Create Certificate for SharePoint List App-Only Authentication

To enable SharePoint List app-only authentication, you need to create a certificate, upload it to the Azure portal, and obtain a private key.

To create a certificate…

  1. Create an empty folder on your computer.

  2. Create a text file in the folder.

  3. Copy the PowerShell script from the Granting access via Azure AD App-Only page and paste it into the text file.

  4. Rename the text file to:

  5. Run Windows PowerShell in the folder.

  6. Go to the directory which contains the text file. Otherwise, the next step will fail.

  7. Copy the command:

    .\Create-SelfSignedCertificate.ps1 -CommonName "myCertificate" -StartDate 2022-09-25 -EndDate 2023-10-25

    The CommonName value in quotes is the name of the certificate which we’re creating. Enter a unique name for this value. Change the StartDate to the current date and the EndDate to a date of your choice.

  8. Paste the copied command with your changes to Windows PowerShell and then press Enter.

    Windows PowerShell will prompt Enter the password to protect Private Key.

    Make sure you always remember the password as it is very important in later steps.

  9. Windows PowerShell creates 2 files: MyCertificate.pfx and MyCertificate.cer.

To upload your certificate to Azure portal…

  1. Sign in to Azure Portal and register a new application with these parameters:

    Name: Name of your choice.

    Supported account types: Accounts in this organizational directory only (Account name only - Single tenant).

  2. Go to API Permissions > Add permission > Request API permissions > SharePoint.

  3. Select Application permissions and then add your required permissions.

  4. Select Grant admin consent and then select Yes.

  5. When you complete the previous steps, go to Certificates & Secrets. Don’t add Client Secrets in the app as it interferes with the certificate-based authentication flow.

  6. Select Upload Certificate and then upload your CER certificate from your computer. After the upload finishes, select Add.

  7. Go to Manifest, find KeyCredentials and then copy the customKeyIdentifier as the Thumbprint. You will use this later. You've now registered the app and linked the certificate.

To obtain a private key, convert the PFX file to a PEM file using OpenSSL.

  1. Run the Command Prompt.

  2. Go to the folder with your PFX file and run this command:

    openssl pkcs12 -in MyCertificate.pfx -out MyCertificate.pem -nodes

  3. Enter the PFX password which you used in step 8 of the certificate creation process.

  4. Open the PEM file in Notepad and copy the private key, including the following lines:

    -----BEGIN PRIVATE KEY-----


    -----END PRIVATE KEY-----

To finish the setup...

  1. Copy the ClientID and TenantID from the newly registered app in the Azure portal.

  2. Once you have all of these 4 credentials, you can sign in with SharePoint List Service Principal authentication.

    1. Client ID

    2. Tenant ID

    3. Thumbprint

    4. Private key
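
Before entering the four values, you can check that the files produced above belong together. The following PowerShell script is an added example, not part of the original procedure or of the script from the Granting access via Azure AD App-Only page. It assumes the file names MyCertificate.cer, MyCertificate.pfx and MyCertificate.pem in the current folder, and that the manifest shows the thumbprint either as hex or as Base64.

```powershell
# Added example (not from the original page). File names follow the steps above.
$cerPath = Join-Path $PWD 'MyCertificate.cer'
$pfxPath = Join-Path $PWD 'MyCertificate.pfx'
$pemPath = Join-Path $PWD 'MyCertificate.pem'

# 1. Public certificate that was uploaded to the app registration.
$cer = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cerPath)

# The thumbprint is the SHA-1 hash of the DER-encoded certificate.
# Assumption: the manifest shows customKeyIdentifier either as hex or as
# Base64 of the same bytes, so both forms are printed for comparison.
$hex = $cer.Thumbprint
$b64 = [Convert]::ToBase64String($cer.GetCertHash())
"Thumbprint (hex)   : $hex"
"Thumbprint (Base64): $b64"

# 2. The certificate must be inside its validity window.
$now = Get-Date
if ($now -lt $cer.NotBefore -or $now -gt $cer.NotAfter) {
    Write-Warning "Certificate is not valid today: $($cer.NotBefore) to $($cer.NotAfter)"
}

# 3. The PFX must hold the private key of that same certificate.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$pfx = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxPath, $pfxPassword)
if (-not $pfx.HasPrivateKey) { Write-Warning 'The PFX contains no private key.' }
if ($pfx.Thumbprint -ne $hex) { Write-Warning 'The PFX and the CER are different certificates.' }

# 4. The PEM written by openssl should contain exactly one private key block.
if (Test-Path $pemPath) {
    $pem = Get-Content -Raw $pemPath
    $keyBlocks = [regex]::Matches($pem, '-----BEGIN PRIVATE KEY-----').Count
    if ($keyBlocks -ne 1) { Write-Warning "Expected 1 private key block, found $keyBlocks." }
    # -nodes means the key in this file is not encrypted.
    Write-Warning "$pemPath holds the private key unencrypted; delete it after copying the key."
}
```

If the script prints no warnings other than the final reminder about the PEM file, the thumbprint it prints is the one to compare with the value copied from the manifest.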