Create Self-Signed Certificate
Management Console by default contains a self-signed certificate that can be used for SAML encryption. However, some organizations prefer to use their own self-signed certificates. To complete these steps, you may need to install OpenSSL if you do not already have it installed.
If you want to update Management Console with a new self-signed certificate, perform the following steps:
Step 1: Generate RSA Private Key
To generate an RSA private key, run the following command at the command prompt:
openssl command: openssl genrsa -out <key_output_path> <modulus_bit_length>
Example:
openssl genrsa -out samlkey.key 2048
D:\development\KEYSTOREGUIDE>openssl genrsa -out samlkey.key 2048
Generating RSA private key, 2048 bit long modulus
.........+++
......+++
unable to write 'random state'
e is 65537 (0x10001)

D:\development\KEYSTOREGUIDE>
Step 2: Generate Certificate Request
Once a private key has been generated, you can create a certificate request, which is needed to generate the self-signed certificate. The following openssl command generates the certificate request:
openssl command: openssl req -new -key <key_path> -out <request_output_path>
Example:
openssl req -new -key samlkey.key -out samlcertrequest.csr
You will be prompted to enter attributes such as country name, state or province, email address, and so on.
D:\development\KEYSTOREGUIDE>openssl req -new -key samlkey.key -out samlcertrequest.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:AP
Locality Name (eg, city) []:HYD
Organization Name (eg, company) [Internet Widgits Pty Ltd]:PRIME
Organizational Unit Name (eg, section) []:SECA
Common Name (e.g. server FQDN or YOUR name) []:PRIME
Email Address []:abc@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []:PRIME

D:\development\KEYSTOREGUIDE>
Step 3: Generate Certificate
Once you have a private key and a certificate request, you are ready to create the self-signed certificate. Run the following command:
openssl command: openssl x509 -req -days <expiry_in_days> -in <cert_request_path> -signkey <private_key_path> -out <cert_output_path>
Example:
openssl x509 -req -days 3650 -in samlcertrequest.csr -signkey samlkey.key -out samlcert.crt
Note: The generated certificate (samlcert.crt) should be uploaded to the IdP.
D:\development\KEYSTOREGUIDE>openssl x509 -req -days 3650 -in samlcertrequest.csr -signkey samlkey.key -out samlcert.crt
Signature ok
subject=/C=IN/ST=AP/L=HYD/O=PRIME/OU=SECA/CN=PRIME/emailAddress=abc@example.com
Getting Private key
unable to write 'random state'

D:\development\KEYSTOREGUIDE>
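The three steps above run end to end, as an added example that is not part of the original guide: a POSIX shell script that generates the key, request and certificate non-interactively (the -subj option supplies the Distinguished Name from the guide's sample values instead of the prompts) and then checks, before anything is uploaded to the IdP, that the certificate really was signed with the private key beside it, is self-signed and has not expired. It assumes the openssl CLI is on the PATH; the file names and DN values are the guide's sample values, and the fingerprint check at the end is an addition for comparing against what the IdP displays after upload.

```shell
#!/bin/sh
# Added example (not from the guide): Steps 1-3 run non-interactively, plus the
# checks worth doing before samlcert.crt is uploaded to the IdP.
# Assumes the openssl CLI is installed; DN values are the guide's sample values.
set -e

# make_saml_cert DIR [DAYS]: writes DIR/samlkey.key, DIR/samlcertrequest.csr
# and DIR/samlcert.crt. -subj supplies the DN that Step 2 would otherwise
# prompt for, so no challenge password is set.
make_saml_cert() {
    dir="$1"; days="${2:-3650}"
    # Step 1: 2048-bit RSA private key
    openssl genrsa -out "$dir/samlkey.key" 2048 2>/dev/null
    # Step 2: certificate request signed by that key
    openssl req -new -key "$dir/samlkey.key" -out "$dir/samlcertrequest.csr" \
        -subj "/C=IN/ST=AP/L=HYD/O=PRIME/OU=SECA/CN=PRIME/emailAddress=abc@example.com"
    # Step 3: self-signed certificate valid for DAYS days
    openssl x509 -req -days "$days" -in "$dir/samlcertrequest.csr" \
        -signkey "$dir/samlkey.key" -out "$dir/samlcert.crt" 2>/dev/null
}

# verify_saml_cert DIR: succeeds only if the certificate carries the same RSA
# modulus as the private key (they are a pair), its issuer equals its subject
# (self-signed), and it has not already expired. A key/cert mismatch is the
# usual reason SAML signing or decryption fails after the upload.
verify_saml_cert() {
    dir="$1"
    key_mod=$(openssl rsa -in "$dir/samlkey.key" -noout -modulus)
    crt_mod=$(openssl x509 -in "$dir/samlcert.crt" -noout -modulus)
    [ "$key_mod" = "$crt_mod" ] || { echo "key/cert modulus mismatch" >&2; return 1; }
    subj=$(openssl x509 -in "$dir/samlcert.crt" -noout -subject)
    iss=$(openssl x509 -in "$dir/samlcert.crt" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ] || { echo "not self-signed" >&2; return 1; }
    # -checkend 0 fails if notAfter is already in the past
    openssl x509 -in "$dir/samlcert.crt" -noout -checkend 0 >/dev/null
}

# cert_fingerprint DIR: SHA-256 fingerprint to compare with the IdP's display.
cert_fingerprint() {
    openssl x509 -in "$1/samlcert.crt" -noout -fingerprint -sha256
}

# Stand-alone run: build into a temporary directory, verify, print fingerprint.
work=$(mktemp -d)
make_saml_cert "$work" 3650
verify_saml_cert "$work" && cert_fingerprint "$work"
echo "files written to $work"
```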