Versions Compared

Old Version 1

changes.mady.by.user Julian Ramirez

Saved on

compared with

New Version Current

changes.mady.by.user David Solano Araya

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Applications defined in Azure AD are allowed to make app-only calls by sharing a certificate with Azure AD. Azure AD will get the public key certificate and the app will get the private key certificate. Although a trusted certificate should be used for production deployments, makecert/self-signed cmdlet New-SelfSignedCertificate certificates are fine for testing/debugging (similar to local web debugging with https). Here are the steps to generate a self-signed certificate with makecert.exe cmdlet New-SelfSignedCertificate and exporting it for use with Azure AD.

Part 1: Generate a Self-signed Certificate

  1. Open Visual Studio Tools Command Prompt.

    Info
    Note: for Windows 10 you may have to download the Windows 10 SDK to get the makecert application.

    Windows PowerShell ISE.

  2. Create a PowerShell script with the following contentRun makecert.exe with the following syntax:

    Code Block
    languagetextpowershell
    themeRDark
    makecert $cert = New-rSelfSignedCertificate -peDnsName www.mysite.com -n "CN=SearchTechnologies SPOnline CertCertStoreLocation "cert:\LocalMachine\My" -KeyLength 2048 -KeySpec "KeyExchange" -bNotBefore 10/15/20162019 -eNotAfter 10/15/2018 -ss my -len 2048
  3. Run mmc.exe
  4. Go to File → Add/Remove Snap In
  5. Add Certificates → My User Account
  6. Locate the certificate from step 2 in the Personal certificate store
  7. Right-click and select All tasks >> Export
  8. Complete the Certificate Export Wizard twice: once with the private key (specify a password and save as .pfx) and once without the private key (save as .cer)

Part 2: Prepare the certificate public key for Azure AD

  1. Open Windows PowerShell and run the following commands:

    Code Block
    languagepowershell
    $certPath = <Path to Cert>
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.Import($certPath)
$rawCert = $cert.GetRawCertData()
$base64Cert = [System.Convert]::ToBase64String($rawCert)
$rawCertHash = $cert.GetCertHash()
$base64CertHash = [System.Convert]::ToBase64String($rawCertHash)
$KeyId = [System.Guid]::NewGuid().ToString()
Write-Host $base64Cert
Write-Host $base64CertHash
Write-Host $KeyId
  2. Copy the values output for $base64Cert, $base64CertHash, and $KeyId for Part 4
  1. 2021 
 $password
 = ConvertTo-SecureString -String "mySecurePassword" -Force -AsPlainText
 Export-PfxCertificate
 -Cert $cert -FilePath ".\aspire.mysite.com.pfx" -Password $password
 Export-Certificate
 -Type CERT -Cert $cert -FilePath .\aspire.mysite.com.cer
  2. Update the value for -DnsName.
  3. Update the values for -NotBefore and -NotAfter .
  4. Update the password value.
  5. Update the -FilePath value for the cer and pfx files.
  6. Additional information about these parameters can be found in the New-SelfSignedCertificate page.
  7. Execute the PowerShell script. You need administrator permissions to successfully execute the script.
  8. Both files should be created in the specified location.

Part 2

...

: Create the Azure AD Application

  1. Log into the Azure Management Portal and go to the Azure Active Directory for your Office 365 tenant.
  2. Go to the Applications Azure Active Directory tab and select click the add button in the footer to manually add an Application
  3. Select "Add an application my organization is developing"
  4. App Registrations.
  5. Select "New Registration".
  6. On "Supported account types" select "Accounts in this organizational directory only ".
  7. On "Redirect URI" select Web.Give the application a name, keep the default selection of "Web Application and/or Web API" and click the next arrow
  8. Enter a Sign-on URL and App ID Uri (values of these don’t (the value of this doesn’t really matter other than being unique) and click next to create the application
  9. Click on the "Configure" tab and scroll to the bottom of the page to the section titled "Permissions to other applications"
  10. Click on "Add Application"
  11. Add the "Office 365 SharePoint Online" application
  12. "Register".
  13. Look for your new application on the Registered Applications list and click it.
  14. Go to API Permissions and click on "Add a permission".
  15. On the "Select an API" section, add the "SharePoint" application
  16. Select "Application Permissions" and check the following permissions:
    1. TermStore.Read.All: Read Managed Metadata.
    2. Sites.FullControl.All:
    On Application Permissions, select the following:
    1. Read Managed Metadata.
    2. Have Full Control of all Site Collections.
    3. Sites.Read.All: Read Items in all Site Collections. 

...

  2. Click on "Add permissions".
  3. After saving you have to click "Grant admin consent" to apply the changes.
Info
On the Configure section you'll also see the Application ID. Copy and save this ID, you are going to need it when configuring the connector.

Part 3: Configure certificate public key for App

...

  1. Go to "Certificates and secrets".
  2. Click on "Upload certificate".
  3. Select the certificate created on Part 1.
  4. Add the certificate.

Part 4: Generate Private Key

Info
You may need to download OpenSSL for Windows to follow these steps.

  1. Extract pem key

  2. Click the Manage Manifest button in the footer and select "Download Manifest" to save the app manifest locally
  3. Open the downloaded manifest file and locate the empty keyCredentials attribute

  4. Update the keyCredentials attribute with the following settings:

    Code Block
    languagetext
    themeRDark
    "keyCredentials": [
	{
		"customKeyIdentifier": "<$base64CertHash FROM ABOVE>",
		"keyId": "<$KeyId FROM ABOVE>",
		"type": "AsymmetricX509Cert",
		"usage": "Verify",
		"value": "<$base64Cert FROM ABOVE>"
	}
],

  5. Save the updated manifest and upload it back into Windows Azure using the same Manage Manifest button in the footer (select "Upload Manifest" this time)

    Info
    Note: If you try to download the manifest again, you'll notice that the expiration dates are now there and the cert value is now null. This is normal and it shouldn't prevent the app to work as expected.
  6. openssl pkcs12 -nocerts -in <PFX Path> -out <PEM Path>

  7. Convert extracted pem key to der format

    Code Block
    languagetext
    themeRDark
    openssl pkcs8 -topk8 -inform PEM -outform DER -in <PEM Path> -out <DER Path> -nocrypt
    Everything should now be setup in Azure AD for the app to run in the background and get app-only access tokens from Azure AD.