| title | servicePrincipal: addTokenSigningCertificate |
|---|---|
| description | Add a signing certificate to a servicePrincipal. |
| ms.localizationpriority | medium |
| author | alamaral |
| ms.subservice | entra-applications |
| doc_type | apiPageType |
| ms.date | 04/18/2024 |
Namespace: microsoft.graph
Create a self-signed signing certificate and return a selfSignedCertificate object, which is the public part of the generated certificate.
The self-signed signing certificate is composed of the following objects, which are added to the servicePrincipal:
- The keyCredentials object with the following objects:
- A private key object with usage set to
Sign. - A public key object with usage set to
Verify.
- A private key object with usage set to
- The passwordCredentials object.
All the objects have the same value of customKeyIdentifier.
The passwordCredential is used to open the PFX file (private key). It and the associated private key object have the same value of keyId. When set during creation through the displayName property, the subject of the certificate cannot be updated. The startDateTime is set to the same time the certificate is created using the action. The endDateTime can be up to three years after the certificate is created.
[!INCLUDE national-cloud-support]
Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.
[!INCLUDE permissions-table]
You can address the service principal using either its id or appId. id and appId are referred to as the Object ID and Application (Client) ID, respectively, in app registrations in the Microsoft Entra admin center.
POST /servicePrincipals/{id}/addTokenSigningCertificate
POST /servicePrincipals(appId='{appId}')/addTokenSigningCertificate| Name | Description |
|---|---|
| Authorization | Bearer {token}. Required. Learn more about authentication and authorization. |
| Content-Type | application/json. Required. |
In the request body, provide the following required properties.
| Property | Type | Description |
|---|---|---|
| displayName | string | Friendly name for the key. It must start with CN=. |
| endDateTime | DateTimeOffset | The date and time when the credential expires. It can be up to 3 years from the date the certificate is created. If not supplied, the default is three years from the time of creation. The timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
If successful, this method returns a 200 OK response code and a new selfSignedCertificate object in the response body.
The following example shows a request.
POST https://graph.microsoft.com/v1.0/servicePrincipals/004375c5-6e2e-4dec-95e3-626838cb9f80/addTokenSigningCertificate
Content-type: application/json
{
"displayName":"CN=customDisplayName",
"endDateTime":"2024-01-25T00:00:00Z"
}[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
The following example shows the response.
HTTP/1.1 200 OK
Content-Type: application/json
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#microsoft.graph.selfSignedCertificate",
"customKeyIdentifier": "2iD8ppbE+D6Kmu1ZvjM2jtQh88E=",
"displayName": "CN=customDisplayName",
"endDateTime": "2024-01-25T00:00:00Z",
"key": "MIICuDCCAaCgAwIBAgIIYXJsNtL4oUMwDQYJKoZIhvcNAQEL...StP8s/w==",
"keyId": "93bc223f-7235-4b9c-beea-d66847531c49",
"startDateTime": "2021-05-05T18:38:51.8100763Z",
"thumbprint": "DA20FCA696C4F83E8A9AED59BE33368ED421F3C1",
"type": "AsymmetricX509Cert",
"usage": "Verify"
}