App Proxy Custom Domain Certificate


I’m hoping that there’s a powershell wiz who’s able to give me a little bit of assistance on a Post Deployment Script that I’m trying to develop and get working. It’s 90% there, just failing at the last hurdle.

I’m trying to get Certify the Web to upload a certificate to Azure Application Proxy. I’ve got the script to the stage where it adds a password to the pfx file passed to it from Certify, and connects to AzureAD without a problem, and I can even get the ObjectID from Azure which suggests that it’s connected OK. However when I’m running the Set-AzureADApplicationProxyApplicationCustomDomainCertificate module, I’m getting an ‘Object reference not set to an instance of an object’ error. Now this is happening both when I’m running the script and when I’m running through the steps manually as well.

Any help would be appreciated.




set-alias ps64 “$env:C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe”

ps64 -args $result -command {

$result = $args[0]

#Certificate Location Passed from CertifyTheWeb Application
$pfxpath = $result.ManagedItem.CertificatePath
#Location of the new certificate
$pfxNewPath = “c:\scripts\remotedesktop.pfx”

#Gets the Certificate passed Location Passed above
$mypfx = Get-PfxData -FilePath $pfxpath

#Text String to password protect the cert
$PfxPassword = ConvertTo-SecureString -String [REMOVED] -AsPlainText -Force

#Export the provided certificate to a new file with password protection (needed to be able to upload to Azure Application Proxy)
Export-PfxCertificate -PFXData $mypfx -FilePath $pfxNewPath -Password $PfxPassword

#Connect to AzureAD by obtaining a new refresh token

The refresh token


Tenant id and account id

$tenant_id = “[REMOVED]”
$account = “[REMOVED]”

1b730954-1685-4b74-9bfd-dac224a7b894 is a public client from Microsoft

$clientId = “1b730954-1685-4b74-9bfd-dac224a7b894”
$uri = “${tenant_id}/oauth2/token
$body = @{grant_type=‘refresh_token’;resource=‘’;client_id=$clientId;refresh_token=$refresh_token}
$result = Invoke-RestMethod -Method Post -Uri $uri -Body $body
$accessToken = $result.access_token

Connect to AAD using the above details

Connect-AzureAD -TenantId $tenant_id -AadAccessToken $accessToken -AccountId $account

#Gets the AzureADApplication Object ID for the Remote Desktop App
$WebsiteAppName = “Remote Desktop”

$webAppId = (Get-AzureADApplication -SearchString $WebsiteAppName -ea Stop).ObjectId

Set-AzureADApplicationProxyApplicationCustomDomainCertificate -ObjectId $webAppId
-PfxFilePath $pfxNewPath `
-Password $PfxPassword

#Disconnects from Azure AD and cleans up Password Protected PFX file as no longer needed.
Remove-Item $pfxNewPath



I’m not a powershell expert but things to check:
- - I noticied you’re using SearchString instead of filter- is $webAppId getting the expected value?

If your print the values to the console then try to just run that line manually does it work?

If could avoid copying the pfx file out with a new password by using the new Pfx password functionality (Settings > UI Settings > Custom PFX/Private key password and setting the password under Certificate > Advanced > Signing and Security)

Why are you using the ps64 wrapper? You maybe don’t need that as powershell is 64-bit by default from v4.x onwards of Certify:

set-alias ps64 “$env:C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe”

ps64 -args $result -command {

$result = $args[0]

Hi Christopher

Thanks for the advice, it’s based on a script I found to update a LE Cert into the 4 Remote Desktop components hence the ps64 bit. I just remove the Remote Desktop bits and started adding the bits I needed piece by piece.

I tried using the pxf password in CTW, however it just kept erroring.

Ye I’ve printed all of the variables out, and they’re the values that I’m expecting, apart from the pxf password which you can’t print it easily so tried by installing the certificate manually into azure, with the password as set in the script and it worked soo it’s looking like it’s all down to the Set-AzureADApplica… cmdlet. Have logged with Microsoft support so will wait to hear back from them.

I have tried manually running it and it comes up with the same error message. :confused:



Note that when using the pfx password option you need to re-request the certificate as your existing stored cert won’t have the pfx password set.

When the script runs its not running as your user account, it’s running as the certify background service which is local system. You can modify this by running the task as a different user under the task parameters tab.