Creating Self-Signed (domain) Certificate for Provider-Hosted App

This is the certificate that will be used on the IIS site to make it SSL enabled site.  It’s different from the one to create the STS Security token (High Trust Provider-Hosted App Solution).  If the certificate is not created with proper domain associated, you’ll have issues with calling the App Event Receivers.  To create the certificate and set it up on IIS, following the instruction below:

  1. Open Visual Studio Developer Command Prompt and type the following command

(1) Create new certificate

makecert -r -pe -n "" -b 01/01/2013 -e 01/11/2015 -eku -ss my -sr localMachine -sky exchange -sy 12 -sp "Microsoft RSA SChannel Cryptographic Provider" "D:\SSLCerts\SPAppCertDev.cer"

(2) Add new certificate

certmgr /add "D:\SSLCerts\SPAppCertDev.cer" /s /r localMachine root

*** You need to replace the domain ( with your domain and the file path for the new certificate.

  1. Open MMC.exe and add Certificates snap-in
    •  Copy the new certificate from “Personal/Certificates” folder to “Trusted Root Certification Authorities/Certificates” folder.
  2. Open IIS Manager
    • Verify your domain certificate is added
    • Bind it to your IIS site
  3. Create Trust Root Authority on SharePoint Central Admin
    1. Open SharePoint Central Admin
    2. Click Security -> Manage Trust
    3. Click New
    4. Enter the information and browse to the newly create certificate on the page and save it.TrustRelationship

You can also run PowerShell Script to add a new trust relationship:

#Get the certificate from the hard drive
$publicCertificate = Get-PfxCertificate "SPAppCertDev.cer"
New-SPTrustedRootAuthority -Name "$($publicCertificate.Subject)_$($publicCertificate.Thumbprint)" -Certificate $publicCertificate

Creating Certificate on a Remote Server

If the server you’re on doesn’t have VS Studio installed, you can create the .cert and .pfx files on a different server and import them manually.

The script below will create the .cer and .pvk files.

makecert -r -pe -n "CN=devapps.*" -b 01/01/2013 -e 01/11/2027 -sky exchange -sy 12 -sp "Microsoft RSA SChannel Cryptographic Provider" -sv "D:\SSLCerts\SPSiteTestDev.pvk" "D:\SSLCerts\SPSiteTestDev.cer"

The script below will create the .pfx file from the .cer and .pvk file. The .pfx is needed to import to IIS site.

pvk2pfx -pvk "D:\SSLCerts\SPSiteTestDev.pvk" -spc "D:\SSLCerts\SPSiteTestDev.cer" -pfx "D:\SSLCerts\SPSiteTestDev.pfx" -pi Password

2 thoughts on “Creating Self-Signed (domain) Certificate for Provider-Hosted App

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s