it is part of authenticating my Azure function to SharePoint Online; previously we used to pass the ClientID & ClientSecret. Now for modern authentication we pass the CertificateThumbPrint, TenantId & ClientId as mentioned in this video https://www.youtube.com/watch?v=9erhWdwbkq8 – John John Feb 01 '23 at 12:30

1 Answer

The YouTube video you mentioned already describes HOW you can use a certificate with Azure Functions. For others, the most important part is also documented as "Use a TLS/SSL certificate in your code in Azure App Service".

So your actual question is "Can I use self-signed certificates for AAD application authentication in production?".

https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-self-signed-certificate

For testing, you can use a self-signed public certificate instead of a Certificate Authority (CA)-signed certificate. In this how-to, you'll use Windows PowerShell to create and export a self-signed certificate.

Self-signed certificates are not trusted by default and they can be difficult to maintain. Also, they may use outdated hash and cipher suites that may not be strong. For better security, purchase a certificate signed by a well-known certificate authority.

It is definitely technically possible to use self-signed certificates in production. It might also be fine for your use case. However, it depends on your level of confidence that the solution is sufficient for your use case (business requirements etc.). Nobody is going to give you a blanket recommendation except "when in doubt - buy a certificate".

Anything further and especially "how do I buy a client certificate?" does not belong on StackOverflow. Maybe you could ask this question on ServerFault - or rather use the search function there first.
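An added example (not code from the question or the answer) that creates the same kind of app-authentication certificate with explicit key and hash parameters, runs a pre-deployment check that addresses the "outdated hash and cipher suites" concern quoted above, and exports the private and public halves separately. The file paths, one-year validity, the subject name reused from the question and the WEBSITE_LOAD_CERTIFICATES setting are assumptions for illustration, not something the post states.

```powershell
# Added example: self-signed AAD app credential with explicit parameters plus a pre-deploy check.
# Assumptions: cert is used only as an app credential (not TLS binding); paths are placeholders.

function New-AppAuthCertificate {
    param(
        [string]$Subject = "CN=SP Az Func 3",   # subject name taken from the question
        [int]$ValidYears = 1                    # assumed lifetime; short to force rotation
    )
    # RSA 2048 + SHA-256 so the certificate does not rely on weak defaults.
    New-SelfSignedCertificate -Subject $Subject `
        -CertStoreLocation "Cert:\CurrentUser\My" `
        -KeyExportPolicy Exportable -KeySpec Signature `
        -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
        -NotAfter (Get-Date).AddYears($ValidYears)
}

function Test-AppAuthCertificate {
    # Returns a list of findings; an empty result means the checks passed.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $findings = @()
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    if ($null -eq $rsa -or $rsa.KeySize -lt 2048) {
        $findings += "RSA key shorter than 2048 bits (or not RSA)"
    }
    if ($Cert.SignatureAlgorithm.FriendlyName -notmatch 'sha256|sha384|sha512') {
        $findings += "weak signature hash: $($Cert.SignatureAlgorithm.FriendlyName)"
    }
    if ($Cert.NotAfter -lt (Get-Date).AddDays(30)) {
        $findings += "expires within 30 days ($($Cert.NotAfter))"
    }
    if (-not $Cert.HasPrivateKey) {
        $findings += "store entry has no private key"
    }
    return $findings
}

$cert = New-AppAuthCertificate
$problems = Test-AppAuthCertificate -Cert $cert
if ($problems.Count -gt 0) { $problems | ForEach-Object { Write-Warning $_ }; return }

# Export: the .pfx (private key) goes to the Function App only; the .cer (public key)
# is uploaded to the AAD app registration. Prompt for the password instead of hard-coding it.
$pfxPassword = Read-Host -AsSecureString -Prompt "PFX export password"
Export-PfxCertificate -Cert $cert -FilePath "C:\SPAzFunc3.pfx" -Password $pfxPassword | Out-Null
Export-Certificate   -Cert $cert -FilePath "C:\SPAzFunc3.cer" | Out-Null
"Thumbprint to reference in WEBSITE_LOAD_CERTIFICATES and the client config: $($cert.Thumbprint)"
```

Run it in an elevated or per-user PowerShell session with the PKI module available; the check function can also be pointed at an existing store entry (Get-ChildItem Cert:\CurrentUser\My\<thumbprint>) before a renewal.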

Alex AIT