SPCertificate: add an option to use certificate as farm nonce certificate for OIDC deployments

### Problem description

The instructions for configuring SPSSE to support OIDC for [Entra ID](https://learn.microsoft.com/en-us/sharepoint/security-for-sharepoint-server/set-up-oidc-auth-in-sharepoint-server-with-msaad#step-2-change-sharepoint-farm-properties) and [ADFS](https://learn.microsoft.com/en-us/sharepoint/security-for-sharepoint-server/set-up-oidc-auth-in-sharepoint-server-with-adfs#step-2-change-sharepoint-farm-properties) both have a step to create a certificate which "is part of the infrastructure to ensure OIDC authentication tokens are secure".

This presents a gap in DSC to set up a farm that is configured to use OIDC as an authN provider. The instructions say that this is a step that should occur before creating an SPTrustedIdentityTokenIssuer, and I would like to have my DSC deployments match MSFT's recommendations.

### Verbose logs

```text
N/A
```

### DSC configuration

```powershell
# This is how I imagine a sample would look; this is not a live configuration block

configuration Sample {
  $SetupAccount = ...
  node 'SP-CA-001' {
    SPCertificate CookieNonceCert {
      CertificateFilePath       = $Node.CookieNoncePfxPath
      Store                     = 'EndEntity'
      Exportable                = $false
      UseAsFarmNonceCertificate = $true
      Ensure                    = 'Present'
      PsDscRunAsCredential      = $SetupAccount
    }
  }
}
```

### Suggested solution

The example code for the ME-ID and ADFS instructions (for 24H1 and newer, see links in problem description) both use `Import-SPCertificate`, so that is why I'm suggesting this enhancement in the form of an additional parameter for the SPCertificate resource. Something along the lines of `UseAsFarmNonceCertificate` or similar.

There are currently three procedures to implement this based on the SharePoint version:
- Older than 24H1: manually grant IIS app pool service accounts to read certificate private key; set farm property bag values
- 24H1: Set farm feature release preference to early release; `Import-SPCertificate`; `$farm.UpdateNonceCertificate`
- 24H2 and newer: `Import-SPCertificate`; `$farm.UpdateNonceCertificate`

I would not expect the first of those three options to be implemented due to all the high-level CVEs that affected on-prem SharePoint in Summer 2025.

### SharePoint version and build

```text
Subscription Edition 24H1 and newer
```

### Operating system the target node is running

```text
Any
```

### PowerShell version and build the target node is running

```text
Any
```

### SharePointDsc version

```text
5.7.0
```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

SPCertificate: add an option to use certificate as farm nonce certificate for OIDC deployments #1471

Problem description

Verbose logs

DSC configuration

Suggested solution

SharePoint version and build

Operating system the target node is running

PowerShell version and build the target node is running

SharePointDsc version

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

SPCertificate: add an option to use certificate as farm nonce certificate for OIDC deployments #1471

Description

Problem description

Verbose logs

DSC configuration

Suggested solution

SharePoint version and build

Operating system the target node is running

PowerShell version and build the target node is running

SharePointDsc version

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions