Follow the steps below to create a certificate for your Entra ID app registration, which is required for backing up Teams Chats data.


  • For Windows Users: Use our PowerShell script to generate a certificate and key. Download the script here. Follow the instructions below to run the script.
  • For Mac Users: We recommend using OpenSSL to generate a certificate and key. Detailed instructions are provided below.
  • If you are creating your own certificate, ensure the following configuration:
  • Certificate Format: x509
  • Hash Algorithm: SHA-256
  • Encryption Algorithm: RSA 2048


Windows Users

Before you get started, download the latest version of the script from the Keepit Support Site: PowerShell Script for Entra ID App Registration. 

Save the script locally (e.g., C:\Users\YourUserName\Documents\Multiapp).
Important: Ensure the script is saved locally and not to a cloud service like OneDrive, as this may cause issues.  
After downloading the script, rename the file extension to .ps1to make it a PowerShell script.

Follow these steps to generate a certificate with PowerShell:

  1. Right-click the PowerShell icon and select Run as Administrator.
  2. Run the following command to allow PowerShell scripts to execute on your PC:
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

    Note: If you close PowerShell, you will need to run this command again to enable script execution.
  3. Run the following command (ensure it matches the location where your script is saved):
    cd C:\Users\(Your user name)\Documents\Multiapp

  4. Run the command:
    ./generate-self-signed-cert.ps1
  5. In the PubKeyFileName field, enter a name (e.g., Public) and press Enter.
  6. In the PrivKeyFileName field, enter a name (e.g., Private) and press Enter.
  7. Enter a name for the certificate file, followed by the appropriate extension. It can be .cer, .crt, or .pem.
  8. Enter the following information when prompted:
    Country Name (2 letter code) [AU]:
    State or province name (full name) [Some-State]:
    Locality Name (eg, city):
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:
    Organization Unit Name (eg, section) [Engineering]:
    Common Name (e.g. server FQDN or YOUR name) [foo.org]:
    Email address [foo@bar.baz]:
    Note: Ensure the email address entered is linked to your tenant, such as a service account.
  9. Press Enter after providing the information.
    The certificate will be generated and saved in the directory where the script is located.


Mac Users

If you are using a Mac, follow these steps using OpenSSL to generate a certificate:

  1. Generate a self-signed certificate (x509 with rsa 2048 valid for the 2 years) by running the following command:
    openssl req -x509 -sha256 -days 730 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
    This will generate two files: privateKey.key and certificate.crt
  2. Upload the certificate.crt in the Certificates & secrets section for the target Application Registration in the Entra ID admin center.
  3. Remove the passphrase from certificate key by running the following command:
    openssl rsa -in privateKey.key -out privateKeyWoPass.key
  4. Use certificate.crt and privateKeyWoPass.key to configure your custom Teams app in Keepit.