Hello @EnterpriseArchitect,
Thank you for posting your query on Microsoft Q&A.
It appears you're trying to configure certificate-based authentication (CBA) using a wildcard SSL app service certificate for break glass accounts.
Typically, with a wildcard SSL app service certificate, you won't receive the Root CA, Intermediate, or Issuer certificates. To configure CBA for any account, you'll need to obtain these from a certification authority (CA) in .cer format, along with the public key. The CA certificate should include both the Intermediate and Issuer certificates to assign it to a user account. Once you have the Root and Intermediate certificates, you can upload the Root CA certificate under certification authorities in Microsoft Entra ID.
I hope this information is helpful. Please feel free to reach out if you have any further questions.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Thanks,
Raja Pothuraju.