Applications defined in Azure AD are allowed to make app-only calls by sharing a certificate with Azure AD: Azure AD holds the public key certificate and the app holds the private key. Although a certificate issued by a trusted CA should be used for production deployments, a self-signed certificate (from makecert.exe or the New-SelfSignedCertificate cmdlet) is fine for testing and debugging, much like local web debugging over HTTPS. Here are the steps to generate a self-signed certificate and export it for use with Azure AD.
Open Windows PowerShell ISE (or, if you are using makecert.exe, the Visual Studio Tools Command Prompt).

Note: for Windows 10 you may have to download the Windows 10 SDK to get the makecert application.

Create a PowerShell script with the following content:

$cert = New-SelfSignedCertificate -DnsName www.mysite.com -CertStoreLocation "cert:\LocalMachine\My" -KeyLength 2048 -KeySpec "KeyExchange" -NotBefore 10/15/2019 -NotAfter 10/15/2021

Alternatively, run makecert.exe with the following syntax (-r creates a self-signed certificate, -pe marks the private key as exportable, -ss my places it in the personal store):

makecert -r -pe -n "CN=SearchTechnologies SPOnline Cert" -b 10/15/2016 -e 10/15/2018 -ss my -len 2048
Open Windows PowerShell and run the following commands to compute the three values that the application manifest needs (the base64 certificate, its base64 hash, and a new key id):

$certPath = "<Path to Cert>"   # path to the exported .cer file
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.Import($certPath)
# DER bytes of the public certificate, base64 encoded -> manifest "value"
$rawCert = $cert.GetRawCertData()
$base64Cert = [System.Convert]::ToBase64String($rawCert)
# SHA-1 thumbprint of the certificate, base64 encoded -> manifest "customKeyIdentifier"
$rawCertHash = $cert.GetCertHash()
$base64CertHash = [System.Convert]::ToBase64String($rawCertHash)
# Fresh GUID -> manifest "keyId"
$KeyId = [System.Guid]::NewGuid().ToString()
Write-Host $base64Cert
Write-Host $base64CertHash
Write-Host $KeyId
...
Export the certificate with its private key (PFX, password protected) and the public certificate (CER):

$password = ConvertTo-SecureString -String "mySecurePassword" -Force -AsPlainText
Export-PfxCertificate -Cert $cert -FilePath ".\aspire.mysite.com.pfx" -Password $password
Export-Certificate -Type CERT -Cert $cert -FilePath .\aspire.mysite.com.cer
...
Note: on the Configure section you'll also see the Client Application ID. Copy and save this ID; you are going to need it when configuring the connector.
...
...
Update the keyCredentials attribute with the following settings:

"keyCredentials": [
  {
    "customKeyIdentifier": "<$base64CertHash FROM ABOVE>",
    "keyId": "<$KeyId FROM ABOVE>",
    "type": "AsymmetricX509Cert",
    "usage": "Verify",
    "value": "<$base64Cert FROM ABOVE>"
  }
],
Save the updated manifest and upload it back into Windows Azure using the same Manage Manifest button in the footer (select "Upload Manifest" this time).

Note: if you download the manifest again, you'll notice that the expiration dates are now filled in and the cert value is now null. This is normal and it shouldn't prevent the app from working as expected.
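The whole procedure above, as one added PowerShell script (example code, not part of the original page or of the Aspire connector): it creates the self-signed certificate, exports the PFX and CER files, computes the three manifest values, and checks that customKeyIdentifier really is the SHA-1 hash of the certificate in value before you paste the fragment into the manifest. The subject name, DNS name, output folder and PFX password are assumed, illustrative values.

```powershell
# Added example (not from the original page). Assumed values: subject, DNS name,
# output folder and the PFX password; replace them for your own environment.
$subject     = "CN=SearchTechnologies SPOnline Cert"
$dnsName     = "www.mysite.com"
$outDir      = "C:\certs"                                   # assumed output folder
$pfxPassword = ConvertTo-SecureString -String "mySecurePassword" -Force -AsPlainText   # constructed

New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Create the certificate in the LocalMachine personal store with an exportable
#    2048-bit RSA key, valid for one year from today.
$cert = New-SelfSignedCertificate `
    -Subject $subject `
    -DnsName $dnsName `
    -CertStoreLocation "cert:\LocalMachine\My" `
    -KeyExportPolicy Exportable `
    -KeySpec KeyExchange `
    -KeyLength 2048 `
    -NotAfter (Get-Date).AddYears(1)

# 2. Export the private key (PFX, password protected) for the connector and the
#    public certificate (CER) for Azure AD.
Export-PfxCertificate -Cert $cert -FilePath (Join-Path $outDir "aspire.mysite.com.pfx") -Password $pfxPassword | Out-Null
Export-Certificate -Type CERT -Cert $cert -FilePath (Join-Path $outDir "aspire.mysite.com.cer") | Out-Null

# 3. The three values the manifest needs, taken from the in-memory certificate.
$base64Cert     = [Convert]::ToBase64String($cert.GetRawCertData())   # DER bytes -> "value"
$base64CertHash = [Convert]::ToBase64String($cert.GetCertHash())      # SHA-1 thumbprint -> "customKeyIdentifier"
$keyId          = [Guid]::NewGuid().ToString()                        # -> "keyId"

$keyCredential = [ordered]@{
    customKeyIdentifier = $base64CertHash
    keyId               = $keyId
    type                = "AsymmetricX509Cert"
    usage               = "Verify"
    value               = $base64Cert
}

# 4. Sanity check before uploading: recompute the SHA-1 hash of the DER bytes in
#    "value" and compare it with "customKeyIdentifier". A mismatch here means the
#    manifest would reference a different certificate than the one exported.
$derBytes   = [Convert]::FromBase64String($keyCredential.value)
$sha1       = [System.Security.Cryptography.SHA1]::Create()
$recomputed = [Convert]::ToBase64String($sha1.ComputeHash($derBytes))
if ($recomputed -ne $keyCredential.customKeyIdentifier) {
    throw "customKeyIdentifier does not match the certificate in value"
}

# 5. Emit the JSON fragment to paste into the manifest's keyCredentials array.
@{ keyCredentials = @($keyCredential) } | ConvertTo-Json -Depth 3
```

Run it from an elevated PowerShell session, since writing to cert:\LocalMachine\My requires administrator rights. The PFX file holds the private key and should be treated like a password: keep it out of source control and limit read access to the account that runs the connector.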
...
Note: you may need to download OpenSSL for Windows to follow these steps.
...