Associate a certificate with the Entra app ID for BEMS

You can request and export a new client certificate from your CA server or use a self-signed certificate. The private key must be in .pfx format to upload to the BEMS dashboard. The public key can be exported as a .cer or .pem file to upload to Microsoft Entra ID. For more information, see Enable modern authentication for the Mail service in BEMS.
  1. Complete one of the following tasks:
    Certificate
    Task
    If you are using an existing CA server
    1. Request the certificate. The certificate that you request must include the app name in the subject of the certificate, where <app name> is the name you assigned the app in step 5 of Obtain an Entra app ID for BEMS with certificate-based authentication.
    2. Export the public key of the certificate as a .cer or .pem file. The public key is used for the Entra app ID that is created.
    3. Export the private key of the certificate as a .pfx file. The private key is imported to the BEMS dashboard.
    If you are using a self-signed certificate
    1. Create a self-signed certificate using the New-SelfSignedCertificate command. For more information, visit docs.microsoft.com and read New-SelfSignedCertificate.
      1. On the computer running Microsoft Windows, open Windows PowerShell.
      2. Enter the following command, where <app name> is the name you assigned the app in step 5 of Obtain an Entra app ID for BEMS with certificate-based authentication. The certificate that you request must include the Entra app name in the subject field.
        $cert=New-SelfSignedCertificate -Subject "CN=<app name>" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature
      3. Press Enter.
    2. Export the public key from the Microsoft Management Console (MMC). Make sure to save the public certificate as a .cer or .pem file. The public key is used for the Entra app ID that is created.
      1. On the computer running Windows, open the Certificate Manager for the logged-in user.
      2. Expand Personal.
      3. Click Certificates.
      4. Right-click the <user>@<domain> and click All Tasks > Export.
      5. In the Certificate Export Wizard, click No, do not export private key.
      6. Click Next.
      7. Select Base-64 encoded X.509 (.cer). Click Next.
      8. Provide a name for the certificate and save it to your desktop.
      9. Click Next.
      10. Click Finish.
      11. Click OK.
    3. Export the private key from the Microsoft Management Console (MMC). Make sure to include the private key and save it as a .pfx file. For instructions, visit docs.microsoft.com and read Export a Certificate with the Private Key. The private key is imported to the BEMS dashboard.
      1. On the computer running Windows, open the Certificate Manager for the logged-in user.
      2. Expand Personal.
      3. Click Certificates.
      4. Right-click the <user>@<domain> and click All Tasks > Export.
      5. In the Certificate Export Wizard, click Yes, export private key.
      6. Click Next.
      7. Select Personal Information Exchange – PKCS #12 (.pfx). Click Next.
      8. Select the security method.
      9. Provide a name for the certificate and save it to your desktop.
      10. Click Next.
      11. Click Finish.
      12. Click OK.
  2. Upload the public certificate (.pem or .cer file) that you exported in step 1 to associate the certificate credentials with the Entra app ID for BEMS.
    1. In portal.azure.com, open the <app name> you assigned the app in step 5 of Obtain an Entra app ID for BEMS with certificate-based authentication.
    2. Click Certificates & secrets.
    3. In the Certificates section, click Upload certificate.
    4. In the Select a file search field, navigate to the location where you exported the certificate in step 2.
    5. Click Add.
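
The self-signed path in step 1 can also be scripted end to end; the following PowerShell is an added example, not part of the original BlackBerry documentation, and it checks that the .cer file carries no private key before it is uploaded in step 2. The app name BEMS-Mail-App and the Desktop output folder are placeholder assumptions.

```powershell
# Added example, not BlackBerry's own script. Placeholder values (assumptions):
$AppName = 'BEMS-Mail-App'                        # name you assigned the Entra app
$OutDir  = Join-Path $env:USERPROFILE 'Desktop'   # where both files are written

# Same parameters as the command in step 1: key pair and self-signed
# certificate are created in the current user's Personal store.
$cert = New-SelfSignedCertificate -Subject "CN=$AppName" `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyExportPolicy Exportable -KeySpec Signature

# Public certificate only, Base-64 encoded, for upload to Microsoft Entra ID.
$b64 = [Convert]::ToBase64String($cert.RawData,
    [Base64FormattingOptions]::InsertLineBreaks)
$cerPath = Join-Path $OutDir "$AppName.cer"
Set-Content -Path $cerPath -Encoding Ascii -Value @(
    '-----BEGIN CERTIFICATE-----', $b64, '-----END CERTIFICATE-----')

# Certificate plus private key as a password-protected .pfx for the BEMS dashboard.
$pfxPassword = Read-Host -Prompt 'Password for the .pfx' -AsSecureString
$pfxPath = Join-Path $OutDir "$AppName.pfx"
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword |
    Out-Null

# Check 1: the file that goes to Entra ID must not contain a private key.
$public = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cerPath)
if ($public.HasPrivateKey) {
    throw "$cerPath unexpectedly contains a private key"
}

# Check 2: the .pfx and the .cer describe the same certificate.
$pfxData = Get-PfxData -FilePath $pfxPath -Password $pfxPassword
$pfxCert = $pfxData.EndEntityCertificates[0]
if ($pfxCert.Thumbprint -ne $public.Thumbprint) {
    throw 'Thumbprint mismatch between the .pfx and .cer files'
}

# Values to compare with the entry shown under Certificates & secrets after upload.
[pscustomobject]@{
    Subject    = $public.Subject
    Thumbprint = $public.Thumbprint
    NotAfter   = $public.NotAfter    # plan the replacement before this date
    CerFile    = $cerPath
    PfxFile    = $pfxPath
}
```

After the .pfx has been imported to the BEMS dashboard, delete the copy on the desktop; the certificate in Cert:\CurrentUser\My still holds an exportable private key, so treat that user profile accordingly.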