Learn Build status updates of commit 676cbd7:

❌ Validation status: errors

Please follow instructions here which may help to resolve issue.

• Line 0, Column 0: [Error: PSMD2Yaml_FileLoadFailed] Failed to load file: C:/LocalRun/W/fyao-s/module/mapping/monikerMapping.json. PackageRoot, ReferenceTocUrl, and ConceptualTocUrl are required for every moniker. PackageRoot should be a valid relative path to docset root.

For more details, please refer to the build report.

Note: Your PR may contain errors or warnings or suggestions unrelated to the files you changed. This happens when external dependencies like GitHub alias, Microsoft alias, cross repo links are updated. Please use these instructions to resolve them.

hi @tomatsue, could you please elaborate on why you believe reversing the byte order is unnecessary?
The code is written to match the behavior of certutil –dump –v $cert ensuring that we return the SerialNumber in the same encoding format.

The GetSerialNumber() method returns the serial number of an X.509v3 certificate as a byte array in little-endian format. This is documented in the official .NET documentation:
https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509certificate.getserialnumber?view=net-5.0#system-security-cryptography-x509certificates-x509certificate-getserialnumber

However, for certificate-based authentication—specifically for the certificateUserIds configuration—the serial number must be in big-endian format to follow the original format that you would see with certutil. That’s why we reverse the byte array returned by GetSerialNumber()
.NET also offers the SerialNumber property, which returns the serial number as a string in big-endian format, eliminating the need for manual reversal. But in your PR suggestion, I didn’t see a switch to using SerialNumber, which would justify removing the reversal logic.

Hi @thadumi, thank you for checking. I've found a problem in the results of Get-EntraUserCertificateUserIdsFromCertificate. This command returns the IssuerAndSerialNumber value — for example, "X509:DC=com,DC=contoso,CN=CONTOSO-DC-CAeF3gH4iJ5kL6mN7oP8qR9sV0uD". This is supposed to be used as the certificateUserId value in Entra CBA. However, the value won't work in this case because Entra CBA expects the serial number to be a string in little-endian format. Please refer to the following document.
https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-certificate-based-authentication#issuer-and-serial-number-manual-mapping

In the example above, Get-EntraUserCertificateUserIdsFromCertificate must return "X509:C=US,O=U.SGovernment,OU=DoD,OU=PKI,OU=CONTRACTOR,CN=CRL.BALA.SelfSignedCertificate b24134139f069b49997212a86ba0ef48", which doesn't match the SerialNumber of certutil –dump –v $cert. That's why I believe reversing the byte order is unnecessary.