
Create Client Certificates

As an application owner, you can upload or generate client certificates in Resource Admin to enable secure authentication or single sign-on for Microsoft Entra applications. EmpowerID handles the upload to Microsoft Entra ID on your behalf.

Depending on your use case, you can create:

  • An Authentication Certificate for app-to-service authentication
  • A SAML Single-Sign On Certificate for use in SAML assertion tokens
warning

You must supply a certificate only when creating an Authentication Certificate: paste the base64-encoded public certificate. Only the public part is uploaded to Microsoft Entra ID; never paste the private key or a password-protected private-key export. If you select SAML Single-Sign On Certificate, EmpowerID generates the certificate internally and no upload is needed.

What You’ll Need

Requirement                  Description
Access to Resource Admin     You must have permission to manage applications in the Resource Admin portal.
Application Ownership        You must be the owner or delegated administrator of the Azure application.
Base64 Certificate String    Required only for Authentication Certificates. You must provide the base64-encoded public certificate (not the private key).

Creating an Authentication Certificate and need a certificate to upload? The next section explains how to generate a self-signed certificate in EmpowerID.

Generate a Self-Signed Certificate in EmpowerID

1. Access the Certificate Creation Page

  1. In the EmpowerID Web interface, go to Apps and Authentication > SSO Connections.
  2. Click SSO Components.
  3. Select the Certificates tab and then click Add in the grid header.

2. Generate the Certificate

  1. Select Generate Self-Signed Certificate.

  2. Fill in the following fields:

    Field                         Value/Action
    Certificate Owner             Leave empty
    Prefer Local Machine Store    Leave empty
    Subject Name                  Use a value like CN=AzureCertificate
    Requires Password             ✅ Select to include the private key in the export
    Certificate Password          Enter a strong password
    tip

    When should you select “Requires Password”?
    Select this option when you need to export the certificate with its private key (e.g., to use as an Authentication Certificate in EmpowerID or other external systems). If you only need the public key, you can leave it unselected.

  3. Click Save to generate the certificate.

3. Export the Certificate in Base64 Format

  1. Click the Find Certificates breadcrumb to return to the SSO Components page.
  2. Search for the certificate in the Certificates tab.
  3. Click the Name of the certificate to view it.
  4. Click Export Certificate.
  5. Choose a location to save the certificate file and click Save.

Steps to Create a Client Certificate

1: Open the Create Microsoft Entra Application Client Certificate Wizard

  1. Log in to the Resource Admin portal.
  2. In the Resource Type menu, select Applications and search for your Azure application.
  3. Click the Details button for the application.
    This opens the Overview page.
  4. In the left application menu, click Client Certificates.
  5. Click Add Client Certificate.
    The Client Certificate Details form opens.

2: Fill Out the Client Certificate Form

A. Select the Certificate Type

Choose how the certificate will be used in your application:

  • Create Authentication Certificate – For client app authentication (e.g., Microsoft Graph API)
  • Create SAML Single-Sign On Certificate – For Microsoft Entra ID to sign SAML tokens for SSO
note

The fields displayed in the form change based on your selection.

B. Enter Certificate Details

If you selected “Create Authentication Certificate”:


  1. Certificate Name – Enter a unique name to identify the certificate.
  2. Certificate Description – Briefly describe the purpose of this certificate (e.g., "App-to-Graph API connection").
  3. Certificate Base64 Encoded String – Paste the base64-encoded public certificate you generated or received, as a single base64 string without BEGIN/END header lines. Do not paste the private key.
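As an added example (this is not EmpowerID or Microsoft code) covering both the "Export the Certificate in Base64 Format" step above and the Certificate Base64 Encoded String field: the POSIX shell script below uses the openssl CLI to produce an equivalent self-signed certificate outside EmpowerID, exports only the public certificate as the single-line base64 string the field expects, and checks a pasted string before you submit it (valid base64, decodes to a DER X.509 certificate rather than PEM text or a private key, not expired). The subject CN=AzureCertificate, the temp-directory layout and the 365-day default are assumptions; it requires openssl to be installed.

```shell
#!/bin/sh
# Added example, not EmpowerID or Microsoft code. Requires the openssl CLI.
# Generates a self-signed certificate, exports the public certificate as a
# single-line base64 string, and validates such a string before it is pasted
# into the "Certificate Base64 Encoded String" field.
set -eu

# Create key.pem (private key, stays with the client application) and
# cert.cer (DER-encoded public certificate, the only part uploaded) in $dir.
gen_self_signed() {
    dir="$1"; subject="$2"; days="${3:-365}"   # subject like CN=AzureCertificate (assumed)
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes \
        -subj "/$subject" -days "$days" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    openssl x509 -in "$dir/cert.pem" -outform DER -out "$dir/cert.cer"
}

# Print a DER certificate file as one base64 line with no PEM header/footer.
export_base64_public() {
    openssl base64 -A -in "$1"
    echo
}

# Check a base64 string before pasting it. Succeeds and prints the SHA-1
# thumbprint (the value Entra ID displays) only if the string decodes to an
# unexpired DER X.509 certificate. Rejects private keys and whole PEM files.
check_base64_cert() {
    b64="$1"
    case "$b64" in
        *"PRIVATE KEY"*)      echo "reject: this is a private key, not the public certificate" >&2; return 1 ;;
        *"BEGIN CERTIFICATE"*) echo "reject: paste the base64 body only, without PEM header lines" >&2; return 1 ;;
    esac
    tmp=$(mktemp)
    if ! printf '%s' "$b64" | openssl base64 -d -A >"$tmp" 2>/dev/null; then
        rm -f "$tmp"; echo "reject: not valid base64" >&2; return 1
    fi
    if grep -q -e 'PRIVATE KEY' -e 'BEGIN CERTIFICATE' "$tmp"; then
        rm -f "$tmp"; echo "reject: decoded data is PEM text or a private key, not a DER certificate" >&2; return 1
    fi
    if ! openssl x509 -inform DER -in "$tmp" -noout 2>/dev/null; then
        rm -f "$tmp"; echo "reject: does not decode to an X.509 certificate" >&2; return 1
    fi
    if ! openssl x509 -inform DER -in "$tmp" -noout -checkend 0 >/dev/null 2>&1; then
        rm -f "$tmp"; echo "reject: certificate has expired" >&2; return 1
    fi
    # "SHA1 Fingerprint=AB:CD:..." -> "ABCD..." (thumbprint form without colons)
    openssl x509 -inform DER -in "$tmp" -noout -fingerprint -sha1 | sed 's/^.*=//; s/://g'
    rm -f "$tmp"
}

# Demo run: everything stays in a temporary directory; nothing is uploaded.
demo_dir=$(mktemp -d)
gen_self_signed "$demo_dir" "CN=AzureCertificate"
demo_b64=$(export_base64_public "$demo_dir/cert.cer")
echo "Paste into Certificate Base64 Encoded String:"
echo "$demo_b64"
echo "Thumbprint Entra ID will show: $(check_base64_cert "$demo_b64")"
```

The string EmpowerID exports in step 3 should pass the same check: it must be the public certificate only. The private key never leaves the client that will authenticate (here key.pem; in EmpowerID the vaulted certificate), so a paste that the check rejects as a private key or PEM file should be discarded, not trimmed into shape. Compare the printed thumbprint with the one shown on the application in Entra ID after submission to confirm the right certificate was registered.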

If you selected “SAML Single-Sign On Certificate”:


  1. Certificate Display Name – Enter a meaningful subject name (e.g., CN=SAMLTokenCert).
  2. Certificate Expiration – Select a date when the certificate should expire.
note

EmpowerID automatically generates the SAML certificate internally. No upload is needed.

C. Configure Vaulting and Access Settings


These options determine whether the certificate is stored securely in EmpowerID and who can find or request it through the IAM Shop.

  1. Select Location
    Choose where the certificate will reside within EmpowerID’s RBAC hierarchy.

    • If a location is preselected, click the × to remove it.
    • Click Select a Location, then browse or search to choose the appropriate organizational unit.
    • This setting controls visibility, access governance, and reporting within EmpowerID.
  2. Vault this certificate
    Check this box to store the certificate securely in EmpowerID’s credential vault. Required for sharing and access control.

  3. Enable sharing for this certificate
    Optional. Allows other users to find and request access through the IAM Shop interface.

tip

If you do not vault the certificate, sharing and IAM Shop governance features will not be available.

3: Review and Submit

  1. Click Next to open the Summary screen.
  2. Review all the entered information. If you need to make changes, click Back.
  3. When ready, click Submit.
  4. Review the fulfillment status and then click Submit to confirm.

What Happens Next

  • EmpowerID registers the certificate with the Azure application.
  • If vaulting is enabled, the certificate is secured in the credential vault.
  • IAM Shop sharing and access rules are applied based on your selections.
  • The certificate appears in the Client Certificates tab of the application record.
note

All certificate actions are logged in EmpowerID’s audit trail for compliance and security tracking.