How to use the management certificate to manage the Azure cloud service by DevOps pipeline

Published Nov 12 2020 11:57 PM


Azure DevOps provides developer services that help teams plan work, collaborate on code development, and build and deploy applications. Developers can work in the cloud using Azure DevOps Services or on-premises using Azure DevOps Server, formerly named Visual Studio Team Foundation Server (TFS). Azure cloud services can be managed from Azure DevOps with the cmdlets in the Azure PowerShell tools, so you can perform all of your cloud service management tasks within the service.

Management certificates allow you to authenticate with the classic deployment model. Many programs and tools (such as Visual Studio or the Azure SDK) use these certificates to automate configuration and deployment of various Azure services.



This blog shows how to create a management certificate and use it in Azure DevOps to manage Azure classic resources such as Cloud Services.


Part 1. Create a management certificate with OpenSSL. (Refer to the document


1. Sign in to your computer where OpenSSL is installed and run the following command. This creates a password protected key.


openssl ecparam -out test.key -name prime256v1 -genkey



2. Use the following commands to generate the csr and the certificate.


openssl req -new -sha256 -key test.key -out test.csr



3. When prompted, type the password for the root key, and the organizational information for the custom CA such as Country/Region, State, Org, OU, and the fully qualified domain name (this is the domain of the issuer).


openssl x509 -req -sha256 -days 365 -in test.csr -signkey test.key -out test.crt



4. Generate the pfx certificate from the key and the crt file. The pfx file is the one used in the Azure DevOps pipeline.


openssl pkcs12 -export -out frankmgmt.pfx -inkey test.key -in test.crt



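5. Create a cer file from the pfx certificate, which can be uploaded to the Azure Portal as the management certificate. The -nokeys option writes only the certificate, so the private key stays out of the file you upload.


openssl pkcs12 -in frankmgmt.pfx -nokeys -out test.cer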
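
A check worth running on test.cer before the upload in Part 2, added here as an example and not part of the original post: openssl pkcs12 writes the private key to its output unless -nokeys is given, so the script below refuses a file that contains a key, does not hold exactly one certificate, or does not match the certificate inside frankmgmt.pfx. The function names and the PFX_PASSWORD environment variable are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): pre-upload check for the .cer file.
# Function names are hypothetical; PFX_PASSWORD is an assumed environment variable
# holding the PFX export password, so it never appears on a command line.

# Succeeds if the file holds any PEM private-key block (PKCS#8, EC, RSA, encrypted).
has_private_key() {
  grep -Eq -- '-----BEGIN ([A-Z]+ )*PRIVATE KEY-----' "$1"
}

# Prints the number of PEM certificate blocks in the file.
cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Prints the SHA-1 thumbprint (hex, no colons) of the first certificate in a PEM file.
cert_thumbprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 2>/dev/null | sed 's/^.*=//; s/://g'
}

# Prints the SHA-1 thumbprint of the certificate stored in a PFX file.
pfx_thumbprint() {
  openssl pkcs12 -in "$1" -nokeys -passin env:PFX_PASSWORD 2>/dev/null |
    openssl x509 -noout -fingerprint -sha1 2>/dev/null | sed 's/^.*=//; s/://g'
}

# usage: check_cer_for_upload test.cer frankmgmt.pfx
# Returns 0 only if the .cer holds exactly one certificate, no private key,
# and that certificate is the one inside the PFX the pipeline will use.
check_cer_for_upload() {
  local cer=$1 pfx=$2 thumb
  if has_private_key "$cer"; then
    echo "REFUSE: $cer contains a private key" >&2
    return 1
  fi
  if [ "$(cert_count "$cer")" -ne 1 ]; then
    echo "REFUSE: $cer must contain exactly one certificate" >&2
    return 2
  fi
  thumb=$(cert_thumbprint "$cer")
  if [ -z "$thumb" ] || [ "$thumb" != "$(pfx_thumbprint "$pfx")" ]; then
    echo "REFUSE: $cer does not match the certificate in $pfx" >&2
    return 3
  fi
  echo "OK: $cer thumbprint $thumb"
}
```

The thumbprint printed on success is the SHA-1 value to compare against the entry that appears after the upload.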



Part 2. Upload the cer file as a management certificate of the subscription.


1. Search for the certificate in the subscription.

2. Select Management certificates.

3. Upload the cer file as a management certificate.

4. The management certificate is now listed in the Azure Portal.





Part 3. Use the management certificate to verify Azure Service Manager (ASM) resources in an Azure DevOps pipeline.


1. In the Library, open Secure files and upload the pfx certificate as a secure file.




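2. Create a PowerShell script like the one below for testing.



# Path to the downloaded pfx secure file, passed in as the script argument
param ($input1)

Write-Host "Script test.ps1 ..."

# Force TLS 1.2 for outbound connections made by this session
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

# Load the management certificate and its private key from the pfx file.
# Replace <password> with the pfx export password; in a pipeline, supply it
# from a secret variable instead of storing it in the script.
$SigningCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$SigningCert.Import($input1, "<password>", [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]"DefaultKeySet")

# Register the subscription with the certificate and make it the current one
Set-AzureSubscription -SubscriptionName "<subscription name>" -SubscriptionId "<subscription id>" -Certificate $SigningCert
Select-AzureSubscription -SubscriptionName "<subscription name>"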




3. Add two tasks to the pipeline: Download Secure file and PowerShell Script.





4. Download secure file.





5. Set the script path and arguments of the PowerShell Script task.




6. We can now get the cloud service deployment information with the Get-AzureDeployment command.


Here is an example we used to get the deployment details in the cloud service.







Last update: Dec 08 2020 07:12 PM