Certificate-Based Authentication

Certificate-based authentication allows SpaceObServer to identify itself to the authentication service using a digital certificate instead of user credentials.

Before starting, ensure you have:

  • Administrative access to your Entra ID app registration

  • Permission to create certificates on your system

Step-by-Step Setup Guide

Step 1: Create a Self-Signed Certificate

Use the PowerShell command New-PnPAzureCertificate to create the certificate files. For reference, see the documentation: https://pnp.github.io/powershell/cmdlets/New-PnPAzureCertificate.html

Note

To use this command, first import the PnP.PowerShell module: Import-Module PnP.PowerShell

Generate the certificate files:

  • Create both a .cer file (public certificate) and a .pfx file (private key with certificate)

  • Use a descriptive name for your certificate (e.g., “Auth-Cert”)

Note

We recommend using “Example 3” in the documentation as a reference for creating a certificate with a password.

Verify certificate creation:

  • Confirm both .cer and .pfx files are created

  • Note the certificate thumbprint for future reference

  • Store the .pfx file securely with its password
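
The following script walks through Step 1 end to end. It is an added example, not part of the original guide or the PnP documentation. The output folder, file names and two-year validity are assumptions; adjust them to your environment.

```powershell
# Added example: output folder, file names and validity period are assumptions.
Import-Module PnP.PowerShell

$outDir  = Join-Path $env:USERPROFILE 'SpaceObServer-Cert'   # assumed location
$pfxPath = Join-Path $outDir 'Auth-Cert.pfx'
$cerPath = Join-Path $outDir 'Auth-Cert.cer'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Prompt for the password so it never appears in the script or command history.
$password = Read-Host -Prompt 'Password for Auth-Cert.pfx' -AsSecureString

# Create the self-signed certificate: .cer (public) and .pfx (with private key).
# Console output is suppressed; the details needed are read from the .cer below.
New-PnPAzureCertificate -CommonName 'Auth-Cert' -ValidYears 2 `
    -OutPfx $pfxPath -OutCert $cerPath -CertificatePassword $password | Out-Null

# Verify that both files were written.
foreach ($file in $pfxPath, $cerPath) {
    if (-not (Test-Path -LiteralPath $file)) {
        throw "Missing certificate file: $file"
    }
}

# Read thumbprint and expiry from the public .cer file (no private key involved).
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cerPath)
[pscustomobject]@{
    Subject    = $cert.Subject
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
}

# Restrict the .pfx to read access for the current user only.
# Assumption: SpaceObServer scans run under this same account; if they run
# under a different account, grant that account read access instead.
icacls $pfxPath /inheritance:r /grant:r "$($env:USERDOMAIN)\$($env:USERNAME):(R)" | Out-Null
```

The thumbprint printed here should match the one shown in the app registration after the .cer file is uploaded in Step 2, and NotAfter is the date by which the certificate must be replaced.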

Step 2: Configure Entra ID Registration

Upload the certificate:

  1. Navigate to your Entra ID app registration

  2. Go to the “Certificates & secrets” section

  3. Click “Upload certificate”

  4. Select and upload the .cer file created in Step 1

Step 3: Configure API Permissions

Add SharePoint permissions:

  1. Go to “API permissions” in your app registration

  2. Click “Add a permission”

  3. Select “SharePoint” from the Microsoft APIs

  4. Choose “Application permissions”

  5. Add “Sites.Selected” permission

Note

Make sure that steps 3 and 4 (selecting “SharePoint” and “Application permissions”) are configured correctly for the granted permission; otherwise, authentication might not work correctly later.

The Sites.Selected permission allows your application to access only specific SharePoint site collections that have been explicitly configured, providing granular security control.

Grant admin consent:

  1. Click “Grant admin consent” for your organization

  2. Confirm the permission is granted (status shows green checkmark)

Step 4: Configure SharePoint Site Collections

Site collection configuration:

  • Contact your SharePoint administrator to configure the specific site collections that SpaceObServer should access

  • Provide them with your app registration’s Application (client) ID

  • Alternatively, see this FAQ page for instructions on configuring this: https://knowledgebase.jam-software.com/7686

Step 5: Configure SpaceObServer

Certificate configuration:

  • When prompted, configure SpaceObServer to use the .pfx file for authentication when creating a scan

  • Provide the path to the certificate file and the certificate password