How to create a self-signed certificate for my Azure AD application.


If you'd like to register an Azure AD application directly in the Azure Portal, you will need to generate a credential associated with the application and manage it on your own to use as the authentication token.

Generate an identity certificate for Azure AD application

If you already subscribe to a Certificate Authority service, you can simply submit a new Certificate Signing Request to your CA and generate an identity certificate for your Azure AD application.

Users not subscribed to a Certificate Authority service can create and self-sign their own simple certificate using the openssl command on a local machine. Follow the instructions below for your operating system: the first set of steps is for Windows, the second is for macOS and Linux.

  1. OpenSSL does not have an official distribution for Windows users. Fortunately, the OpenSSL project offers several stable links to third-party products. You can download a lightweight OpenSSL for Windows installation package from one of the links in this wiki.
  2. Next, open a command prompt as Administrator and change to the <openssl installation directory>\bin directory. Run the following command to check that the installation has succeeded:

    openssl version

    NOTE: By default, the installation directory is C:\Program Files\OpenSSL-Win64.

  3. Create a Certificate Signing Request (.csr file) and generate a private key (.key file) using the following command:

    openssl req -newkey rsa:4096 -nodes -keyout cubebackup.key -batch -out cubebackup.csr

    This command will generate a simple CSR and write a 4096-bit private key to your current directory for self-signing. Because of the -nodes option, the private key file is not encrypted, so restrict access to it.

  4. Next, self-sign the certificate using the private key that was just generated:

    openssl x509 -signkey cubebackup.key -in cubebackup.csr -req -days 3650 -out cubebackup.crt

    You may replace the validity period of 3650 with any number of days you wish. Just be aware that once the period of validity has expired, you will need to replace the certificate with a new one.

  5. Now that the certificate (.crt file) and the private key (.key file) have been created in your current directory, you can move on and complete the authentication in the Azure portal.

  1. macOS and many Linux distributions come with pre-compiled OpenSSL packages. You can run the following command directly from a shell to confirm whether OpenSSL has already been installed.

    openssl version

    If OpenSSL is not installed, you can download the installation package directly from the OpenSSL project and configure it, or install OpenSSL directly from Homebrew, YUM or apt-get.

  2. Create a Certificate Signing Request (.csr file) and generate a private key (.key file) using the following command:

    openssl req -newkey rsa:4096 -nodes -keyout cubebackup.key -batch -out cubebackup.csr

    This command will generate a simple CSR and write a 4096-bit private key to your current directory for self-signing. Because of the -nodes option, the private key file is not encrypted, so restrict access to it.

  3. Next, self-sign the certificate using the private key that was just generated:

    openssl x509 -signkey cubebackup.key -in cubebackup.csr -req -days 3650 -out cubebackup.crt

    You may replace the validity period of 3650 with any number of days you wish. Just be aware that once the period of validity has expired, you will need to replace the certificate with a new one.

  4. Now that the certificate (.crt file) and the private key (.key file) have been created in your current directory, you can move on and complete the authentication in the Azure portal.
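
Before uploading, it is worth confirming that the files produced by the steps above belong together. The script below is an added example, not part of the original instructions: it checks that the certificate carries the public key of the private key, that it is self-issued, and that it will not expire soon, then prints the thumbprint to compare with the one the Azure portal lists after upload. The function names, the 30-day threshold, and the assumption that the portal's thumbprint is the SHA-1 fingerprint are mine.

```shell
#!/bin/sh
# Added example: sanity checks for the files produced by the steps above.
# File names default to the ones used on this page; the 30-day threshold is an assumption.

# Print the certificate's SHA-1 fingerprint as bare uppercase hex.
thumbprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//' | tr -d ':' | tr 'a-f' 'A-F'
}

# Succeed only if the certificate carries the public key of the given private key.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Succeed only if subject and issuer are identical (self-issued by name).
is_self_issued() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    issr=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ -n "$subj" ] && [ "$subj" = "$issr" ]
}

# Succeed only if the certificate stays valid for at least $2 more days.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# usage: check_pair KEY CRT [MIN_DAYS]
check_pair() {
    key=$1; crt=$2; min_days=${3:-30}
    key_matches_cert "$key" "$crt" || { echo "FAIL: $crt does not match $key" >&2; return 1; }
    is_self_issued "$crt" || { echo "FAIL: $crt is not self-issued" >&2; return 1; }
    valid_for_days "$crt" "$min_days" || { echo "FAIL: $crt expires within $min_days days" >&2; return 1; }
    chmod 600 "$key"   # -nodes wrote the key unencrypted; keep it owner-only
    echo "OK thumbprint=$(thumbprint "$crt")"
}

# Run against the page's files when they are present in the current directory.
if [ -f cubebackup.key ] && [ -f cubebackup.crt ]; then
    check_pair cubebackup.key cubebackup.crt 30
fi
```

Run it from the directory that holds cubebackup.key and cubebackup.crt; on Windows it needs a POSIX shell such as Git Bash.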