Using Manifest Certification Authorization
Certificate-based authentication is recommended because password-based authentication is subject to security restrictions. For this reason, Team Server lets you enable authentication to Azure SQL Database using a service principal with manifest certificates.
You must create the certificate before you can upload it to the Azure portal.
To create a certificate
- Generate a private key:
  openssl genrsa -out private.key 2048
- Generate a certificate signing request (CSR) from that key:
  openssl req -new -key private.key -out request.csr
- Self-sign the certificate, making it valid for one year:
  openssl x509 -req -in request.csr -signkey private.key -out certificate.pem -days 365
To upload your certificate to Azure
- Go to Azure Active Directory and open App registrations.
- Open your service principal (app).
- Select Certificates & secrets > Certificates.
- Click Upload certificate, and then upload your certificate.pem file.
To convert the .pem file to .pfx, use:
  openssl pkcs12 -export -out jdbc-certificate.pfx -inkey private.key -in certificate.pem -passout pass:
- The .pfx certificate must not be password-protected. The empty value after pass: in the command above produces a .pfx file with no password.
- Establishing a connection with a certificate can take some time because of the validation checks involved. If invalid credentials or an invalid certificate is supplied, the connection attempt can take significantly longer than a standard service principal connection, because the system performs additional verification steps and the server may take longer to return an error response. The overall wait time depends on the server's responsiveness and processing speed.
- We recommend setting the Access Token Lifetime expiry to at least 7 days and preferably no more than 90 days, although longer values are possible.
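The script below is an added example, not part of the Team Server documentation: it runs the certificate creation and .pfx conversion steps described above, then performs the checks an administrator would want before uploading certificate.pem to the Azure portal (key matches certificate, .pfx opens with an empty password, certificate is within its validity window, SHA-1 thumbprint to compare with the one Azure displays). It assumes openssl is installed; the output directory and the certificate subject name are assumptions.

```shell
#!/bin/sh
# Added example (not from the Team Server docs). File names follow the
# documented steps; the directory and subject name are assumptions.
set -eu

make_manifest_cert() {
  dir="$1"
  mkdir -p "$dir"
  # 1. Private key, 2. CSR, 3. self-signed certificate valid for one year
  openssl genrsa -out "$dir/private.key" 2048 2>/dev/null
  openssl req -new -key "$dir/private.key" -out "$dir/request.csr" \
    -subj "/CN=teamserver-manifest" 2>/dev/null
  openssl x509 -req -in "$dir/request.csr" -signkey "$dir/private.key" \
    -out "$dir/certificate.pem" -days 365 2>/dev/null
  # 4. Password-less PKCS#12 bundle: note the empty value after "pass:"
  openssl pkcs12 -export -out "$dir/jdbc-certificate.pfx" \
    -inkey "$dir/private.key" -in "$dir/certificate.pem" -passout pass: 2>/dev/null
}

# Returns 0 only when the private key belongs to the certificate, the .pfx
# can be opened with an empty password, and the certificate has not expired.
check_manifest_cert() {
  dir="$1"
  key_mod=$(openssl rsa -in "$dir/private.key" -noout -modulus 2>/dev/null)
  crt_mod=$(openssl x509 -in "$dir/certificate.pem" -noout -modulus)
  [ "$key_mod" = "$crt_mod" ] || return 1
  openssl pkcs12 -in "$dir/jdbc-certificate.pfx" -noout -passin pass: 2>/dev/null || return 1
  openssl x509 -in "$dir/certificate.pem" -noout -checkend 0 >/dev/null || return 1
  return 0
}

# SHA-1 thumbprint without colons, the form the Azure portal shows after upload
cert_thumbprint() {
  openssl x509 -in "$1/certificate.pem" -noout -fingerprint -sha1 | sed 's/^.*=//; s/://g'
}
```

Run make_manifest_cert on a fresh directory, then check_manifest_cert before uploading; a non-zero exit from the check means the files should not be uploaded.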