If you are creating an Azure AD app with app-only permissions, a so-called daemon app, you need to use a certificate. One option is to create a self-signed certificate. Most blog posts use the deprecated makecert tool, which can be hard to come by if you have not used it before.
The alternative is to use PowerShell cmdlets. So far I’ve seen some samples, but not one complete script that does it all. Here I would like to share the script I use:
# Friendly name and subject of the certificate; use a name that identifies the app
$certFriendlyName = "name.domain.com"
# Password protecting the exported .pfx (which contains the private key); keep it out of source control
$certPassword = "youruniquepassword"
$certLocation = "C:\Temp\certificate.pfx"
$date = Get-Date
$certEndDate = $date.AddYears(1)
# Note: the two AddYears(1) calls give the certificate a two-year validity period
$certNotAfter = $certEndDate.AddYears(1)
$securePassword = (ConvertTo-SecureString -String $certPassword -Force -AsPlainText)
# Create the certificate in the current user's personal store. Without -CertStoreLocation the cmdlet
# defaults to Cert:\CurrentUser\My, so exporting from Cert:\LocalMachine\My afterwards fails with "Cannot find path".
$certificate = New-SelfSignedCertificate -Type Custom -FriendlyName $certFriendlyName -Subject $certFriendlyName -KeyLength 2048 -KeyExportPolicy Exportable -Provider "Microsoft Software Key Storage Provider" -CertStoreLocation "Cert:\CurrentUser\My" -NotAfter $certNotAfter
# Export certificate and private key as a password-protected .pfx; passing the object itself avoids any store-path mismatch
Export-PfxCertificate -Cert $certificate -FilePath $certLocation -Password $securePassword
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certLocation, $certPassword)
# GetRawCertData() returns only the DER-encoded public certificate (no private key); this becomes the manifest "value"
$bin = $cer.GetRawCertData()
$base64Value = [System.Convert]::ToBase64String($bin)
# SHA-1 certificate hash, base64-encoded; this becomes the manifest "customKeyIdentifier"
$base64Thumbprint = [System.Convert]::ToBase64String($cer.GetCertHash())
# Any new GUID works as the manifest "keyId"
$keyid = [System.Guid]::NewGuid().ToString()
Write-Host "Please store the following information" -ForegroundColor Yellow
Write-Host "You can find the private certificate under $($certLocation)"
Write-Host "KeyId: $($keyid)"
Write-Host "Base64 value: $($base64Value)"
Write-Host "Base64 thumbprint: $($base64Thumbprint)"
After you’ve run the script, you can copy and paste the results into the keyCredentials section of your Azure AD app manifest. Only the base64 value (the public certificate) and the thumbprint go into the manifest; the .pfx file holds the private key and stays with the daemon app that signs the token requests.
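As an added example that is not part of the original post, the following function builds the complete keyCredentials entry for the manifest from the exported .pfx and checks that the embedded value carries no private key; it assumes the $certLocation and $certPassword variables from the script above, and the startDate and endDate fields are taken from the certificate's own validity period.

```powershell
# Added example, not from the original post. Assumes $certLocation and $certPassword from the script above.
function New-KeyCredentialEntry {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [string] $PfxPassword
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword)

    # GetRawCertData() serialises only the DER public certificate; the private key in the .pfx never leaves this machine.
    $entry = [ordered]@{
        customKeyIdentifier = [Convert]::ToBase64String($cert.GetCertHash())   # base64 SHA-1 thumbprint
        keyId               = [Guid]::NewGuid().ToString()
        type                = "AsymmetricX509Cert"
        usage               = "Verify"
        startDate           = $cert.NotBefore.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
        endDate             = $cert.NotAfter.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
        value               = [Convert]::ToBase64String($cert.GetRawCertData())
    }

    # Sanity check before pasting: re-parse the value and confirm it is the same certificate without a private key.
    $publicOnly = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
        [byte[]][Convert]::FromBase64String($entry.value))
    if ($publicOnly.HasPrivateKey) { throw "Manifest value unexpectedly contains a private key" }
    if ($publicOnly.Thumbprint -ne $cert.Thumbprint) { throw "Thumbprint mismatch between .pfx and manifest value" }

    return $entry
}

# Emit the fragment to merge into the app manifest's keyCredentials array
$entry = New-KeyCredentialEntry -PfxPath $certLocation -PfxPassword $certPassword
@{ keyCredentials = @($entry) } | ConvertTo-Json -Depth 3
```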