Page History

Applications defined in Azure AD are allowed to make app-only calls by sharing a certificate with Azure AD. Azure AD will get the public key certificate and the app will get the private key certificate. Although a trusted certificate should be used for production deployments, cmdlet New-SelfSignedCertificate certificates are fine for testing/debugging (similar to local web debugging with https). Here are the steps to generate a self-signed certificate with cmdlet New-SelfSignedCertificate and

export it for use with Azure AD.

Part 1: Generate a Self-signed Certificate

Option A: With PowerShell:

1. Open Windows PowerShell ISE.

2. Create a PowerShell script with the following content:

   Code Block
   language powershell theme RDark
   $cert = New-SelfSignedCertificate -DnsName www.mysite.com -CertStoreLocation "cert:\LocalMachine\My" -KeyLength 2048 -KeySpec "KeyExchange" -NotBefore 10/15/2019 -NotAfter 10/15/2021 $password = ConvertTo-SecureString -String "mySecurePassword" -Force -AsPlainText Export-PfxCertificate -Cert $cert -FilePath ".\aspire.mysite.com.pfx" -Password $password Export-Certificate -Type CERT -Cert $cert -FilePath .\aspire.mysite.com.cer

3. Update the value for -DnsName.
4. Update the values for -NotBefore and -NotAfter .
5. Update the password value.
6. Update the -FilePath value for the cer and pfx files.
7. Additional information about these parameters can be found in the New-SelfSignedCertificate page.
8. Execute the PowerShell script. You need administrator permissions to successfully execute the script.
9. Both files should be created in the specified location.

Option B: With OpenSSL

1. Open the terminal

2. Create a private key

   Code Block
   language bash
   openssl genrsa -out key.pem 2048

3. Create certificate signing request

   Code Block
   openssl req -new -sha256 -key key.pem -out csr.csr

4. Create certificate

   Code Block
   openssl req -x509 -sha256 -days 365 -key key.pem -in csr.csr -out certificate.pem

5. Create DER encoded CER file

   Code Block
   openssl x509 -inform PEM -in certificate.pem -outform DER -out certificate.cer

6. At the end, you will see the following files created:

   • key.pem
   • certificate.cer
   • certificate.pem
   • csr.csr
7. You will need the key.pem to generate the DER private key on Part 4 and certificate.cer for Part2

Part 2: Create the Azure AD Application

1. Log into the Azure Management Portal for your Office 365 tenant.
2. Go to the Azure Active Directory tab and select App Registrations.
3. Select "New Registration".
4. On "Supported account types" select "Accounts in this organizational directory only ".
5. On "Redirect URI" select Web.
6. Enter a Sign-on URL (the value of this doesn’t really matter other than being unique) and click "Register".
7. Look for your new application on the Registered Applications list and click it.
8. Go to API Permissions and click on "Add a permission".
9. On the "Select an API" section, add the "SharePoint" application
10. Select "Application Permissions" and check the following permissions:
    1. TermStore.Read.All: Read Managed Metadata.
    2. Sites.FullControl.All: Have Full Control of all Site Collections.
    3. Sites.Read.All: Read Items in all Site Collections.
11. Click on "Add permissions".
12. After saving, you have to click "Grant admin consent" to apply the changes.

Part 3: Configure certificate public key for App

1. Go to "Certificates and secrets".
2. Click on "Upload certificate".
3. Select the certificate created in Part 1 (.cer file).
4. Add the certificate.

Part 4: Generate Private Key

1. Extract pem key (only needed if generated with Powershell)

   Code Block
   language text theme RDark
   openssl pkcs12 -nocerts -in <PFX Path> -out <PEM Path>

2. Convert extracted pem key to der format

   Code Block
   language text theme RDark
   openssl pkcs8 -topk8 -inform PEM -outform DER -in <PEM Path> -out <DER Path> -nocrypt