Applications defined in Azure AD can make app-only calls by sharing a certificate with Azure AD: Azure AD gets the public key certificate and the app gets the private key certificate. Although a trusted certificate should be used for production deployments, certificates created with the New-SelfSignedCertificate cmdlet are fine for testing/debugging (similar to local web debugging with https). Here are the steps to generate a self-signed certificate with the New-SelfSignedCertificate cmdlet and export it for use with Azure AD.
Part 1: Generate a Self-signed Certificate
Option A: With PowerShell:
Open Windows PowerShell ISE.
Create a PowerShell script with the following content:
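An added example of such a script, not the original page's own; the subject name, output folder, file names and six-month lifetime are assumptions. It creates the key pair, exports the public certificate (.cer) for Azure AD and a password-protected .pfx for the app, and checks that the .cer carries no private key:

```powershell
# Added example: every name, path and lifetime below is an assumption.
$subject = 'CN=ContosoAppOnlyTest'          # hypothetical subject name
$outDir  = Join-Path $env:TEMP 'aad-cert'   # hypothetical output folder
$cerPath = Join-Path $outDir 'app.cer'      # public certificate for Azure AD
$pfxPath = Join-Path $outDir 'app.pfx'      # certificate + private key for the app

New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Create the key pair in the current user's store (no elevation needed).
# The key must be exportable so it can be written to a .pfx afterwards.
$cert = New-SelfSignedCertificate `
    -Subject $subject `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyAlgorithm RSA -KeyLength 2048 `
    -KeySpec Signature `
    -KeyExportPolicy Exportable `
    -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddMonths(6)       # short lifetime for a test certificate

# Public half only: this is the file that is shared with Azure AD.
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# Private half: prompt for the password so it never appears in the script.
$pfxPassword = Read-Host -Prompt 'Password for the PFX file' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# Sanity check: the file shared with Azure AD must not contain the private key.
$public = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cerPath)
if ($public.HasPrivateKey) {
    throw "Unexpected private key in $cerPath; do not upload this file."
}
if ($public.Thumbprint -ne $cert.Thumbprint) {
    throw 'Exported certificate does not match the generated one.'
}

# Values needed later when configuring the app and tracking expiry.
[pscustomobject]@{
    Subject    = $cert.Subject
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    PublicCer  = $cerPath
    PrivatePfx = $pfxPath
}
```

Once the .pfx is stored where the app needs it, the copy in `Cert:\CurrentUser\My` can be removed so the exportable private key does not linger on the workstation.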