Hello @KJ ,
Thanks for reaching out.
You could use a certificate (AsymmetricX509Cert) with any type of issuer, such as self-signed, public or internal CA, for a production environment. AAD (Azure AD) supports all of these certificate types for authentication as long as the certificate matches the prerequisites below:
Subject Name: could be anything, no restriction
KeySpec: Signature
KeyLength: 2048
KeyAlgorithm: RSA
HashAlgorithm: SHA256 / SHA1 (both supported)
Enhanced Key Usage: Client Authentication & Server Authentication
Note: when you use an internal CA issued cert, make sure the certificate path is accessible for certificate chain validation.
The service principal certificate needs to be renewed manually, and you get to see the secret (certificate) expiry notification on the Azure portal as shown below:
Hope this helps.
Do let us know if this helps, and if there are any more queries around this, please let us know so that we can help you further. Also, please do not forget to accept the response as an Answer if the above response helped in answering your query.
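To turn the prerequisites in the answer above into something you can verify before uploading, here is an added shell example (not part of the original answer or of any Microsoft tooling). It generates a self-signed certificate that meets the listed requirements with OpenSSL, checks any PEM certificate against the same list, reports whether it falls inside a renewal window, and prints the SHA-1 thumbprint that the portal displays for an uploaded certificate. The file names, the subject CN and the 30-day renewal window are assumptions made for the example; it needs OpenSSL 1.1.1 or newer for the -addext option.

```shell
#!/usr/bin/env bash
# Added example, not from the original answer. Generates a self-signed
# certificate meeting the prerequisites listed above (RSA, 2048-bit key,
# SHA-256 signature, Client and Server Authentication EKUs) and checks a
# PEM certificate against them before it is uploaded to the app registration.
# Requires OpenSSL 1.1.1+ (-addext). All names below are assumptions.
set -euo pipefail

# make_cert KEY_BITS DIGEST EKU_LIST KEY_OUT CERT_OUT
# Creates a self-signed certificate. Parameterised so that a non-compliant
# certificate (e.g. 1024-bit, clientAuth only) can be produced for comparison.
make_cert() {
  local bits="$1" digest="$2" ekus="$3" key_out="$4" cert_out="$5"
  openssl req -x509 -newkey "rsa:${bits}" "-${digest}" -nodes \
    -keyout "$key_out" -out "$cert_out" -days 365 \
    -subj "/CN=example-service-principal" \
    -addext "keyUsage=digitalSignature" \
    -addext "extendedKeyUsage=${ekus}" 2>/dev/null
}

# check_sp_cert CERT_PEM
# Prints one line per failed prerequisite; returns 0 only if all pass.
# SHA-1 is accepted because the answer says it is supported, but SHA-256
# is what make_cert produces and what you should use for new certificates.
check_sp_cert() {
  local cert="$1" txt ok=0
  txt=$(openssl x509 -in "$cert" -noout -text)
  grep -q 'Public Key Algorithm: rsaEncryption' <<<"$txt" \
    || { echo "FAIL: key algorithm is not RSA"; ok=1; }
  grep -Eq 'Public-Key: \(2048 bit\)' <<<"$txt" \
    || { echo "FAIL: key length is not 2048"; ok=1; }
  grep -Eq 'Signature Algorithm: sha(256|1)WithRSAEncryption' <<<"$txt" \
    || { echo "FAIL: signature hash is neither SHA-256 nor SHA-1"; ok=1; }
  grep -q 'TLS Web Client Authentication' <<<"$txt" \
    || { echo "FAIL: missing Client Authentication EKU"; ok=1; }
  grep -q 'TLS Web Server Authentication' <<<"$txt" \
    || { echo "FAIL: missing Server Authentication EKU"; ok=1; }
  return "$ok"
}

# expires_within CERT_PEM DAYS
# Returns 0 if the certificate expires within DAYS days. Renewal is manual,
# so run this from a scheduled job rather than relying on the portal alone.
expires_within() {
  local cert="$1" days="$2"
  ! openssl x509 -in "$cert" -noout -checkend $(( days * 86400 )) >/dev/null
}

# thumbprint CERT_PEM
# SHA-1 fingerprint as 40 uppercase hex characters, the form shown in the
# portal's Certificates & secrets blade, so you can confirm the right
# certificate was uploaded.
thumbprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2 | tr -d ':'
}

# Stand-alone run: create a compliant certificate and report on it.
WORKDIR="$(mktemp -d)"
make_cert 2048 sha256 "clientAuth,serverAuth" "$WORKDIR/sp.key" "$WORKDIR/sp.pem"
if check_sp_cert "$WORKDIR/sp.pem"; then
  echo "OK: $WORKDIR/sp.pem meets the prerequisites"
fi
echo "Thumbprint to match in the portal: $(thumbprint "$WORKDIR/sp.pem")"
if expires_within "$WORKDIR/sp.pem" 30; then
  echo "WARN: certificate expires within 30 days, renew it"
fi
```

Upload only the public part (sp.pem) to the app registration; sp.key stays on the client that signs the client assertion. A self-signed certificate has no chain, so the internal-CA note in the answer does not apply to it; for an internal CA issued certificate, additionally run `openssl verify -CAfile <issuing-chain.pem> <cert.pem>` to confirm the chain the service will need to build is actually complete.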