microsoft / PowerPlatform-DataverseServiceClient

Code Replica for Microsoft.PowerPlatform.Dataverse.Client and supporting nuget packages.
MIT License

MsalClientException: The certificate certificate does not have a private key. #340

Closed Ofer-Gal closed 1 year ago

Ofer-Gal commented 1 year ago

I am testing an Azure Function with a certificate that is coming from Azure Key Vault.

```csharp
string vaultUrl = "https://{my}.vault.azure.net/";
var clientvault = new CertificateClient(vaultUri: new Uri(vaultUrl), credential: new DefaultAzureCredential());
KeyVaultCertificateWithPolicy certificateWithPolicy = clientvault.GetCertificate("CRM");
var certificate = new X509Certificate2(certificateWithPolicy.Cer, string.Empty, X509KeyStorageFlags.MachineKeySet);
```

Then I create a client:

```csharp
using (var client = new ServiceClient(certificate, StoreName.My, null, instanceUri, true, null, clientId, null, null))
```

and I get the following error:

```
Microsoft.PowerPlatform.Dataverse.Client.Utils.DataverseConnectionException
  HResult=0x80131500
  Message=Failed to connect to Dataverse
  Source=Microsoft.PowerPlatform.Dataverse.Client
  StackTrace:
   at Microsoft.PowerPlatform.Dataverse.Client.ServiceClient.CreateServiceConnection(Object externalOrgServiceProxy, AuthenticationType requestedAuthType, String hostName, String port, String orgName, NetworkCredential credential, String userId, SecureString password, String domain, String Geo, String claimsHomeRealm, Boolean useSsl, Boolean useUniqueInstance, OrganizationDetail orgDetail, String clientId, Uri redirectUri, PromptBehavior promptBehavior, OrganizationWebProxyClientAsync externalOrgWebProxyClient, String certificateThumbPrint, StoreName certificateStoreName, X509Certificate2 certificate, Uri instanceUrl, Boolean isCloned, Boolean useDefaultCreds, Version incomingOrgVersion, ILogger externalLogger, String tokenCacheStorePath)
   at Microsoft.PowerPlatform.Dataverse.Client.ServiceClient..ctor(X509Certificate2 certificate, StoreName certificateStoreName, String certificateThumbPrint, Uri instanceUrl, Boolean useUniqueInstance, OrganizationDetail orgDetail, String clientId, Uri redirectUri, ILogger logger)
   at ReadCRMREST.QueryCRM.Run(HttpRequestData req) in C:\Users\ofgal\source\repos\SP2CRM\ReadCRMREST\QueryCRM.cs:line 37
   at Microsoft.Azure.Functions.Worker.Invocation.MethodInvokerWithReturnValue`2.InvokeAsync(TReflected instance, Object[] arguments)
   at Microsoft.Azure.Functions.Worker.Invocation.DefaultFunctionInvoker`2.InvokeAsync(Object instance, Object[] arguments)
   at Microsoft.Azure.Functions.Worker.Invocation.DefaultFunctionExecutor.<ExecuteAsync>d__4.MoveNext()

  This exception was originally thrown at this call stack:
    [External Code]

Inner Exception 1:
AggregateException: One or more errors occurred. (The certificate certificate does not have a private key. )

Inner Exception 2:
MsalClientException: The certificate certificate does not have a private key.
```

The certificate is self-signed, created by Azure Key Vault. I do not see a private key anywhere. What should I change to get it to work?

Thanks

MattB-msft commented 1 year ago

This has to do with the way KV stores certs.

Did you happen to see this post on this problem? https://stackoverflow.com/questions/51451902/azure-key-vault-certificates-does-not-have-the-private-key-when-retrieved-via-ik
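The Key Vault behaviour behind this error, shown as an added example rather than code from the issue or from the DataverseServiceClient project: `GetCertificate` returns only the public part (`.Cer`), while the private key is stored in the secret of the same name, as base64-encoded PKCS#12 by default. The snippet below assumes the Azure.Identity, Azure.Security.KeyVault.Certificates (a version that has `DownloadCertificate`) and Azure.Security.KeyVault.Secrets packages, a vault URI and certificate name supplied by the caller, and the same `ServiceClient` constructor the issue uses; `instanceUri` and `clientId` are placeholders.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Azure.Identity;
using Azure.Security.KeyVault.Certificates;
using Azure.Security.KeyVault.Secrets;
using Microsoft.PowerPlatform.Dataverse.Client;

// Added example (not from the issue or the project): load a Key Vault certificate
// together with its private key, and fail early with a readable message instead of
// letting MSAL report "does not have a private key" deep inside ServiceClient.
static class KeyVaultCertLoader
{
    // Option A: let the certificate client fetch the backing secret and build the
    // X509Certificate2 for you. The caller needs "secrets/get" on the vault, not only
    // "certificates/get", because the private key is only reachable through the secret.
    public static X509Certificate2 LoadWithPrivateKey(Uri vaultUri, string certificateName)
    {
        var certClient = new CertificateClient(vaultUri, new DefaultAzureCredential());
        X509Certificate2 cert = certClient.DownloadCertificate(certificateName).Value;
        EnsurePrivateKey(cert, vaultUri, certificateName);
        return cert;
    }

    // Option B: the same thing spelled out, so it is clear where the key comes from.
    // The secret that backs the certificate holds the exportable key material; with the
    // default policy it is a password-less PKCS#12 blob encoded as base64.
    public static X509Certificate2 LoadFromBackingSecret(Uri vaultUri, string certificateName)
    {
        var secretClient = new SecretClient(vaultUri, new DefaultAzureCredential());
        KeyVaultSecret secret = secretClient.GetSecret(certificateName).Value;

        if (secret.Properties.ContentType != "application/x-pkcs12")
            throw new NotSupportedException(
                $"Expected a PKCS#12 secret for '{certificateName}', got '{secret.Properties.ContentType}'.");

        byte[] pfx = Convert.FromBase64String(secret.Value);
        // MachineKeySet matches the flag the issue used; it lets the function host
        // import the key without a user profile being loaded.
        var cert = new X509Certificate2(pfx, (string)null, X509KeyStorageFlags.MachineKeySet);
        EnsurePrivateKey(cert, vaultUri, certificateName);
        return cert;
    }

    // A certificate built from ".Cer" alone always fails this check; catching it here
    // gives a message that names the vault and the cert rather than a nested MSAL error.
    static void EnsurePrivateKey(X509Certificate2 cert, Uri vaultUri, string certificateName)
    {
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException(
                $"Certificate '{certificateName}' from {vaultUri} has no private key. " +
                "Check that the certificate policy marks the key as exportable and that the " +
                "caller has secrets/get permission on the vault.");
    }

    // Usage with the ServiceClient constructor from the issue. instanceUri and clientId
    // are placeholders for the Dataverse environment URL and the app registration id.
    public static ServiceClient Connect(Uri vaultUri, string certificateName, Uri instanceUri, string clientId)
    {
        X509Certificate2 cert = LoadWithPrivateKey(vaultUri, certificateName);
        return new ServiceClient(cert, StoreName.My, null, instanceUri, true, null, clientId, null, null);
    }
}
```

Option A is the shorter path; Option B is useful when the certificate was imported as PEM (content type `application/x-pem-file`) or when you want to see exactly which vault permission is exercised, since a role that grants certificate read but not secret read reproduces the original error.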

MattB-msft commented 1 year ago

Going to close this as this appears to be a quirk with the way KV works in conjunction with current KV Clients.