From e980b412d0003d715ca26e294fd2204e51390692 Mon Sep 17 00:00:00 2001
From: Christian Staubli
Date: Fri, 2 Sep 2022 11:31:26 +0200
Subject: [PATCH] Find certificate by thumbprint in store
---
 Extensions/MSALAuthentication.psm1 | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/Extensions/MSALAuthentication.psm1 b/Extensions/MSALAuthentication.psm1
index 9b32237..5200043 100644
--- a/Extensions/MSALAuthentication.psm1
+++ b/Extensions/MSALAuthentication.psm1
@@ -573,7 +573,26 @@ function Connect-MSALClientApp
 }
 elseif($Certificate)
 {
- $ClientApplicationBuilder = [Microsoft.Identity.Client.ConfidentialClientApplicationBuilder]::Create($clientId).WithCertificate($Certificate).WithAuthority([URI]::new($authority)) #.WithRedirectUri($redirectUri)
+ $f = [System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly
+ $cert = $null
+ # Try LocalMachine store first, if not found try also CurrentUser store
+ $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
+ $null = $store.Open($f)
+ $cert = $store.Certificates | Where-Object {$_.Thumbprint -eq $Certificate}
+ $null = $store.Close()
+ if($null -eq $cert)
+ {
+ $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "CurrentUser")
+ $null = $store.Open($f)
+ $cert = $store.Certificates | Where-Object {$_.Thumbprint -eq $Certificate}
+ $null = $store.Close()
+ }
+
+ if($null -eq $cert)
+ {
+ Write-LogError "Could not find a certificate with thumbprint '$($Certificate)' in LocalMachine or CurrentUser store"
+ }
+ $ClientApplicationBuilder = [Microsoft.Identity.Client.ConfidentialClientApplicationBuilder]::Create($clientId).WithCertificate($cert).WithAuthority([URI]::new($authority)) #.WithRedirectUri($redirectUri)
 }
 else
 {
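Review bot: When no certificate matches, the second `if($null -eq $cert)` block only logs, and execution still reaches `.WithCertificate($cert)` with `$cert` set to `$null`, so the failure surfaces as a secondary error from the client builder instead of a clean stop. Add `return` after the `Write-LogError` line, or throw, whichever the rest of Connect-MSALClientApp uses; its body starts and ends outside this hunk. The lookup also takes the first store that has a matching thumbprint, so a LocalMachine entry without a private key would shadow a usable CurrentUser copy; `Where-Object { $_.Thumbprint -eq $Certificate -and $_.HasPrivateKey }` in both lookups avoids that. `$Certificate` was previously passed to `WithCertificate` as-is and is now compared as a thumbprint string, so if the parameter is declared or documented as a certificate object elsewhere in the file, that declaration and its help text need the same change.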