Applications registered in Azure AD can make app-only calls by authenticating with a certificate instead of a client secret. Azure AD stores only the public certificate on the app registration; the application keeps the private key and uses it to prove its identity when it requests a token. The private key should never be uploaded to Azure AD or checked in with the application's source. A certificate from a trusted CA should be used for production deployments, but a makecert/self-signed certificate is fine for testing and debugging (much like local web debugging with https). Note that makecert.exe is deprecated; on Windows 10 / Server 2016 and later the New-SelfSignedCertificate cmdlet produces an equivalent certificate. Here are the steps to generate a self-signed certificate with makecert.exe and export it for use with Azure AD.
Open the Visual Studio Developer Command Prompt (makecert.exe ships with the Windows SDK and is on the path there).
Run makecert.exe with the following syntax:
makecert -r -pe -n "CN=SearchTechnologies SPOnline Cert" -b 10/15/2016 -e 10/15/2018 -ss my -len 2048
The flags: -r creates a self-signed certificate, -pe marks the private key as exportable (required to produce a .pfx later), -n sets the subject name, -b and -e set the validity period, -ss my places the certificate in the current user's Personal store instead of writing it to a file, and -len 2048 sets the RSA key size (do not go below 2048).
Because -ss my writes the certificate to the certificate store, export it before continuing: in certmgr.msc (Personal > Certificates), export it once without the private key as a DER-encoded .cer file (this is what goes into the manifest) and once with the private key as a password-protected .pfx file (this is what the application uses). Then open Windows PowerShell and run the following commands against the .cer file:
$certPath = "<Path to Cert>"   # the exported .cer file (public certificate only)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.Import($certPath)
$rawCert = $cert.GetRawCertData()                                 # DER-encoded certificate bytes
$base64Cert = [System.Convert]::ToBase64String($rawCert)          # manifest "value"
$rawCertHash = $cert.GetCertHash()                                # SHA-1 thumbprint bytes
$base64CertHash = [System.Convert]::ToBase64String($rawCertHash)  # manifest "customKeyIdentifier"
$KeyId = [System.Guid]::NewGuid().ToString()                      # manifest "keyId": any fresh GUID
Write-Host $base64Cert
Write-Host $base64CertHash
Write-Host $KeyId
Open the app registration's manifest in the Azure portal and update the keyCredentials attribute with the following settings: value is the base64 DER certificate, customKeyIdentifier is the base64 SHA-1 thumbprint, and keyId is the GUID generated above.
"keyCredentials": [
  {
    "customKeyIdentifier": "<$base64CertHash FROM ABOVE>",
    "keyId": "<$KeyId FROM ABOVE>",
    "type": "AsymmetricX509Cert",
    "usage": "Verify",
    "value": "<$base64Cert FROM ABOVE>"
  }
],
Save the updated manifest. Only the public certificate has been uploaded; the .pfx stays with the application.
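The certificate and manifest steps above as one script, added here as an example; it is not code from the original page. It assumes the same subject name as the makecert command, an output folder under %TEMP%, and a makecert-created certificate in the CurrentUser\My store; if none is found it falls back to New-SelfSignedCertificate (the supported replacement for makecert, Windows 10 / Server 2016 or later). It also checks that the customKeyIdentifier it emits really is the thumbprint of the exported certificate.

```powershell
# Added example (not from the original page): export a self-signed certificate from the
# CurrentUser\My store and build the keyCredentials entry for the Azure AD app manifest.
# Assumptions: $Subject matches the makecert command above, $OutDir is a scratch folder,
# and the PFX password is entered interactively.

$Subject = 'CN=SearchTechnologies SPOnline Cert'   # same subject as the makecert command
$OutDir  = Join-Path $env:TEMP 'aad-cert'          # assumed output folder
$PfxPwd  = Read-Host -AsSecureString 'PFX export password'

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Locate the certificate makecert put in the personal store (-ss my); take the newest one.
$cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Subject -eq $Subject } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1

if (-not $cert) {
    # Fallback (assumption: PKI module available): New-SelfSignedCertificate creates an
    # exportable RSA-2048 self-signed certificate equivalent to the makecert one.
    $cert = New-SelfSignedCertificate -Subject $Subject `
        -CertStoreLocation 'Cert:\CurrentUser\My' `
        -KeyAlgorithm RSA -KeyLength 2048 -KeyExportPolicy Exportable `
        -NotAfter (Get-Date).AddYears(2)
}

# 2. Export the public certificate (.cer) for Azure AD and the private key (.pfx) for
#    the application. Only the .cer is ever uploaded to Azure AD.
$cerPath = Join-Path $OutDir 'app.cer'
$pfxPath = Join-Path $OutDir 'app.pfx'
Export-Certificate    -Cert $cert -FilePath $cerPath -Type CERT   | Out-Null
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $PfxPwd | Out-Null

# 3. Compute the manifest values from the exported .cer so the manifest carries exactly
#    the certificate that was written to disk.
$pub = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)
$base64Cert     = [Convert]::ToBase64String($pub.GetRawCertData())   # DER cert, base64
$base64CertHash = [Convert]::ToBase64String($pub.GetCertHash())      # SHA-1 thumbprint, base64
$keyId          = [Guid]::NewGuid().ToString()                       # any fresh GUID

# Sanity check: customKeyIdentifier must decode to the hex thumbprint shown in certmgr.
$hexFromHash = -join ([Convert]::FromBase64String($base64CertHash) | ForEach-Object { $_.ToString('X2') })
if ($hexFromHash -ne $pub.Thumbprint) {
    throw 'customKeyIdentifier does not match the exported certificate thumbprint'
}

# 4. Emit the keyCredentials fragment ready to paste into the manifest.
$keyCredentials = [ordered]@{
    keyCredentials = @(
        [ordered]@{
            customKeyIdentifier = $base64CertHash
            keyId               = $keyId
            type                = 'AsymmetricX509Cert'
            usage               = 'Verify'
            value               = $base64Cert
        }
    )
}
$json = $keyCredentials | ConvertTo-Json -Depth 4
$json | Set-Content -Path (Join-Path $OutDir 'keyCredentials.json') -Encoding ASCII
$json
```

The .cer this writes is the only file that goes to Azure AD; the .pfx is the input to the openssl key-extraction steps. The thumbprint check catches the common mistake of pasting a hash computed from a different certificate than the one that was exported.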
Extract the private key from the .pfx as a PEM file. openssl prompts for the .pfx import password and then for a passphrase to protect the PEM output (add -nodes if you want the intermediate PEM left unencrypted):
openssl pkcs12 -nocerts -in <PFX Path> -out <PEM Path>
Convert the extracted PEM key to PKCS#8 DER format. Because -nocrypt writes the key unencrypted, restrict access to the resulting file and delete the intermediate PEM when you are done:
openssl pkcs8 -topk8 -inform PEM -outform DER -in <PEM Path> -out <DER Path> -nocrypt