Public Certificate Creation using win-acme (Optional)
To authenticate with a certificate, both a public and a private key are required. The following steps generate a keystore on the server with win-acme and then use KeyStore Explorer to extract the public and private keys from it. This step is optional: skip it if the client already has a trusted certificate issued by a recognized certificate authority (CA).

Generate the PFX with win-acme:

1. Download win-acme from the official website (https://www.win-acme.com/). The download is a ZIP file; extract its contents onto the middleware server, e.g. C:\wacs.
2. Open a command prompt as Administrator, change to C:\wacs and run wacs.exe.
3. Choose "M" from the menu (create certificate with full options).
4. Type 2 to enter the domain(s) manually, then provide the DNS name(s). Multiple names are separated by commas.
5. When prompted for the friendly name of the generated certificate, enter a suitable name.
6. Type 4 to generate a single certificate.
7. Type 2 for "Serve verification files from memory". This is HTTP validation, so each DNS name must resolve to this server and port 80 must be reachable from the internet while win-acme runs.
8. Type 2 for an RSA key.
9. Type 3 to generate a PFX archive, then provide the folder where the PFX file is to be saved.
10. Type 1 to leave the PFX without a password, or 2 to protect it with a password. This guide chooses 1.
11. Select 5 for no additional store steps, then 3 for no additional installation steps.
12. win-acme now runs and writes the PFX file to the chosen location. Press Q to quit.

Extract the keys with KeyStore Explorer:

1. Download KeyStore Explorer (https://keystore-explorer.org/downloads.html) and install it with the default settings.
2. Open KeyStore Explorer and drag and drop the newly generated PFX file onto its window, or choose to open an existing keystore. Enter the password if you set one when creating the PFX; otherwise press Enter or click OK. The certificate chain with the DNS name should now be listed.
3. Right-click the certificate chain and select Export → Export Private Key. For the password, enter the one you provided earlier, or press Enter or click OK. Select PKCS#8 as the private key export type and click OK.
4. You are then offered encryption and an export file location. This guide uses an unencrypted private key: uncheck Encrypt, set the folder and file name in the Export File field, and click Export. A success message should appear.
5. Export the public certificate: right-click again and select Export → Export Certificate Chain. Choose Entire Chain for the export length and X.509 for the export format, set the folder and file name in the Export File field, and click Export. A success message should appear.
6. The chosen folder should now contain two files: the .pem file is the private key and the .cer file is the public certificate (the leaf certificate followed by its issuing chain).

Because the exported .pem is unencrypted, anyone who can read it can authenticate as the application. Restrict the NTFS permissions on the file to the account the middleware runs under, and keep the PFX itself out of world-readable locations. Note also that the exported files are static copies: when win-acme renews the certificate, re-export both files and update the public certificate wherever it was registered.

Place both files under the config folder of the middleware installation and set the following keys in the init file:

- 'sharepoint.cert.privatekey.path': the private key path
- 'sharepoint.cert.publickey.path': the public certificate path
- 'sharepoint.cert.privatekey.encrypted': 'yes' or 'no', depending on whether the private key is encrypted
- 'sharepoint.cert.privatekey.password': the private key password, encrypted with the encryption utility (only needed when the key is encrypted; leave it empty for the unencrypted key exported above)

For more details, refer to the "SharePoint M365 Endpoint" section.

SharePoint (SP365) authentication configuration

```properties
# Authentication modes
# App-based authentication enables service-to-service communication without user interaction
sp365.sharepoint.appbasedauthentication = true
# Certificate-based authentication uses certificates for enhanced security
sp365.sharepoint.certbasedauthentication = true

# OAuth 2.0 parameters
# Grant type
sp365.sharepoint.granttype = client_credentials
# Client assertion type
sp365.sharepoint.client.assertion.type = urn\:ietf\:params\:oauth\:client-assertion-type\:jwt-bearer
# Resource URL
sp365.sharepoint.resource.url = https://graph.microsoft.com

# Certificate configuration
# Private key path: path to the private key file used to sign JWTs
sp365.sharepoint.cert.privatekey.path = <path to private key .pem>
# Private key encryption: indicates whether the private key file is encrypted
sp365.sharepoint.cert.privatekey.encrypted = yes
# Private key password (use the encryption utility); provide only if encryption is enabled
sp365.sharepoint.cert.privatekey.password = <secure password>
# Public key path: path to the public certificate used to validate signatures
sp365.sharepoint.cert.publickey.path = <path to public cert .cer>

# JWT settings
# Type
sp365.sharepoint.jwt.type = JWT
# Algorithm
sp365.sharepoint.jwt.algorithm = RS256
# Expiration, e.g. 1 hour = 3600000 ms
sp365.sharepoint.jwt.expiration.millisec = 3600000
```
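As an added example (not part of this page or of the middleware's own code), the following Go program shows what the certificate and JWT settings above drive, and doubles as a check on the exported files: it loads an unencrypted PKCS#8 .pem key and an X.509 .cer certificate of the kind exported with KeyStore Explorer, verifies that the two actually belong together (a mismatch the GUI export does not detect), builds the RS256-signed client_credentials assertion (jwt-bearer type, with the certificate's x5t thumbprint in the header), and then verifies that assertion using only the public certificate while refusing any other algorithm. The key and certificate are generated in-process as constructed test material; the client ID and token endpoint are placeholders, and the claim layout follows the Microsoft identity platform's documented client-assertion format rather than anything taken from the middleware.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// loadKeyAndCert parses the exported files (unencrypted PKCS#8 PEM key; X.509 PEM
// certificate, first block of a chain export = leaf) and checks that they belong together.
func loadKeyAndCert(keyPEM, certPEM []byte) (*rsa.PrivateKey, *x509.Certificate, error) {
	kb, _ := pem.Decode(keyPEM)
	cb, _ := pem.Decode(certPEM)
	if kb == nil || kb.Type != "PRIVATE KEY" || cb == nil || cb.Type != "CERTIFICATE" {
		return nil, nil, errors.New("need an unencrypted PKCS#8 PRIVATE KEY block and a CERTIFICATE block")
	}
	parsed, err := x509.ParsePKCS8PrivateKey(kb.Bytes)
	key, ok := parsed.(*rsa.PrivateKey)
	if err != nil || !ok {
		return nil, nil, errors.New("private key is not a parseable RSA key (RS256 needs RSA)")
	}
	cert, err := x509.ParseCertificate(cb.Bytes)
	if err != nil || !key.PublicKey.Equal(cert.PublicKey) {
		return nil, nil, errors.New("certificate unparseable or does not match the private key")
	}
	return key, cert, nil
}

// clientAssertion builds the RS256-signed JWT sent as client_assertion (type jwt-bearer) with
// the client_credentials grant. x5t = base64url SHA-1 thumbprint of the certificate, which lets
// the token endpoint select the registered public key; ttl mirrors jwt.expiration.millisec.
func clientAssertion(key *rsa.PrivateKey, cert *x509.Certificate, clientID, tokenEndpoint string, ttl time.Duration) (string, error) {
	thumb := sha1.Sum(cert.Raw)
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "x5t": base64.RawURLEncoding.EncodeToString(thumb[:])})
	jti := make([]byte, 16)
	rand.Read(jti) // unique token ID, so a captured assertion cannot simply be replayed
	now := time.Now()
	claims, _ := json.Marshal(map[string]any{"aud": tokenEndpoint, "iss": clientID, "sub": clientID,
		"jti": base64.RawURLEncoding.EncodeToString(jti), "nbf": now.Unix(), "exp": now.Add(ttl).Unix()})
	signingInput := base64.RawURLEncoding.EncodeToString(header) + "." + base64.RawURLEncoding.EncodeToString(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// verifyAssertion is what a party holding only the public certificate should do: pin the
// algorithm (no "none"/HS256 downgrade), verify the signature over the exact signing input, check expiry.
func verifyAssertion(token string, cert *x509.Certificate) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	hdrJSON, e1 := base64.RawURLEncoding.DecodeString(parts[0])
	claimsJSON, e2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, e3 := base64.RawURLEncoding.DecodeString(parts[2])
	var hdr map[string]string
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hdrJSON, &hdr) != nil || hdr["alg"] != "RS256" {
		return nil, errors.New("bad encoding or unsupported alg (only RS256 is accepted)")
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ok || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature does not verify against the certificate")
	}
	var claims map[string]any
	json.Unmarshal(claimsJSON, &claims) // on failure claims stays nil, so exp below reads as 0
	if exp, _ := claims["exp"].(float64); int64(exp) <= time.Now().Unix() {
		return nil, errors.New("claims unparseable or assertion expired")
	}
	return claims, nil
}

// makeTestMaterial fabricates a throwaway key and self-signed certificate in the exported PEM shapes.
func makeTestMaterial() (keyPEM, certPEM []byte) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"middleware.example.test"}, // constructed name
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	pkcs8, _ := x509.MarshalPKCS8PrivateKey(key)
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: pkcs8}),
		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	key, cert, _ := loadKeyAndCert(makeTestMaterial()) // freshly generated material always matches
	// Placeholder client ID and token endpoint; use the app registration's real values.
	tok, _ := clientAssertion(key, cert, "<client-id>", "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token", time.Hour)
	_, err := verifyAssertion(tok, cert)
	fmt.Println("assertion verifies against the exported certificate:", err == nil)
}
```

To check a real export, replace makeTestMaterial with the contents of the .pem and .cer files: a "does not match" error from loadKeyAndCert means the private key and certificate came from different keystores, which would otherwise only surface as an opaque token-endpoint rejection.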