API certificate authentication for Azure AD B2C

There’s a good article here.

First off, you need a self-signed certificate for testing. I wrote this up. I generally use the Pluralsight utility to generate a .pfx file. Remember the password you have to enter.

Then upload the certificate, change the technical profile and upload the new policy as per the above article.

I was testing to a 3rd party API so I didn’t actually create my own web API.

The problem is that it didn’t work and the B2C errors were sparse.

Enter Postman.

Note that this only works in the Postman desktop application, not in the Chrome app version, which is due to be deprecated.

As you can see from the article, you need a CRT file and a KEY file, not a .pfx file.

To generate these, use OpenSSL. You can get a Windows version from Shining Light.

The commands are:

openssl pkcs12 -in c:\…\B2C.pfx -nocerts -out c:\…\b2c.key
Enter Import Password:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

Here you have to enter the pfx password and then choose a passphrase and verify it. The output is b2c.key.

openssl pkcs12 -in c:\…\B2C.pfx -clcerts -nokeys -out c:\…\b2c.crt
Enter Import Password:

Here you have to enter the pfx password. The output is b2c.crt.

You now have everything you need:

The host URL is the address of the API e.g.
When a call is made to this API, Postman will add the certificate.

Note that this connection must be via https.

To confirm this, open the Postman console (Ctrl-Alt-C). For a call made with the certificate configured, it shows:

Client Certificate:
  keyPath: "C:\…\b2c.key"
  pemPath: "C:\…\b2c.crt"

You now have a way to test the back-end API with certificate authentication (using the same certificate) outside of B2C.
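As an added example (not part of this post, nor code from Postman or B2C), the following shell script does the two OpenSSL extractions above, checks that the extracted key and certificate actually belong together and that the certificate has not expired, and then calls the API with curl the way Postman does. The .pfx name, the two passwords, the output directory and the API URL are placeholders passed on the command line.

```shell
#!/bin/sh
# Added example, not from the original post: extract key and certificate
# from a .pfx, sanity-check them, and call the API with the client cert.
# All file names, passwords and the URL are placeholders.
set -eu

# pfx_to_pem PFX PFXPASS KEYPASS OUTDIR
# Same as the two openssl commands in the post: b2c.key is protected with
# KEYPASS (the "PEM pass phrase"), b2c.crt holds the client certificate.
pfx_to_pem() {
  mkdir -p "$4"
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -passout "pass:$3" -out "$4/b2c.key"
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$4/b2c.crt"
  chmod 600 "$4/b2c.key"   # the private key must not be world-readable
}

# keys_match KEY KEYPASS CRT
# Succeeds only if the key and the certificate carry the same public key,
# i.e. both files really came from the same .pfx (and KEYPASS is right).
keys_match() {
  key_pub=$(openssl pkey -in "$1" -passin "pass:$2" -pubout) || return 1
  crt_pub=$(openssl x509 -in "$3" -pubkey -noout) || return 1
  [ "$key_pub" = "$crt_pub" ]
}

# cert_valid CRT
# Fails if the certificate has expired or expires within 24 hours; worth
# ruling out before blaming the B2C policy, since B2C's errors are sparse.
cert_valid() {
  openssl x509 -in "$1" -noout -checkend 86400 >/dev/null
}

# call_api URL KEY KEYPASS CRT
# Presents the client certificate as Postman's "Client Certificate" setting
# does. The URL must be https, otherwise no certificate is ever sent.
call_api() {
  case "$1" in https://*) ;; *) echo "URL must be https" >&2; return 1 ;; esac
  curl --silent --show-error --fail --cert "$4" --key "$2" --pass "$3" "$1"
}

# Usage: sh test-b2c-cert.sh B2C.pfx PFXPASS KEYPASS https://api.example.test/resource
if [ $# -eq 4 ]; then
  pfx_to_pem "$1" "$2" "$3" ./out
  keys_match ./out/b2c.key "$3" ./out/b2c.crt
  cert_valid ./out/b2c.crt
  call_api "$4" ./out/b2c.key "$3" ./out/b2c.crt
fi
```

If curl returns a TLS handshake or HTTP error here, the same certificate will fail from B2C too, so fix that before touching the policy.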

In my experience, if this works, so will B2C.

All good!