
Executing PowerShell Scripts in SharePoint Server to Create a Certificate and Issuer ID


Take a look at this step-by-step guide that shows you how to create a self-signed certificate to access provider-hosted apps.


SharePoint offers two kinds of add-ins: the provider-hosted app and the SharePoint-hosted app. To build a provider-hosted app you first have to create a self-signed certificate on the SharePoint server.

Why a Self-Signed Certificate?

During development, a self-signed certificate establishes the trust between the provider-hosted app and the SharePoint server: SharePoint accepts tokens signed with the certificate's private key. If the vendor has purchased a certificate instead, they still need to create an issuer ID in SharePoint Server and attach the purchased certificate to the provider-hosted app, so that the app can authenticate the user to SharePoint Server.

Why a Provider-Hosted App?

Components that are deployed and hosted inside or outside the SharePoint farm are easily incorporated into a provider-hosted app for SharePoint. It also lets you write the application code in .NET against the client-side object model (CSOM).

To create the self-signed certificate, follow these steps.

You need an X.509 digital certificate for the remote web application of your high-trust add-in. To fully test your SharePoint Add-in you need a domain-issued certificate or a commercial certificate issued by a certificate authority; for the initial phase of debugging, however, a self-signed certificate is enough. If you have further doubts or concerns, you can also consult a SharePoint consultant or consultancy.

The following procedure describes how to create and export a test certificate. Below are the provider-hosted app scripts for the certificate and the token issuer:

Step 1

Execute the command below in the SharePoint Management Shell; change the certificate name and password if required.

$makecert = "C:\Program Files\Microsoft Office Servers\15.0\Tools\makecert.exe"
$certmgr  = "C:\Program Files\Microsoft Office Servers\15.0\Tools\certmgr.exe"

# folder that receives the .cer and .pfx files (Step 2 reads the .cer back from C:\Certs\)
$outputDirectory = "C:\Certs\"
if (-not (Test-Path $outputDirectory)) { New-Item -ItemType Directory -Path $outputDirectory | Out-Null }

# specify domain name for SSL certificate
$domain = "ProviderApp"

# create file names for SSL certificate files
$publicCertificatePath  = $outputDirectory + $domain + ".cer"
$privateCertificatePath = $outputDirectory + $domain + ".pfx"

Write-Host "Creating .cer certificate file..."
# -r self-signed, -pe exportable private key, -eku 1.3.6.1.5.5.7.3.1 = Server Authentication
# (-eku needs an OID), key pair stored in LocalMachine\My; the last argument is the output .cer file
& $makecert -r -pe -n "CN=$domain" -b 01/01/2012 -e 01/01/2022 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 $publicCertificatePath

# development only: this makes the machine trust the self-signed certificate
Write-Host "Registering certificate in the LocalMachine Trusted Root store..."
& $certmgr /add $publicCertificatePath /s /r localMachine root

# get certificate to obtain thumbprint
$publicCertificate = Get-PfxCertificate -FilePath $publicCertificatePath
$publicCertificateThumbprint = $publicCertificate.Thumbprint

# locate the matching entry (the one holding the private key) in LocalMachine\My and export it as .pfx
Get-ChildItem cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $publicCertificateThumbprint } | ForEach-Object {
    Write-Host "  .. exporting private key for certificate (*.PFX)" -ForegroundColor Gray
    # the password protects the .pfx; change it if required (the add-in's web.config needs the same value)
    $privateCertificateByteArray = $_.Export("PFX", "Password1")
    [System.IO.File]::WriteAllBytes($privateCertificatePath, $privateCertificateByteArray)
    Write-Host "  Certificate exported" -ForegroundColor Gray
}

Step 2

Execute the code below in the SharePoint Management Shell to create the token issuer.
(Note: make sure the certificate file name is the same as the one created by the previous script, and that the GUID is entirely lower-case.)

# issuer ID: any GUID, but it must be all lower-case (hex letters included)
$issuerID = "44444444-5555-5555-5555-666666655555"
$realm = Get-SPAuthenticationRealm
$registeredIssuerName = $issuerID + '@' + $realm

Write-Host $registeredIssuerName

# the same .cer file that Step 1 wrote
$publicCertificatePath = "C:\Certs\ProviderApp.cer"
$publicCertificate = Get-PfxCertificate $publicCertificatePath

Write-Host "Create token issuer"
# -IsTrustBroker lets this issuer sign tokens for any add-in, which a high-trust add-in relies on
$secureTokenIssuer = New-SPTrustedSecurityTokenIssuer `
                     -Name $issuerID `
                     -RegisteredIssuerName $registeredIssuerName `
                     -Certificate $publicCertificate `
                     -IsTrustBroker

$secureTokenIssuer | Select-Object * | Out-File -FilePath "SecureTokenIssuer.txt"

# development only: lets the add-in call SharePoint over plain HTTP; keep it $false (the default) on an HTTPS farm
$serviceConfig = Get-SPSecurityTokenServiceConfig
$serviceConfig.AllowOAuthOverHttp = $true
$serviceConfig.Update()   # without Update() the setting is not persisted
Write-Host "All done..."
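After both scripts have run, it is worth confirming that the certificate and the issuer are wired together before moving on to the app registration. The following verification script is an added example and is not part of the original article; it assumes the values used in Steps 1 and 2 (the .cer at C:\Certs\ProviderApp.cer and the issuer ID 44444444-5555-5555-5555-666666655555) and that it runs in the SharePoint 2013 Management Shell on a farm server.

```powershell
# Added verification script; not part of the original article.
# Assumes the values used in Steps 1 and 2 above and the SharePoint 2013 Management Shell.
$publicCertificatePath = "C:\Certs\ProviderApp.cer"
$issuerID = "44444444-5555-5555-5555-666666655555"
$problems = @()
$cer = $null

# 1. The .cer exists and the same certificate sits in LocalMachine\My together with its private key
#    (SharePoint only needs the public part, but the Step 1 PFX export needs the private key)
if (-not (Test-Path $publicCertificatePath)) {
    $problems += "Missing $publicCertificatePath"
} else {
    $cer = Get-PfxCertificate -FilePath $publicCertificatePath
    $my = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $cer.Thumbprint } | Select-Object -First 1
    if (-not $my) { $problems += "Thumbprint $($cer.Thumbprint) is not in LocalMachine\My" }
    elseif (-not $my.HasPrivateKey) { $problems += "Certificate in LocalMachine\My has no private key, so the PFX export cannot work" }

    # 2. Trusted Root holds a copy (this is what 'certmgr /add ... root' did in Step 1)
    if (-not (Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $cer.Thumbprint })) {
        $problems += "Certificate is not in LocalMachine\Root"
    }

    # 3. The validity window still covers today (Step 1 hard-codes the -b/-e dates)
    $now = Get-Date
    if ($cer.NotBefore -gt $now -or $cer.NotAfter -lt $now) {
        $problems += "Certificate is outside its validity period ($($cer.NotBefore) to $($cer.NotAfter))"
    }
}

# 4. The issuer ID is a GUID written in lower-case hex; upper-case letters make token validation fail
if ($issuerID -cnotmatch '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$') {
    $problems += "Issuer ID must be a lower-case GUID: $issuerID"
}

# 5. The trusted issuer exists and is bound to the same certificate and the current realm
$realm  = Get-SPAuthenticationRealm
$issuer = Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.Name -eq $issuerID }
if (-not $issuer) {
    $problems += "No SPTrustedSecurityTokenIssuer named $issuerID"
} else {
    $expected = $issuerID + '@' + $realm
    if ($issuer.RegisteredIssuerName -ne $expected) {
        $problems += "RegisteredIssuerName is '$($issuer.RegisteredIssuerName)', expected '$expected'"
    }
    if ($cer -and $issuer.SigningCertificate.Thumbprint -ne $cer.Thumbprint) {
        $problems += "Issuer signing certificate does not match $publicCertificatePath"
    }
}

# 6. Report the OAuth-over-HTTP switch so it is not left enabled outside a development farm
$allowHttp = (Get-SPSecurityTokenServiceConfig).AllowOAuthOverHttp
Write-Host "AllowOAuthOverHttp = $allowHttp (expected False on an HTTPS-only farm)"

if ($problems.Count -eq 0) {
    Write-Host "All checks passed" -ForegroundColor Green
} else {
    $problems | ForEach-Object { Write-Host "PROBLEM: $_" -ForegroundColor Red }
}
```

The thumbprint comparison in check 5 is the one that catches the most common mistake: re-running Step 1 after Step 2, which creates a new key pair while the issuer in SharePoint still points at the old certificate.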

Provider-Hosted App (SharePoint Add-In) Creation Demo

The app is registered in SharePoint Server and hosted on another server. Follow the steps below to register the app.

Step 1

Create a registration ID from the SharePoint 2013 site:

  1. Open the developer site you created in a browser.
  2. Append _layouts/15/appregnew.aspx to the site URL.
  3. Click the Generate button next to App ID (the value is generated into the textbox).
  4. Click the Generate button next to App Secret (the value is generated into the textbox).
  5. Fill in the remaining fields (here you can change your domain name).
  6. Click the OK button.
  7. All IDs are then displayed.
  8. Copy all the IDs and save them in a notepad file; they will be entered in the project's web.config file.

Read more about Provider-Hosted App (SharePoint Add-In) Configuration in SharePoint Server 2013.
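The IDs saved in step 8 end up as appSettings entries in the remote web project's web.config. The script below is an added example, not code from the original article or from the add-in template; it assumes the appSettings keys that the Visual Studio provider-hosted add-in template reads (ClientId, IssuerId, ClientSigningCertificatePath, ClientSigningCertificatePassword), and the project path and the App ID in the usage call are placeholders to replace with your own values.

```powershell
# Added example, not from the original article. Writes the values saved from appregnew.aspx
# into the add-in web project's web.config. Assumed appSettings keys: ClientId, IssuerId,
# ClientSigningCertificatePath, ClientSigningCertificatePassword (Visual Studio add-in template).
function Set-AddInAppSettings {
    param(
        [Parameter(Mandatory = $true)][string]$WebConfigPath,
        [Parameter(Mandatory = $true)][hashtable]$Settings
    )
    if (-not (Test-Path $WebConfigPath)) { throw "web.config not found: $WebConfigPath" }

    # GUIDs copied from appregnew.aspx are normalised to lower-case, matching the issuer registered in Step 2
    foreach ($key in @($Settings.Keys)) {
        if ($Settings[$key] -match '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$') {
            $Settings[$key] = $Settings[$key].ToLowerInvariant()
        }
    }
    if ($Settings.ContainsKey('ClientSigningCertificatePath') -and -not (Test-Path $Settings['ClientSigningCertificatePath'])) {
        Write-Warning "PFX not found at $($Settings['ClientSigningCertificatePath']); copy the Step 1 export there before running the add-in"
    }

    Copy-Item -Path $WebConfigPath -Destination "$WebConfigPath.bak" -Force   # keep the previous version

    # XPath lookups are used instead of $config.configuration.appSettings, which returns an
    # empty string (not an element) when <appSettings /> is empty
    [xml]$config = Get-Content -Path $WebConfigPath -Raw
    $appSettings = $config.SelectSingleNode('/configuration/appSettings')
    if (-not $appSettings) {
        $appSettings = $config.DocumentElement.AppendChild($config.CreateElement('appSettings'))
    }
    foreach ($key in $Settings.Keys) {
        $node = $appSettings.SelectSingleNode("add[@key='$key']")
        if (-not $node) {
            $node = $appSettings.AppendChild($config.CreateElement('add'))
            $node.SetAttribute('key', $key)
        }
        $node.SetAttribute('value', [string]$Settings[$key])
    }
    $config.Save($WebConfigPath)
}

# usage: the PFX password is stored in clear text here, which is acceptable on a development box only
Set-AddInAppSettings -WebConfigPath "C:\Projects\ProviderApp\ProviderAppWeb\web.config" -Settings @{
    ClientId                         = "00000000-0000-0000-0000-000000000000"  # placeholder: App ID from appregnew.aspx
    IssuerId                         = "44444444-5555-5555-5555-666666655555"  # issuer ID registered in Step 2
    ClientSigningCertificatePath     = "C:\Certs\ProviderApp.pfx"              # PFX exported in Step 1
    ClientSigningCertificatePassword = "Password1"                             # password used for the PFX export
}
```

The function rewrites existing `<add key=... />` entries in place and appends any that are missing, so it can be re-run after regenerating an App ID without leaving duplicate keys behind.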

Step 2

Create the web application in IIS:

  1. Open the Run dialog and type inetmgr, or open IIS Manager directly.
  2. Right-click Sites and select Add Website.
  3. Fill in the form (site name, physical path and an HTTPS binding with the host name used for the app) and click the OK button.
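The same site can be created from a script, which also makes the HTTPS binding to the Step 1 certificate explicit. This is an added example and not part of the original article: the site name, host name and folder are placeholders, it assumes ProviderApp.pfx from Step 1 has already been imported into LocalMachine\My on the IIS server (it is only there automatically when IIS runs on the SharePoint server itself), and it needs the WebAdministration module.

```powershell
# Added example, not from the original article: scripted equivalent of the "Add Website" dialog
# with an HTTPS binding to the Step 1 certificate. Site name, host name and folder are placeholders.
Import-Module WebAdministration

$siteName     = "ProviderApp"
$hostHeader   = "providerapp.example.local"   # placeholder: the host name entered as the app domain on appregnew.aspx
$physicalPath = "C:\inetpub\ProviderApp"      # placeholder: folder that receives the published web project
$subject      = "CN=ProviderApp"              # the -n value from the makecert call in Step 1

# newest non-expired certificate with that subject and a private key; fail early if it is not on this machine
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $subject -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable certificate with subject $subject in LocalMachine\My; import the Step 1 PFX first" }

if (-not (Test-Path $physicalPath)) { New-Item -ItemType Directory -Path $physicalPath | Out-Null }

# a dedicated application pool keeps the add-in isolated from other sites on the box
if (-not (Test-Path "IIS:\AppPools\$siteName")) { New-WebAppPool -Name $siteName | Out-Null }

# HTTPS-only site on 443 with the host header; no plain-HTTP binding is created
if (-not (Test-Path "IIS:\Sites\$siteName")) {
    New-Website -Name $siteName -PhysicalPath $physicalPath -ApplicationPool $siteName `
                -Port 443 -HostHeader $hostHeader -Ssl | Out-Null
}

# attach the certificate to the 0.0.0.0:443 listener (one certificate per IP:port without SNI)
if (-not (Test-Path "IIS:\SslBindings\0.0.0.0!443")) {
    $cert | New-Item "IIS:\SslBindings\0.0.0.0!443" | Out-Null
}

Get-WebBinding -Name $siteName | Format-Table protocol, bindingInformation -AutoSize
Write-Host "Site $siteName listens on https://$hostHeader/ with certificate $($cert.Thumbprint)"
```

Because SharePoint will call back to the host name registered on appregnew.aspx, that name has to match the binding's host header here and resolve (DNS or hosts file) to the IIS server from the SharePoint farm.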
