I created a self signed certificate and uploaded it to an Azure app registration, similar to what I've done with a dozen or so other apps. I'm attempting to connect to my SharePoint site with Python's office365 library, which is not something I have a lot of experience with and it shows.
from office365.runtime.auth.client_credential import ClientCredential
from office365.sharepoint.client_context import ClientContext
from office365.sharepoint.files.file_system_object_type import FileSystemObjectType
import os
def create_client_with_private_key():
cert_credentials = {
'tenant': tenant,
'client_id': appid,
'thumbprint': thumb,
'cert_path': path
}
return ClientContext(siteurl).with_client_certificate(**cert_credentials)
siteurl = 'https://mytenant.sharepoint.com/sites/mysite'
appid = '<AppID guid>'
tenant = '<TenantID>'
thumb = '<certificate thumbprint>'
path = "d:\\azure cert\\mycertificate.pem"
ctx = create_client_with_private_key()
current_web = ctx.web.get().execute_query()
print("{0}".format(current_web.url))
The script that dies at the second to last line (current_web = ctx.web.get().execute_query()) with this error
Exception has occurred: ValueError ('Could not deserialize key data. The data may be in an incorrect format, it may be encrypted with an unsupported algorithm, or it may be an unsupported key type (e.g. EC curves with explicit parameters).', [_OpenSSLErrorWithText(code=75497580, lib=9, reason=108, reason_text=b'error:0480006C:PEM routines::no start line')]) ValueError: Could not deserialize key data. The data may be in an incorrect format or it may be encrypted with an unsupported algorithm.
During handling of the above exception, another exception occurred:
File "C:\scripts\sp-test.py", line 50, in current_web = ctx.web.get().execute_query() ValueError: ('Could not deserialize key data. The data may be in an incorrect format, it may be encrypted with an unsupported algorithm, or it may be an unsupported key type (e.g. EC curves with explicit parameters).', [_OpenSSLErrorWithText(code=75497580, lib=9, reason=108, reason_text=b'error:0480006C:PEM routines::no start line')])
I've read up that I need to make sure I have the python cryptography package installed, which I do. I'm guessing the format of the certificate is wrong, but I'm not sure what format I should hve it in.
I used the following PowerShell script to create the certificate
$validMonths =12;
$notAfter = (Get-Date).AddMonths($validMonths) # Valid for 4 months
$thumb = (New-SelfSignedCertificate -DnsName "mycertificate" -CertStoreLocation "cert:\LocalMachine\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $notAfter).Thumbprint
$pwd = ConvertTo-SecureString -String $certPassword -Force -AsPlainText
Export-PfxCertificate -cert "cert:\localmachine\my\$thumb" -FilePath $certPath -Password $pwd
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate($certPath, $pwd)
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
New-AzureADApplicationKeyCredential -ObjectId $objectID -Type AsymmetricX509Cert -Usage Verify -Value $keyValue -EndDate ($notAfter.AddHours(-2))
Which creates a pfx file. I had tried that first and that didn't work. So then I exported the certificate as a pem
Export-Certificate -Type CERT -Cert "cert:\localmachine\my\$thumb" -FilePath "$baseCertPath\$($certName).der";
certutil -encode "$baseCertPath\$($certName).der" "$baseCertPath\$($certName).pem";
What am I doing wrong?
