Associate a certificate with the Entra app ID for BEMS
You can request and export a new client certificate from your CA server or use a self-signed certificate. The private key must be in .pfx format to upload to the BEMS dashboard. The public key can be exported as a .cer or .pem file to upload to Microsoft Entra ID. For more information, see Enable modern authentication for the Mail service in BEMS.

- Complete one of the following tasks:
  - If you are using an existing CA server:
    - Request the certificate. The certificate that you request must include the app name in the subject of the certificate. The <app name> is the name you assigned the app in step 5 of Obtain an Entra app ID for BEMS with certificate-based authentication.
    - Export the public key of the certificate as a .cer or .pem file. The public key is used for the Entra app ID that is created.
    - Export the private key of the certificate as a .pfx file. The private key is imported to the BEMS dashboard.
  - If you are using a self-signed certificate:
    - Create a self-signed certificate using the New-SelfSignedCertificate command. For more information, visit the Microsoft resource New-SelfSignedCertificate.
      - On the computer running Microsoft Windows, open Windows PowerShell.
      - Run the following command:
        $cert=New-SelfSignedCertificate -Subject "CN=<app name>" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature
        Where <app name> is the name that you assigned the app in step 5 of Obtain an Entra app ID for BEMS with certificate-based authentication. The certificate that you request must include the Entra app name in the subject field.
    - Export the public key from the Microsoft Management Console (MMC). Save the public certificate as a .cer or .pem file. The public key is used for the Entra app ID that is created.
      - On the computer running Windows, open the Certificate Manager for the logged in user.
      - Expand Personal.
      - Click Certificates.
      - Right-click the <user>@<domain> and click All Tasks > Export.
      - In the Certificate Export Wizard, click No, do not export private key.
      - Click Next.
      - Select Base-64 encoded X.509 (.cer). Click Next.
      - Provide a name for the certificate and save it to your desktop.
      - Click Next.
      - Click Finish.
      - Click OK.
    - Export the private key from the Microsoft Management Console (MMC). Make sure to include the private key and save it as a .pfx file. For instructions, see the Microsoft resource Export a Certificate with the Private Key. The private key is imported to the BEMS dashboard.
      - On the computer running Windows, open the Certificate Manager for the logged in user.
      - Expand Personal.
      - Click Certificates.
      - Right-click the <user>@<domain> and click All Tasks > Export.
      - In the Certificate Export Wizard, click Yes, export private key.
      - Click Next.
      - Select Personal Information Exchange – PKCS #12 (.pfx). Click Next.
      - Select the security method.
      - Provide a name for the certificate and save it to your desktop.
      - Click Next.
      - Click Finish.
      - Click OK.
- Upload the public certificate (.pem or .cer file) that you exported in step 1 to associate the certificate credentials with the Entra app ID for BEMS.
  - In entra.microsoft.com, open the app with the <app name> that you assigned in step 5 of Obtain an Entra app ID for BEMS with certificate-based authentication.
  - Click Certificates & secrets.
  - In the Certificates section, click Upload certificate.
  - In the Select a file search field, navigate to the location where you exported the certificate in step 2.
  - Click Add.
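
The self-signed certificate path above can also be scripted. The following PowerShell is an added example, not part of the original procedure or vendor code: it creates the certificate with the same command, writes the Base-64 .cer and a password-protected .pfx, and checks that the .cer carries no private key before you upload it. `$AppName` and `$OutDir` are assumed values; replace them with your own.

```powershell
# Added example: scripted equivalent of the MMC export steps.
# Assumptions: $AppName and $OutDir are hypothetical values.
$AppName = 'BEMS-Mail-App'                       # your <app name>
$OutDir  = Join-Path $env:USERPROFILE 'Desktop'

# Create the key pair in the current user's Personal store (same command as above).
$cert = New-SelfSignedCertificate -Subject "CN=$AppName" `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyExportPolicy Exportable -KeySpec Signature

# Public key only: Base-64 encoded X.509 (.cer) for upload to Entra.
$raw     = [Convert]::ToBase64String($cert.RawData)
$lines   = ($raw -split '(.{64})') -ne ''         # wrap at 64 characters
$cerPath = Join-Path $OutDir "$AppName.cer"
Set-Content -Path $cerPath -Encoding Ascii -Value (
    @('-----BEGIN CERTIFICATE-----') + $lines + @('-----END CERTIFICATE-----'))

# Private key: password-protected PKCS #12 (.pfx) for import to the BEMS dashboard.
$pfxPassword = Read-Host -Prompt 'Password for the .pfx file' -AsSecureString
$pfxPath     = Join-Path $OutDir "$AppName.pfx"
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# Checks on the file that goes to Entra: no private key, same certificate, expected subject.
$public = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
if ($public.HasPrivateKey) { throw "$cerPath unexpectedly contains a private key" }
if ($public.Thumbprint -ne $cert.Thumbprint) { throw 'Exported .cer does not match the store certificate' }
if ($public.Subject -ne "CN=$AppName") { throw "Unexpected subject: $($public.Subject)" }

# Summary to keep with the change record.
[pscustomobject]@{
    Subject     = $public.Subject
    Thumbprint  = $public.Thumbprint
    NotAfter    = $public.NotAfter
    PublicFile  = $cerPath
    PrivateFile = $pfxPath
}
```

After the upload, the thumbprint listed under Certificates & secrets should match the `Thumbprint` value printed here, and `NotAfter` is the date by which the certificate must be replaced.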