
Create Certificate for SharePoint List App-Only Authentication

To enable SharePoint List app-only authentication, you need to create a certificate, upload its public part to an app registration in the Azure portal, and extract the private key from the PFX file. At the end of this page you will have the four values the sign-in needs: Client ID, Tenant ID, Thumbprint and private key.

To create a certificate…

  1. Create an empty folder on your computer.

  2. Create a text file in the folder.

  3. Copy the PowerShell script from the Granting access via Azure AD App-Only page and paste it into the text file.

  4. Rename the text file to:

    Create-SelfSignedCertificate.ps1
  5. Run Windows PowerShell in the folder.

  6. Change to the directory which contains the script. Otherwise, the next step will fail because PowerShell cannot find .\Create-SelfSignedCertificate.ps1.

  7. Copy the command:

    .\Create-SelfSignedCertificate.ps1 -CommonName "myCertificate" -StartDate 2022-09-25 -EndDate 2023-10-25
    

    The CommonName value in quotes is the name of the certificate you are creating; it is also used for the output file names. Enter a unique name for this value. Change the StartDate to the current date and the EndDate to a date of your choice. The certificate cannot be used outside this validity window, so note the EndDate and plan to replace the certificate before it expires.

  8. Paste the copied command with your changes into Windows PowerShell and press Enter.

    Windows PowerShell prompts: Enter the password to protect Private Key.

    Remember this password; you need it to open the PFX file in a later step.

  9. Windows PowerShell creates two files named after the CommonName, for example myCertificate.pfx (certificate plus private key, protected by the password) and myCertificate.cer (public certificate only, which is the file you upload to Azure).
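The steps above rely on a script from another page. As an added example that is not that script and not part of the original page, the following Windows PowerShell script does the same job end to end (CommonName, StartDate, EndDate, password-protected PFX, public .cer) and adds the checks a practitioner wants before moving on: that the PFX opens with the password, that the .cer carries the same thumbprint, and that the key does not linger in the Windows certificate store. The parameter names, the 2048-bit RSA / SHA-256 choices and the default validity of one year are assumptions of this example.

```powershell
# Added example (not the PnP "Granting access via Azure AD App-Only" script):
# create a self-signed certificate for SharePoint app-only authentication,
# export <CommonName>.cer (public, for Azure) and <CommonName>.pfx (key, keep private),
# verify both files, and print the thumbprint to compare with Azure after upload.
# Parameter names and defaults are assumptions of this example.
param(
    [Parameter(Mandatory = $true)][string]$CommonName,
    [datetime]$StartDate = (Get-Date),
    [datetime]$EndDate = (Get-Date).AddYears(1),
    [string]$OutDir = (Get-Location).Path
)

if ($EndDate -le $StartDate) { throw "EndDate must be later than StartDate." }

# 2048-bit RSA signing key with a SHA-256 signature; Exportable so it can be written to a PFX.
$cert = New-SelfSignedCertificate `
    -Subject "CN=$CommonName" `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeySpec Signature -KeyExportPolicy Exportable `
    -NotBefore $StartDate -NotAfter $EndDate

$cerPath = Join-Path $OutDir "$CommonName.cer"
$pfxPath = Join-Path $OutDir "$CommonName.pfx"

# Public certificate (DER): this is the file uploaded under Certificates & secrets.
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# Certificate plus private key, protected by a password the operator must keep.
$password = Read-Host -Prompt "Enter the password to protect Private Key" -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $password | Out-Null

# Sanity checks: the PFX opens with that password, and the .cer is the same certificate.
$pfx = Get-PfxData -FilePath $pfxPath -Password $password
if ($pfx.EndEntityCertificates[0].Thumbprint -ne $cert.Thumbprint) { throw "PFX does not match the created certificate." }
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
if ($cer.Thumbprint -ne $cert.Thumbprint) { throw ".cer does not match the created certificate." }

# The PFX is now the only copy of the key that should exist: remove key and cert from the store.
Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey

Write-Output "Created $cerPath (upload this) and $pfxPath (keep this private)"
Write-Output "Thumbprint (compare with Azure after upload): $($cert.Thumbprint)"
Write-Output "Valid from $($cert.NotBefore) to $($cert.NotAfter)"
```

Save the block as a .ps1 file and run it from the folder where the files should land, for example `.\New-AppOnlyCertificate.ps1 -CommonName "myCertificate" -StartDate 2022-09-25 -EndDate 2023-10-25` (the file name is an assumption). Because the key is deleted from the store at the end, losing the PFX or its password means creating a new certificate and repeating the Azure upload; that is the intended trade-off, since a key that stays exportable in a user's store is one more place it can be stolen from.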

To upload your certificate to Azure portal…

  1. Sign in to the Azure portal and register a new application with these parameters:

    Name: Name of your choice.

    Supported account types: Accounts in this organizational directory only (your tenant only - Single tenant).

  2. Go to API permissions > Add a permission > Request API permissions > SharePoint.

  3. Select Application permissions and then add the permissions you require. Application permissions apply to the app itself, with no signed-in user involved, so grant only what the integration needs (for example Sites.Read.All for read-only access to lists rather than Sites.FullControl.All).

  4. Select Grant admin consent for your tenant and confirm with Yes. Application permissions have no effect until an administrator has consented.

  5. When you complete the previous steps, go to Certificates & secrets. Do not add a client secret to this app, as it interferes with the certificate-based authentication flow.

  6. Select Upload certificate, choose the .cer file from your computer and, after the upload finishes, select Add. Upload only the .cer file; the .pfx contains the private key and must never be uploaded anywhere.

  7. Copy the certificate's Thumbprint. It is shown in the Thumbprint column under Certificates & secrets and is also recorded as customKeyIdentifier in the keyCredentials entry of the app's Manifest. The value you need is the 40-character hexadecimal SHA-1 thumbprint; you will use it later. You have now registered the app and linked the certificate.

To obtain the private key, convert the PFX file to a PEM file using OpenSSL. OpenSSL is not part of Windows; install it, or use the copy that ships with Git for Windows.

  1. Open the Command Prompt.

  2. Go to the folder with your PFX file and run this command (replace MyCertificate with your CommonName):

    openssl pkcs12 -in MyCertificate.pfx -out MyCertificate.pem -nodes

    The -nodes option writes the private key unencrypted, so treat the PEM file as a secret: keep it out of shared folders and source control, and delete it once the key has been copied into the application. If OpenSSL 3.x reports an unsupported algorithm when reading a PFX exported by Windows, add -legacy to the command.

  3. Enter the PFX password which you used in step 8 of the certificate creation process.

  4. Open the PEM file in Notepad and copy the private key, including the line

    -----BEGIN PRIVATE KEY-----

    through the line

    -----END PRIVATE KEY-----

    The PEM file also contains Bag Attributes lines and the certificate itself (between BEGIN CERTIFICATE and END CERTIFICATE); copy only the private key block, with nothing before or after it. If the block is labelled BEGIN ENCRYPTED PRIVATE KEY, the -nodes option was missing; run the command again.
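Before pasting the key into the application, it is worth confirming that the PEM file really holds the private key for the certificate that was uploaded, and that the thumbprint you copied from Azure is the one for this certificate. As an added example that is not part of the original page, the following PowerShell script runs those checks by calling the same openssl binary used above. It assumes openssl is on PATH, that the .cer is the DER file produced in the creation step, and that the file names follow the CommonName; the parameter name and the file-name convention are assumptions of this example.

```powershell
# Added example (not part of the original page): verify the PEM written by
# "openssl pkcs12 ... -nodes" against the .cer uploaded to Azure.
# Assumes openssl.exe is on PATH and files are named <CommonName>.pem / <CommonName>.cer.
param(
    [string]$CommonName = "MyCertificate"   # assumption: same name as in the steps above
)
$pem = "$CommonName.pem"   # output of openssl pkcs12: key and certificate in one file
$cer = "$CommonName.cer"   # DER file uploaded under Certificates & secrets

if (-not (Get-Command openssl -ErrorAction SilentlyContinue)) { throw "openssl not found on PATH." }
foreach ($f in $pem, $cer) { if (-not (Test-Path $f)) { throw "File not found: $f" } }

# 1. The key must be unencrypted (-nodes). An encrypted key has a different header.
$pemText = Get-Content $pem -Raw
if ($pemText -match 'BEGIN ENCRYPTED PRIVATE KEY') { throw "Key is encrypted; re-run openssl pkcs12 with -nodes." }
$keyPattern = '-----BEGIN (RSA )?PRIVATE KEY-----[\s\S]*?-----END (RSA )?PRIVATE KEY-----'
$keyBlock = [regex]::Match($pemText, $keyPattern).Value
if (-not $keyBlock) { throw "No private key block found in $pem." }

# 2. A private key belongs to a certificate only if the RSA modulus is identical.
#    openssl rsa finds the key inside the combined PEM; openssl x509 reads the DER .cer.
$keyModulus  = & openssl rsa  -in $pem -noout -modulus 2>$null
$certModulus = & openssl x509 -in $cer -inform DER -noout -modulus
if (-not $keyModulus -or $keyModulus -ne $certModulus) { throw "Private key in $pem does not match $cer." }

# 3. Thumbprint in the form Azure shows it: SHA-1 fingerprint without the colons.
$fp = & openssl x509 -in $cer -inform DER -noout -fingerprint -sha1   # "SHA1 Fingerprint=AB:CD:..."
$thumbprint = ($fp -split '=', 2)[1] -replace ':', ''

# 4. Report. The key block is exactly what gets pasted as the Private key value.
Write-Output "Private key in $pem matches $cer."
Write-Output "Thumbprint to compare with Azure: $thumbprint"
Write-Output "Private key block: $(($keyBlock -split "`n").Count) lines, header and footer included."
Write-Output "Do not copy the Bag Attributes or the CERTIFICATE block from $pem."
```

If the modulus check fails, the PEM was most likely produced from a different PFX (for example an earlier attempt with another CommonName); if the thumbprint differs from the one in Azure, the wrong .cer was uploaded. Either way, fix the mismatch before continuing, because the sign-in will otherwise fail with an error that does not say which of the four values is wrong.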

To finish the setup...

  1. Copy the Application (client) ID and the Directory (tenant) ID from the Overview page of the newly registered app in the Azure portal.

  2. Once you have all four credentials, you can sign in with SharePoint List Service Principal authentication:

    1. Client ID

    2. Tenant ID

    3. Thumbprint

    4. Private key

Treat the private key with the same care as a password: anyone who holds it together with the Client ID and Tenant ID can act as the app with every permission you granted. Store it only in the application's credential store, delete the PEM file from disk, keep the PFX and its password somewhere safe for reinstalls, and repeat this page before the EndDate of the certificate to rotate it.