Associate a certificate with the Entra app ID for BEMS
You can request and export a new client certificate from your CA server or use a self-signed certificate. The private key must be in .pfx format to upload to the BEMS dashboard. The public key can be exported as a .cer or .pem file to upload to Microsoft Entra ID. For more information, see 'Enable modern authentication for the Mail service in BEMS' in the Microsoft Exchange Online and hybrid Microsoft Exchange Online environments Modern Authentication for BlackBerry Dynamics apps content.

- Complete one of the following tasks:
  - If you are using an existing CA server:
    - Request the certificate. The certificate that you request must include the app name in the subject of the certificate. The <appname> is the name you assigned the app in step 5 of Obtain an Entra app ID for BEMS with certificate-based authentication.
    - Export the public key of the certificate as a .cer or .pem file. The public key is used for the Entra app ID that is created.
    - Export the private key of the certificate as a .pfx file. The private key is imported to the BEMS dashboard.
  - If you are using a self-signed certificate:
    - Create a self-signed certificate using the New-SelfSignedCertificate command. For more information, visit the Microsoft resource New-SelfSignedCertificate.
      - On the computer running Microsoft Windows, open Windows PowerShell.
      - Run the following command:

            $cert = New-SelfSignedCertificate -Subject "CN=<appname>" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature

        Where <appname> is the name that you assigned the app in step 5 of Obtain an Entra app ID for BEMS with certificate-based authentication. The certificate that you request must include the Entra app name in the subject field.
    - Export the public key from the Microsoft Management Console (MMC). Save the public certificate as a .cer or .pem file. The public key is used for the Entra app ID that is created.
      - On the computer running Windows, open the Certificate Manager for the logged in user.
      - Expand Personal.
      - Click Certificates.
      - Right-click the <user>@<domain> and click All Tasks > Export.
      - In the Certificate Export Wizard, click No, do not export private key.
      - Click Next.
      - Select Base-64 encoded X.509 (.cer). Click Next.
      - Provide a name for the certificate and save it to your desktop.
      - Click Next.
      - Click Finish.
      - Click OK.
    - Export the private key from the Microsoft Management Console (MMC). Make sure to include the private key and save it as a .pfx file. For instructions, see the Microsoft resource Export a Certificate with the Private Key. The private key is imported to the BEMS dashboard.
      - On the computer running Windows, open the Certificate Manager for the logged in user.
      - Expand Personal.
      - Click Certificates.
      - Right-click the <user>@<domain> and click All Tasks > Export.
      - In the Certificate Export Wizard, click Yes, export private key.
      - Click Next.
      - Select Personal Information Exchange – PKCS #12 (.pfx). Click Next.
      - Select the security method.
      - Provide a name for the certificate and save it to your desktop.
      - Click Next.
      - Click Finish.
      - Click OK.
- Upload the public certificate (.pem or .cer file) that you exported in step 1 to associate the certificate credentials with the Entra app ID for BEMS.
  - In entra.microsoft.com, open the app with the <app name> that you assigned in step 5 of Obtain an Entra app ID for BEMS with certificate-based authentication.
  - Click Certificates & secrets.
  - In the Certificates section, click Upload certificate.
  - In the Select a file search field, navigate to the location where you exported the certificate in step 1.
  - Click Add.
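
The self-signed certificate path from step 1, scripted in PowerShell with checks that the file uploaded to Entra carries only the public key and matches the generated certificate. This is an added example, not part of the BlackBerry procedure; the app name `BEMS-Mail`, the desktop output paths and the one-year validity are assumptions.

```powershell
# Added example (not from the BlackBerry documentation).
# Assumptions: placeholder app name, files written to the desktop, 1-year validity.
$appName = 'BEMS-Mail'   # placeholder: the name assigned to the Entra app
$outDir  = [Environment]::GetFolderPath('Desktop')
$cerPath = Join-Path $outDir "$appName.cer"
$pfxPath = Join-Path $outDir "$appName.pfx"

# Same command as in step 1, with an explicit expiry so the renewal date is known.
$cert = New-SelfSignedCertificate -Subject "CN=$appName" `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyExportPolicy Exportable -KeySpec Signature `
    -NotAfter (Get-Date).AddYears(1)

# Public key only, Base-64 encoded X.509 (.cer), for upload to Entra.
$b64 = [Convert]::ToBase64String($cert.RawData, [Base64FormattingOptions]::InsertLineBreaks)
Set-Content -Path $cerPath -Encoding ascii -Value @(
    '-----BEGIN CERTIFICATE-----', $b64, '-----END CERTIFICATE-----')

# Private key as password-protected PKCS #12 (.pfx), for import into the BEMS dashboard.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# Check 1: the .cer must carry no private key and must match the store certificate.
$public = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)
if ($public.HasPrivateKey) { throw "$cerPath contains a private key; do not upload it." }
if ($public.Thumbprint -ne $cert.Thumbprint) {
    throw 'Exported .cer does not match the generated certificate.'
}

# Check 2: the subject must contain the app name, as the procedure requires.
if ($public.Subject -ne "CN=$appName") { throw "Unexpected subject: $($public.Subject)" }

# Compare this thumbprint with the one Entra lists under Certificates & secrets after upload.
[pscustomobject]@{
    Subject    = $public.Subject
    Thumbprint = $public.Thumbprint
    NotAfter   = $public.NotAfter
    PublicFile = $cerPath
    PfxFile    = $pfxPath
}
```

After the .pfx is imported into the BEMS dashboard, delete the desktop copy; the exportable private key also remains in `Cert:\CurrentUser\My` until the certificate is removed from that store.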