Applications defined in Azure AD can make app-only calls by sharing a certificate with Azure AD: Azure AD holds the public certificate and the application holds the matching private key. A certificate from a trusted CA should be used for production deployments, but makecert/self-signed certificates are fine for testing and debugging (similar to local web debugging with https). Here are the steps to generate a self-signed certificate with makecert.exe and export it for use with Azure AD.
Part 1: Generate a Self-signed Certificate
1. Open the Visual Studio Tools Command Prompt.
2. Run makecert.exe with the following syntax:
   makecert -r -pe -n "CN=SearchTechnologies SPOnline Cert" -b 10/15/2016 -e 10/15/2018 -ss my -len 2048
   (-r: self-signed; -pe: mark the private key as exportable; -n: subject name; -b/-e: validity start and end dates; -ss my: place it in the current user's Personal store; -len 2048: 2048-bit RSA key.)
3. Run mmc.exe.
4. Go to File → Add/Remove Snap-in.
5. Add Certificates → My User Account.
6. Locate the certificate from step 2 in the Personal certificate store.
7. Right-click it and select All Tasks → Export.
8. Complete the Certificate Export Wizard twice: once with the private key (specify a password and save as .pfx; this file stays with the application) and once without the private key (save as .cer; this is the file uploaded to Azure AD).
Part 2: Create the Azure AD Application
- Log into the Azure Management Portal for your Office 365 tenant.
- Go to the Azure Active Directory tab and select App Registrations.
- Select "New Registration".
- On "Supported account types" select "Accounts in this organizational directory only".
- On "Redirect URI" select Web.
- Enter a Sign-on URL (the value doesn't matter beyond being unique) and click "Register".
- Look for your new application on the Registered Applications list and click it.
- Go to API Permissions and click on "Add a permission".
- On the "Select an API" section, add the "SharePoint" application.
- Select "Application Permissions" and check the following permissions:
  - TermStore.Read.All: Read Managed Metadata.
  - Sites.FullControl.All: Have Full Control of all Site Collections.
  - Sites.Read.All: Read Items in all Site Collections.
- Click on "Add permissions".
- After saving you have to click "Grant admin consent" to apply the changes.
- Go to "Certificates and secrets".
- Click on "Upload certificate".
- Select the certificate created in Part 1 (the .cer export, without the private key).
- Add the certificate.
Part 4: Generate Private Key
Extract the private key from the .pfx as a PEM file (openssl prompts for the .pfx password and, because the output key is encrypted by default, for a new PEM pass phrase):
openssl pkcs12 -nocerts -in <PFX Path> -out <PEM Path>
Convert the extracted PEM key to unencrypted PKCS#8 DER format (-nocrypt means the resulting file holds the private key in the clear, so restrict access to it):
openssl pkcs8 -topk8 -inform PEM -outform DER -in <PEM Path> -out <DER Path> -nocrypt
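As an added example (not code from the original page or from the product documentation it belongs to), the following POSIX shell script produces the same artifacts as Part 1 and Part 4 with openssl alone, so the certificate material can be generated on a machine without makecert.exe or mmc, and then verifies that the DER private key really belongs to the .cer that gets uploaded to Azure AD. Unlike makecert, which signs with SHA-1 unless -a sha256 is passed, it signs the certificate with SHA-256. The working directory, the subject name (copied from the makecert line above) and the .pfx password are constructed placeholders; it assumes openssl is on PATH.

```shell
#!/bin/sh
# Added example, not part of the original page: Part 1 and Part 4 with openssl only,
# plus checks on the result. Assumes openssl is on PATH. WORKDIR, SUBJECT and
# PFX_PASSWORD are constructed placeholders; use a real secret for the password.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SUBJECT="/CN=SearchTechnologies SPOnline Cert"  # same CN as the page's makecert line
PFX_PASSWORD="example-pfx-password"             # constructed placeholder

# Part 1 equivalent: self-signed cert, RSA 2048, SHA-256 signature, valid 2 years.
# Produces cert.cer (public, for Azure AD) and cert.pfx (with private key, for the app).
generate_cert() {
    openssl req -x509 -newkey rsa:2048 -sha256 -days 730 -nodes \
        -subj "$SUBJECT" -keyout "$WORKDIR/key.pem" -out "$WORKDIR/cert.cer" 2>/dev/null
    openssl pkcs12 -export -inkey "$WORKDIR/key.pem" -in "$WORKDIR/cert.cer" \
        -passout "pass:$PFX_PASSWORD" -out "$WORKDIR/cert.pfx"
    chmod 600 "$WORKDIR/key.pem" "$WORKDIR/cert.pfx"
}

# Part 4 equivalent: the page's two openssl commands, made non-interactive.
# -nodes skips the PEM pass phrase prompt; -nocrypt leaves the DER key unencrypted,
# which is why both files get owner-only permissions.
extract_key() {
    openssl pkcs12 -nocerts -nodes -in "$WORKDIR/cert.pfx" \
        -passin "pass:$PFX_PASSWORD" -out "$WORKDIR/extracted.pem"
    openssl pkcs8 -topk8 -inform PEM -outform DER -nocrypt \
        -in "$WORKDIR/extracted.pem" -out "$WORKDIR/key.der"
    chmod 600 "$WORKDIR/extracted.pem" "$WORKDIR/key.der"
}

# Check 1: the DER private key must correspond to the public key inside cert.cer.
# Both sides are reduced to the PEM SubjectPublicKeyInfo and hashed for comparison.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$WORKDIR/cert.cer" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -inform DER -in "$WORKDIR/key.der" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Check 2: key length in bits (should be 2048, matching the page's -len 2048).
key_bits() {
    openssl pkey -inform DER -in "$WORKDIR/key.der" -noout -text \
        | sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# SHA-1 thumbprint without colons: the form the Azure portal shows after the upload,
# so the uploaded .cer can be matched against the key the application holds.
cert_thumbprint() {
    openssl x509 -in "$WORKDIR/cert.cer" -noout -fingerprint -sha1 \
        | sed 's/^.*=//; s/://g'
}

generate_cert
extract_key
key_matches_cert && echo "key.der matches cert.cer"
echo "Key length: $(key_bits) bits"
echo "Thumbprint to compare in the portal: $(cert_thumbprint)"
echo "Output in $WORKDIR: cert.cer (upload to Azure AD), cert.pfx and key.der (keep private)"
```

After the upload in Part 2, the thumbprint printed here should equal the one the portal lists under "Certificates and secrets"; a mismatch means the application is holding a key for a different certificate than the one Azure AD trusts. If the .pfx produced by OpenSSL 3 has to be imported into an older Windows certificate store, add -legacy to the pkcs12 -export command, since the newer default PKCS#12 encryption is not accepted there.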