How Can I Create a SAML Signing Certificate Using Internal PKI or Intune?

Asked By TechieTurtle42 On

I'm looking to issue a SAML signing certificate from one of our internal Certificate Authorities (CAs) for use with an Enterprise Application in Azure. The goal is to avoid using the self-signed certificates that are automatically generated for each app. I'm familiar with OpenSSL and usually create a certificate signing request (CSR) with a configuration file. However, I'm uncertain about how to properly fill this file out for this specific situation. Additionally, I haven't used Intune PKI much beyond initial setup and creating some SCEP profiles, so I'm not sure if that's a viable path. Any insights or guidance on generating this CSR and certificate would be greatly appreciated! Am I overthinking this?
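The question above asks how to fill out an OpenSSL config for a SAML signing CSR. The script below is an added example (not posted by anyone in this thread and not Microsoft's documentation): it writes a minimal CSR config, generates an RSA key and CSR for submission to the internal CA, and then packages the issued certificate as a PFX for the Enterprise App's "Import certificate" step. The subject names, key size (RSA 2048), PFX password and working directory are assumptions. Because the real CA is not reachable offline, a throwaway local root stands in for it; with a Microsoft CA you would instead submit saml.csr against a template that grants Digital Signature and use the returned .cer.

```shell
#!/usr/bin/env sh
# Added example: key + CSR for a SAML signing certificate, then PFX packaging.
# Everything under $WORKDIR is illustrative; the "CA" below is a constructed
# stand-in for the internal CA so the script runs offline.
set -u
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# 1. CSR config. A SAML signing cert only needs the digitalSignature key
#    usage: no serverAuth EKU and no SAN, since the CN is a label, not a host.
write_csr_config() {
  cat > "$WORKDIR/saml-csr.cnf" <<'EOF'
[ req ]
default_md         = sha256
prompt             = no
distinguished_name = dn
req_extensions     = saml_ext

# Subject values are assumed; use your organisation's naming convention.
[ dn ]
C  = US
O  = Example Corp
OU = Identity
CN = saml-signing-example-app

[ saml_ext ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature
EOF
}

# 2. Private key and CSR. RSA is assumed (Entra's SAML signing uses RSA keys).
#    The key never leaves this host until it is wrapped in the PFX.
generate_csr() {
  write_csr_config
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORKDIR/saml.key" -out "$WORKDIR/saml.csr" \
    -config "$WORKDIR/saml-csr.cnf" 2>/dev/null || return 1
  chmod 600 "$WORKDIR/saml.key"
  # Self-check the CSR signature before handing it to the CA.
  openssl req -in "$WORKDIR/saml.csr" -noout -verify >/dev/null 2>&1
}

# Returns 0 if the CSR asks for the digitalSignature key usage.
csr_has_digital_signature() {
  openssl req -in "$1" -noout -text 2>/dev/null | grep -q "Digital Signature"
}

# 3. Constructed stand-in for the internal CA: a throwaway root that signs the
#    CSR and applies the same extension section. A Microsoft CA applies its
#    template's extensions instead, so check the returned .cer the same way.
issue_with_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/O=Example Corp/CN=Example Test Root" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null || return 1
  openssl x509 -req -in "$WORKDIR/saml.csr" \
    -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
    -days 365 -sha256 -extfile "$WORKDIR/saml-csr.cnf" -extensions saml_ext \
    -out "$WORKDIR/saml.crt" 2>/dev/null
}

# Returns 0 if the issued cert carries digitalSignature and chains to the CA.
cert_is_usable_for_signing() {
  openssl x509 -in "$WORKDIR/saml.crt" -noout -text 2>/dev/null \
    | grep -q "Digital Signature" || return 1
  openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/saml.crt" >/dev/null 2>&1
}

# 4. Package for upload: the Enterprise App's SAML Signing Certificate blade
#    imports a password-protected PFX containing the private key. The
#    password is an assumption; delete the PFX once the upload succeeds.
bundle_pfx() {
  openssl pkcs12 -export -inkey "$WORKDIR/saml.key" -in "$WORKDIR/saml.crt" \
    -certfile "$WORKDIR/ca.crt" -passout pass:ChangeMe \
    -out "$WORKDIR/saml.pfx" 2>/dev/null
}

# Returns 0 if the PFX really contains the private key (a common upload error).
pfx_has_private_key() {
  openssl pkcs12 -in "$WORKDIR/saml.pfx" -passin pass:ChangeMe -nocerts -nodes 2>/dev/null \
    | grep -q "PRIVATE KEY"
}

run_all() {
  generate_csr && issue_with_test_ca && bundle_pfx
}

if [ "${1:-}" = run ]; then
  run_all && echo "artifacts in $WORKDIR"
fi
```

Run it as `sh saml-csr.sh run`. In practice you stop after step 2, submit saml.csr to the internal CA, drop the returned certificate in as saml.crt (and the issuing chain as ca.crt), then continue with step 4. If the upload is rejected by an older Windows-based tool, OpenSSL 3 can produce a legacy-encrypted PFX with `openssl pkcs12 -export -legacy`. Note that a CA-issued certificate still expires; unlike the Entra-generated one, nothing rotates it for you, so record the expiry and plan the renewal.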

5 Answers

Answered By RealistSecurity12 On

Just to clarify, the certificates issued by Entra are from a Microsoft CA, which means they are already trusted by Microsoft—a crucial aspect to consider for security!

Answered By SkepticalAdmin22 On

Honestly, creating your own certificate for this is pretty uncommon since your Identity Provider (IdP) typically generates these certs. The general practice is to let the IdP handle certificate management to avoid issues like breaking automatic certificate rotation.

Answered By CuriousCoder77 On

I’m curious about why you need a certificate from your CA instead of using the default certificate generation provided by Entra. Could it be a requirement from your security team or just a preference?

TechieTurtle42 -

Good question! The security department specifically requested a CA generated certificate, so I’m just trying to figure out if it’s feasible and how easy it will be. Right now, the self-signed option seems way simpler, haha.

Answered By ConfusedUser99 On

I think there's a misunderstanding. The endpoint URLs you're referring to are microsoftonline.com, and from what I know, it's tricky to issue certs from your CA for those endpoints. But I could be wrong!

TechieTurtle42 -

The Enterprise App does allow us to upload a certificate, and I was under the impression this could be either public or private. The documentation hints that a CA certificate is feasible, but the specifics are vague.

Answered By IdentityGuru88 On

Are you acting as both the IdP and the Service Provider (SP) here? Because that complicates things a bit. In that case, you might consider options like Let's Encrypt if you're dealing with self-hosted applications without a public CA cert. For Entra ID, you can download the SAML certificate directly.
