f

carlospolop · carlospolop · commit a539034c29da · 2026-02-05T13:15:58.000+01:00
diff --git a/src/pentesting-cloud/azure-security/az-enumeration-tools.md b/src/pentesting-cloud/azure-security/az-enumeration-tools.md
@@ -122,6 +122,190 @@ $env:HTTP_PROXY="http://127.0.0.1:8080"
 {{#endtab }}
 {{#endtabs }}
 
+<details>
+<summary><strong>Fixing “CA cert does not include key usage extension”</strong></summary>
+
+### Why the error happens
+
+When Azure CLI authenticates, it makes HTTPS requests (via MSAL → Requests → OpenSSL). If you’re intercepting TLS with Burp, Burp generates “on the fly” certificates for sites like `login.microsoftonline.com` and signs them with Burp’s CA.
+
+On newer stacks (Python 3.13 + OpenSSL 3), CA validation is stricter:
+
+- A CA certificate must include **Basic Constraints: `CA:TRUE`** and a **Key Usage** extension permitting certificate signing (**`keyCertSign`**, and typically **`cRLSign`**).
+
+Burp’s default CA (PortSwigger CA) is old and typically lacks the Key Usage extension, so OpenSSL rejects it even if you “trust it”.
+
+That produces errors like:
+
+- `CA cert does not include key usage extension`
+- `CERTIFICATE_VERIFY_FAILED`
+- `self-signed certificate in certificate chain`
+
+So you must:
+
+1. Create a modern CA (with proper Key Usage).
+2. Make Burp use it to sign intercepted certs.
+3. Trust that CA in macOS.
+4. Point Azure CLI / Requests to that CA bundle.
+
+### Step-by-step: working configuration
+
+#### 0) Prereqs
+
+- Burp running locally (proxy at `127.0.0.1:8080`)
+- Azure CLI installed (Homebrew)
+- You can `sudo` (to trust the CA in the system keychain)
+
+#### 1) Create a standards-compliant Burp CA (PEM + KEY)
+
+Create an OpenSSL config file that explicitly sets CA extensions:
+
+```bash
+mkdir -p ~/burp-ca && cd ~/burp-ca
+
+cat > burp-ca.cnf <<'EOF'
+[ req ]
+default_bits       = 2048
+prompt             = no
+default_md         = sha256
+distinguished_name = dn
+x509_extensions    = v3_ca
+
+[ dn ]
+C  = US
+O  = Burp Custom CA
+CN = Burp Custom Root CA
+
+[ v3_ca ]
+basicConstraints = critical,CA:TRUE
+keyUsage = critical,keyCertSign,cRLSign
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+EOF
+```
+
+Generate the CA certificate + private key:
+
+```bash
+openssl req -x509 -new -nodes \
+  -days 3650 \
+  -keyout burp-ca.key \
+  -out burp-ca.pem \
+  -config burp-ca.cnf
+```
+
+Sanity check (you MUST see Key Usage):
+
+```bash
+openssl x509 -in burp-ca.pem -noout -text | egrep -A3 "Basic Constraints|Key Usage"
+```
+
+Expected to include something like:
+
+- `CA:TRUE`
+- `Key Usage: ... Certificate Sign, CRL Sign`
+
+#### 2) Convert to PKCS#12 (Burp import format)
+
+Burp needs certificate + private key, easiest as PKCS#12:
+
+```bash
+openssl pkcs12 -export \
+  -out burp-ca.p12 \
+  -inkey burp-ca.key \
+  -in burp-ca.pem \
+  -name "Burp Custom Root CA"
+```
+
+You’ll be prompted for an export password (set one; Burp will ask for it).
+
+#### 3) Import the CA into Burp and restart Burp
+
+In Burp:
+
+- Proxy → Options
+- Find Import / export CA certificate
+- Click Import CA certificate
+- Choose PKCS#12
+- Select `burp-ca.p12`
+- Enter the password
+- Restart Burp completely (important)
+
+Why restart? Burp may keep using the old CA until restart.
+
+#### 4) Trust the new CA in macOS system keychain
+
+This allows system apps and many TLS stacks to trust the CA.
+
+```bash
+sudo security add-trusted-cert \
+  -d -r trustRoot \
+  -k /Library/Keychains/System.keychain \
+  ~/burp-ca/burp-ca.pem
+```
+
+(If you prefer GUI: Keychain Access → System → Certificates → import → set “Always Trust”.)
+
+#### 5) Configure proxy env vars
+
+```bash
+export HTTPS_PROXY="http://127.0.0.1:8080"
+export HTTP_PROXY="http://127.0.0.1:8080"
+```
+
+#### 6) Configure Requests/Azure CLI to trust your Burp CA
+
+Azure CLI uses Python Requests internally; set both of these:
+
+```bash
+export REQUESTS_CA_BUNDLE="$HOME/burp-ca/burp-ca.pem"
+export SSL_CERT_FILE="$HOME/burp-ca/burp-ca.pem"
+```
+
+Notes:
+
+- `REQUESTS_CA_BUNDLE` is used by Requests.
+- `SSL_CERT_FILE` helps for other TLS consumers and edge cases.
+- You typically do not need the old `ADAL_PYTHON_SSL_NO_VERIFY` / `AZURE_CLI_DISABLE_CONNECTION_VERIFICATION` once the CA is correct.
+
+#### 7) Verify Burp is actually signing with your new CA (critical check)
+
+This confirms your interception chain is correct:
+
+```bash
+openssl s_client -connect login.microsoftonline.com:443 \
+  -proxy 127.0.0.1:8080 </dev/null 2>/dev/null \
+  | openssl x509 -noout -issuer
+```
+
+Expected issuer contains your CA name, e.g.:
+
+`O=Burp Custom CA, CN=Burp Custom Root CA`
+
+If you still see PortSwigger CA, Burp is not using your imported CA → re-check import and restart.
+
+#### 8) Verify Python Requests works through Burp
+
+```bash
+python3 - <<'EOF'
+import requests
+requests.get("https://login.microsoftonline.com")
+print("OK")
+EOF
+```
+
+Expected: `OK`
+
+#### 9) Azure CLI test
+
+```bash
+az account get-access-token --resource=https://management.azure.com/
+```
+
+If you’re already logged in, it should return JSON with an `accessToken`.
+
+</details>
+
 ### Az PowerShell
 
 Azure PowerShell is a module with cmdlets for managing Azure resources directly from the PowerShell command line.
