Certificate used while creating a Provider Hosted Application in SharePoint 2013

Sathish Nadarajan
SharePoint MVP
Published On :   25 Mar 2014

In the article, we saw the step-by-step approach to creating a provider hosted application. There, while creating an app from Visual Studio, we supply a certificate and an Issuer ID. I have thought of explaining it to the community for a long time, but we forgot and moved on to other areas. Now it's time to look into that.

I request the readers to have a look at the above-mentioned article to make sure that we are on the same track.

As a quick walkthrough: in step 5, we need to provide a PFX file and an Issuer ID.


This Issuer ID is added automatically to the web.config of our provider hosted application. The steps to create and use it are as follows.

1. Create a self-signed certificate from InetMgr. Please refer here.

2. Export the certificate and create the PFX with a password.

3. Now, we need to create the Issuer ID.

To create the Issuer ID, go to the Appregnew.aspx page. The full URL will be something like https://MyServer/sites/MySiteCollection/_layouts/15/Appregnew.aspx.


Once we give the Issuer ID, the web.config of the app will look like this:

 <add key="ClientSigningCertificatePath" value="C:\MyCertificate.pfx"/>
 <add key="ClientSigningCertificatePassword" value="****"/>
 <add key="IssuerId" value="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"/>

4. Register the Issuer ID to create a new Trusted Identity Token Issuer using a PowerShell script.

5. The following script will do that.

 # Registering an Issuer ID 1dfc02bc-ff74-4604-b295-b58860cba1f9
 Add-PSSnapin "Microsoft.SharePoint.PowerShell"
 # Must match the IssuerId value in web.config exactly (no surrounding spaces)
 $issuerID = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"
 $targetSiteUrl = "https://MyWebApplication:3000/sites/DeveloperSite/"
 $targetSite = Get-SPSite $targetSiteUrl
 $realm = Get-SPAuthenticationRealm -ServiceContext $targetSite
 # The registered issuer name has the form <issuer ID>@<realm>
 $registeredIssuerName = $issuerID + '@' + $realm
 # Public certificate (.cer) exported from the same certificate as the PFX
 $publicCertificatePath = "C:\Certs\MyCert.cer"
 $publicCertificate = Get-PfxCertificate $publicCertificatePath
 Write-Host "Create Security token issuer"
 $secureTokenIssuer = New-SPTrustedSecurityTokenIssuer -Name $issuerID -RegisteredIssuerName $registeredIssuerName -Certificate $publicCertificate -IsTrustBroker
 $secureTokenIssuer | select *
 $secureTokenIssuer | select * | Out-File -FilePath "SecureTokenIssuer.txt"
 # Turn off the HTTPS requirement for OAuth during development
 $serviceConfig = Get-SPSecurityTokenServiceConfig
 $serviceConfig.AllowOAuthOverHttp = $true
 # Persist the change; without Update() the setting is not saved
 $serviceConfig.Update()
 Write-Host "All done..."
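
A check that the registration above took effect, as an added example that is not part of the original article: it compares the PFX referenced in web.config with the registered .cer, confirms the issuer is registered as IssuerId@realm, and reports whether AllowOAuthOverHttp is still on. The function name Test-HighTrustRegistration is hypothetical; the paths and Issuer ID are the article's placeholders.

```powershell
# Added example: verifies the pieces the article wires together (function name is hypothetical).
Add-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue

function Test-HighTrustRegistration {
    param(
        [string]$IssuerId,                           # IssuerId value from web.config
        [string]$TargetSiteUrl,                      # site used to look up the realm
        [string]$CerPath,                            # public certificate registered in SharePoint
        [string]$PfxPath,                            # ClientSigningCertificatePath from web.config
        [System.Security.SecureString]$PfxPassword   # password of the exported PFX
    )
    $findings = @()

    # The app signs tokens with the PFX; SharePoint validates them with the CER.
    $cer = Get-PfxCertificate $CerPath
    $pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $PfxPath, $PfxPassword
    if ($pfx.Thumbprint -ne $cer.Thumbprint) { $findings += "PFX and CER are different certificates" }
    if (-not $pfx.HasPrivateKey) { $findings += "PFX has no private key; the app cannot sign tokens" }
    if ($cer.NotAfter -lt (Get-Date)) { $findings += "Certificate expired on $($cer.NotAfter)" }

    # The trusted token issuer must be registered as <issuer ID>@<realm>.
    $realm = Get-SPAuthenticationRealm -ServiceContext (Get-SPSite $TargetSiteUrl)
    $expectedName = $IssuerId.Trim() + '@' + $realm
    $issuer = Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.RegisteredIssuerName -eq $expectedName }
    if (-not $issuer) {
        $findings += "No trusted token issuer registered as $expectedName"
    } elseif ($issuer.SigningCertificate.Thumbprint -ne $cer.Thumbprint) {
        $findings += "Registered issuer trusts a different certificate than $CerPath"
    }

    # The development-only switch should not stay enabled on a production farm.
    if ((Get-SPSecurityTokenServiceConfig).AllowOAuthOverHttp) {
        $findings += "AllowOAuthOverHttp is enabled: OAuth tokens are accepted over plain HTTP"
    }

    return $findings
}

# Usage with the article's placeholder values; the password is prompted, not hard-coded.
$pfxPassword = Read-Host "PFX password" -AsSecureString
Test-HighTrustRegistration -IssuerId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx" `
    -TargetSiteUrl "https://MyWebApplication:3000/sites/DeveloperSite/" `
    -CerPath "C:\Certs\MyCert.cer" -PfxPath "C:\MyCertificate.pfx" -PfxPassword $pfxPassword
```

An empty result means every check passed; each returned string names one mismatch to fix before deploying the app.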

Happy Coding.

Sathish Nadarajan.