graph: service principal's credential configured by CLI is displayed as "unknown" in portal

[weinong]

---

Environment summary

Install Method (e.g. pip, interactive script, apt-get, Docker, MSI, edge build) / CLI version (az --version) / OS version / Shell Type (e.g. bash, cmd.exe, Bash on Windows)

2.0.31 on Azure Cloud Shell

Problem

I have a managed certificate in Keyvault. When I do az ad sp credential reset --name ${SP_ID} --append --keyvault ${KEYVAULT_NAME} --cert ${CERT_NAME}, it ran through just fine. However, when I went to the Azure Portal, the new cert has unknown thumbprint and the expiration date doesn't match the cert's. In fact, I believe the cert is not added properly because I cannot use it.

Likewise, it doesn't work with downloaded certificate..

az keyvault certificate download --vault-name ${KEYVAULT_NAME} -n ${CERT_NAME} -f ${CERT_NAME}.crt -e DER
az ad sp credential reset --name ${SP_ID} --append --cert @${CERT_NAME}.crt

'str' object has no attribute 'digest'
Traceback (most recent call last):
  File "/opt/az/lib/python3.6/site-packages/knack/cli.py", line 197, in invoke
    cmd_result = self.invocation.execute(args)
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 347, in execute
    six.reraise(*sys.exc_info())
  File "/opt/az/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 319, in execute
    result = cmd(params)
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 180, in __call__
    return super(AzCliCommand, self).__call__(*args, **kwargs)
  File "/opt/az/lib/python3.6/site-packages/knack/commands.py", line 109, in __call__
    return self.handler(*args, **kwargs)
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/__init__.py", line 420, in default_command_handler
    result = op(**command_args)
  File "/opt/az/lib/python3.6/site-packages/azure/cli/command_modules/role/custom.py", line 1176, in reset_service_principal_credential
    password, keyvault)
  File "/opt/az/lib/python3.6/site-packages/azure/cli/command_modules/role/custom.py", line 836, in _process_service_principal_creds
    logger.debug("normalizing x509 certificate with fingerprint %s", cert.digest("sha1"))
AttributeError: 'str' object has no attribute 'digest'

Finally, I had to manually download the .CER from the portal and upload to the AAD manually which works

[yugangw-msft]

Please use today's release. This is a known dependency issue on pyopenssl which was fixed 2 weeks ago through #6203

[yugangw-msft]

On a second thought, reactivate it, and will close it once @weinong confirm it.

[weinong]

what is the version that has the fix? @yugangw-msft

[yugangw-msft]

I will double check and let you know

[troydai]

The latest one is 2.0.32, please give it a try. @weinong

[yugangw-msft]

@troydai , we have a bug here which I am looking at it right now.

[yugangw-msft]

@weinong, please try 2.0.32(cloud shell also has it now). The stack trace you provided is different from the issue I fixed but i could not reproduce your issue now. Both issues are about dealing with certs by going through pyOpenSSL which I have upgraded the version CLI uses.
Regarding the UI glitch of no thumbprint, this is known though the cert credential should still work. The root cause for the UI glitch is not clear, as I will have to sync up with the portal folks for how they set it. CLI uses Graph SDK which doesn't expose related properties.
I also can't reproduce the cert expiration mismatch issue, please double check as well.