#Prepare a Certificate for the Custom Azure App

This section details how to prepare self-signed certificate files (.cer/.crt file and .pfx file). The .cer/.crt file must be uploaded for the custom app in Microsoft Entra ID, and the .pfx file must be uploaded to AvePoint Online Services to consent to the app. For security, we recommend you use new certificate files to re-authorize apps, so you do not need to keep certificate files once they have been successfully uploaded.

To prepare self-signed certificate files based on your scenario, choose one of the following methods.

#Use a Key Vault in Azure to Prepare Certificates

Before preparing a certificate with this method, make sure you have a key vault in Azure. If you have an Azure subscription but do not have any key vaults, refer to the instructions in Create a Key Vault in Azure. Then follow the instructions below to prepare the certificate.

1. In the , navigate to Key vaults.

2. On the Key vaults page, select a key vault and then select Certificates in the left menu.

   

3. In the Certificates panel, click Generate/Import and complete the required fields. The screenshot below is a sample certificate.

   *Note: In the Content Type field, select PKCS #12.

   

4. Click Create and wait for the Status of the certificate to become Enabled. You can click Refresh to update the status if needed.

   

5. Click the name of the certificate, and then select the current version of the certificate.

6. Click Download in CER format and Download in PFX/PEM format to download the certificate files to your local machine.

   

7. When you have the certificate (.pfx file), you must set a password to protect the certificate.

   1. Open Windows PowerShell and paste the following script to Windows PowerShell. Replace [Full path to your PFX] with the full path of the certificate (.pfx file) in your local machine. Note that quotes are required when you enter the commands.

      $pfxPath=”[Full path to your PFX]” Export-PfxCertificate -Password $(Read-Host -AsSecureString -Prompt "Enter a password to protect the certificate") -PFXData $(Get-PfxData -FilePath $pfxPath) -FilePath $pfxPath

   2. Press Enter to execute the script.

   *Note: The .pfx file contains your private key.

After completing the steps above, you will get two certificate files:

#Use Windows PowerShell to Prepare Certificates

To create a self-signed certificate using Windows PowerShell, refer to the following steps:

*Note: The steps below are based on running Windows PowerShell on a machine with the Windows 10 or Windows 11 operating system.

1. Right-click Windows PowerShell on the machine and select Run as administrator from the drop-down list.

2. Refer to the following example to use the New-SelfSignedCertificate cmdlet to generate certificate files.

   $cert = New-SelfSignedCertificate -Subject CN=AvePointCustomApp -CertStoreLocation 'Cert:\CurrentUser\My' -NotAfter (Get-Date).AddMonths(24)

   Press Enter on the keyboard.

   *Note: If you want to customize the parameters in the command, refer to the information below.

   • Subject – This parameter specifies the subject of the certificate. It typically includes the Common Name (CN) which identifies the entity the certificate is issued to.

   • CertStoreLocation – This parameter specifies the certificate store in which to store the new certificate. You can choose between user-specific or machine-wide stores. For example, -CertStoreLocation 'Cert:\CurrentUser\My' for the current user or -CertStoreLocation 'Cert:\LocalMachine\My' for the local machine.

   • NotAfter – This parameter sets the expiration date of the certificate. The Get-Date cmdlet retrieves the current date and time, and AddMonths(24) adds 24 months to it, meaning the certificate will be valid for two years from the date of creation. If necessary, you can change the number of AddMonths.

3. Export the .crt (or .cer) file by entering the following command:

   Export-Certificate -Cert $cert -FilePath AvePointCustomApp.crt

   Note the following:

   • If you want to export a .cer file, replace the .crt with .cer in the cmdlet example above.

   • In this command, the file will be saved to the current working directory of the PowerShell session. If you want to specify a different directory, provide the full path by referring to the cmdlet example below:

     Export-Certificate -Cert $cert -FilePath "C:\Temp\AvePointCustomApp.crt"

4. Export the .pfx file with a password by entering the following command:

   Export-PfxCertificate -Password $(Read-Host -AsSecureString -Prompt "Enter a password to protect the certificate") -Cert $cert -FilePath AvePointCustomApp.pfx

   Note the following:

   • The .pfx file contains your private key.

   • In this command, the file will be saved to the current working directory of the PowerShell session. If you want to specify a different directory, provide the full path by referring to the cmdlet example below:

     Export-PfxCertificate -Password $(Read-Host -AsSecureString -Prompt "Enter a password to protect the certificate") -Cert $cert -FilePath "C:\Temp\AvePointCustomApp.pfx"

   Press Enter on the keyboard.

5. After completing the steps above, you will get two certificate files:

   • The .crt/.cer file must be uploaded for the custom app in Microsoft Entra ID. For additional details on uploading the certificate, refer to Create a Custom Azure App.

   • The .pfx file must be uploaded to AvePoint Online Services to consent to the app. For additional details, refer to Consent to Custom Apps (renew an app profile) or Re-authorize App Profiles for Microsoft Tenants (renew an app profile).

   *Note: If you need to apply certificate files for other services’ agents, refer to the following links:

   • EnPower –

   • Fly – and

   • Opus –

6. If you want to remove the certificate files, enter the following command and press Enter on the keyboard:

   Remove-Item "Cert:\CurrentUser\My$($cert.Thumbprint)”