Applications defined in Azure AD are allowed to make app-only calls by sharing a certificate with Azure AD: Azure AD holds the public key certificate and the app holds the private key. Although a trusted certificate should be used for production deployments, makecert/self-signed certificates are fine for testing and debugging (similar to local web debugging with https). Here are the steps to generate a self-signed certificate with makecert.exe and export it for use with Azure AD.
Part 1: Generate a Self-signed Certificate
- Open the Visual Studio Tools Command Prompt.
- Run makecert.exe with the following syntax (-r: self-signed, -pe: exportable private key, -ss my: current user's Personal store, -len 2048: 2048-bit RSA key; adjust the subject name and validity dates to suit):
makecert -r -pe -n "CN=SearchTechnologies SPOnline Cert" -b 10/15/2016 -e 10/15/2018 -ss my -len 2048
- Run mmc.exe
- Go to File → Add/Remove Snap-in
- Add Certificates → My User Account
- Locate the certificate created by makecert in the Personal certificate store
- Right-click it and select All Tasks >> Export
- Complete the Certificate Export Wizard twice: once with the private key (specify a password and save as .pfx) and once without the private key (save as .cer)
Part 2: Prepare the certificate public key for Azure AD
Open Windows PowerShell and run the following commands (use the .cer exported without the private key):
# Path to the exported .cer file
$certPath = "<Path to Cert>"
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.Import($certPath)
# Base64 of the DER-encoded certificate -> "value" in keyCredentials
$rawCert = $cert.GetRawCertData()
$base64Cert = [System.Convert]::ToBase64String($rawCert)
# Base64 of the certificate hash (thumbprint bytes) -> "customKeyIdentifier"
$rawCertHash = $cert.GetCertHash()
$base64CertHash = [System.Convert]::ToBase64String($rawCertHash)
# A fresh GUID -> "keyId"
$KeyId = [System.Guid]::NewGuid().ToString()
Write-Host $base64Cert
Write-Host $base64CertHash
Write-Host $KeyId
- Copy the values output for $base64Cert, $base64CertHash, and $KeyId for Part 4
Part 3: Create the Azure AD Application
- Log into the Azure Management Portal and go to the Azure Active Directory for your Office 365 tenant.
- Go to the Azure Active Directory tab and select App Registrations.
- Select "New Application Registration".
- Give the application a name, keep the default selection of "Web Application and/or Web API" and click the next arrow
- Enter a Sign-on URL and App ID Uri (values of these don’t really matter other than being unique) and click next to create the application
- Click on the "Configure" tab and scroll to the bottom of the page to the section titled "Permissions to other applications"
- Click on "Add Application"
- Add the "Office 365 SharePoint Online" application
- On Application Permissions, select the following:
  - Read Managed Metadata
  - Have Full Control of all Site Collections
  - Read Items in all Site Collections
- Click the Manage Manifest button in the footer and select "Download Manifest" to save the app manifest locally
- Open the downloaded manifest file and locate the empty keyCredentials attribute
Part 4: Update the Application Manifest
Update the keyCredentials attribute with the following settings:
"keyCredentials": [
{
"customKeyIdentifier": "<$base64CertHash FROM ABOVE>",
"keyId": "<$KeyId FROM ABOVE>",
"type": "AsymmetricX509Cert",
"usage": "Verify",
"value": "<$base64Cert FROM ABOVE>"
}
],
Save the updated manifest and upload it back into Windows Azure using the same Manage Manifest button in the footer (select "Upload Manifest" this time).
- Everything should now be set up in Azure AD for the app to run in the background and get app-only access tokens from Azure AD.
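The Part 2 values and the keyCredentials fragment above can be produced in one step, and the exported files checked against each other before anything is uploaded. The following script is an added example, not from the original page; it assumes Windows PowerShell 5.1 and takes the .cer and .pfx paths from Part 1 as parameters.

```powershell
# Added example: build the keyCredentials entry for the Azure AD manifest from the
# exported .cer and confirm the .pfx holds the matching private key.
param(
    [Parameter(Mandatory = $true)][string]$CerPath,   # export WITHOUT private key
    [Parameter(Mandatory = $true)][string]$PfxPath    # export WITH private key
)

function New-KeyCredentialEntry {
    param([string]$CerPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)

    # Only the public half belongs in the manifest; catch a .pfx passed by mistake.
    if ($cert.HasPrivateKey) {
        throw "$CerPath contains a private key; register only the public .cer"
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Certificate expired on $($cert.NotAfter); generate a new one first"
    }

    # Same three values as Part 2: cert hash, fresh GUID, DER certificate (all base64/GUID).
    [pscustomobject]@{
        customKeyIdentifier = [Convert]::ToBase64String($cert.GetCertHash())
        keyId               = [Guid]::NewGuid().ToString()
        type                = 'AsymmetricX509Cert'
        usage               = 'Verify'
        value               = [Convert]::ToBase64String($cert.GetRawCertData())
    }
}

function Test-PfxMatchesCer {
    param([string]$PfxPath, [string]$CerPath)
    $pfxPassword = Read-Host -AsSecureString 'PFX password'
    $pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $pfxPassword)
    $cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
    # Equal thumbprints mean the .cer is the public half of the key stored in the .pfx.
    return ($pfx.HasPrivateKey -and ($pfx.Thumbprint -eq $cer.Thumbprint))
}

if (-not (Test-PfxMatchesCer -PfxPath $PfxPath -CerPath $CerPath)) {
    throw 'The .pfx and .cer do not belong to the same key pair'
}

# Emit the array to paste as the "keyCredentials" value in the downloaded manifest.
ConvertTo-Json -InputObject @(New-KeyCredentialEntry -CerPath $CerPath)
```

Run it as `.\New-KeyCredentials.ps1 -CerPath .\app.cer -PfxPath .\app.pfx` (file names assumed) and paste the printed JSON array in place of the empty keyCredentials array.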
Part 5: Generate Private Key
Extract the PEM-encoded private key from the .pfx (you will be prompted for the .pfx password and for a pass phrase to protect the output):
openssl pkcs12 -nocerts -in <PFX Path> -out <PEM Path>
Convert the extracted PEM key to DER (PKCS#8) format; -nocrypt writes the key unencrypted, so restrict access to the DER file:
openssl pkcs8 -topk8 -inform PEM -outform DER -in <PEM Path> -out <DER Path> -nocrypt