Loading...

Creating Certificates for SAML Integration

In Service Provider (SP) initiated SAML, a SAML request is prepare by the SP. The SP digitally signs the request using a private key. When the request is received by the Identity Provider (IdP), the digital signature is verified using the public key sent by the SP in a certificate. Certificates are self-signed or signed by a certification authority (CA).

A Java keystore file stores the certificate and the private key. To create the Java keystore file, use the keytool utility, the Java key and certificate management tool. For more information on the keytool utility, go to the Oracle Documentation website, keytool - Key and Certificate Management Tool.

Procedure

Creating a Self-Signed Certificate and a Private Key

Use the keytool utility to create a keystore file that contains a private key and a self-signed certificate that holds a public key.

  1. Run the following command from the C:\Program Files\Java\java_version\bin folder after substituting the parameter values.
  2. The command can be run from %JAVA_HOME%\bin if the %JAVA_HOME% environment variable is set.

    keytool -genkey -keyalg RSA -alias <aliasName> -keystore <file_path\keystoreFilename.jks> -validity <daysValid> -keysize 2048

  3. The following table displays the parameters for the keytool command:

    Parameter

    Description of Parameter Values

    alias

    The alias name for the certificate.

    keystore

    The file path and file name for the .jks file created by the keytool.

    validity

    The number of days the keystore file is valid starting from the day the keystore file is created.

    Example

    keytool -genkey -keyalg RSA -alias selfsigned -keystore "C:\mykeystore.jks" -validity 365 -keysize 2048

  4. When prompted, enter the information requested by the keytool command.
  5. Make note of the following values:
    • name and location of the keystore file
    • alias name
    • keystore password
    • key password

    Use these values to create the SP metadata XML file. For information, see Adding Identity Servers.

Creating a CA-signed Certificate and a Private Key

Use the keytool utility to create a keystore file that contains a private key and a CA-signed certificate that holds a public key.

  1. Create a keystore file containing a local certificate:
    1. Run the following command from the C:\Program Files\Java\java_version\bin folder after substituting the parameter values.

      The command can be run from %JAVA_HOME%\bin if the %JAVA_HOME% environment variable is set.

      keytool -genkey -keyalg RSA -alias <aliasName> -keystore <file_path\keystoreFilename.jks>

      The following table displays the parameters for the keytool command:

      Parameter

      Description of Parameter Values

      alias

      The alias name for the certificate. The alias name is used to import the CA-signed certificate.

      keystore

      The file path and file name for the .jks file created by the keytool.

      Example

      keytool -genkey -keyalg RSA -alias casigned -keystore "C:\mykeystore.jks"

    2. When prompted, enter the information requested by the keytool command.

      For CA-signed certificates, the company and location information must be accurate, for example, when prompted for the Organization Name, enter the full legal name of your organization.

    3. Make note of the following values:
      • name and location of the keystore file
      • alias name
      • the keystore password
      • the key password

    After the CA-signed certificate is imported into the keystore file, use these values to create the SP metadata XML file. For information, see Adding Identity Servers.

  2. Generate a Certificate Signing Request (CSR) and submit it to the CA.
    1. Run the following command from the C:\Program Files\Java\java_version\bin folder after substituting the parameter values.

      The command can be run from %JAVA_HOME%\bin if the %JAVA_HOME% environment variable is set.

      keytool -certreq -keyalg RSA -alias <aliasName> -file <request_file_name.csr> -keystore <file_path\keystoreFilename.jks>

      The following table displays the parameters for the keytool command:

      Parameter

      Description of Parameter Values

      alias

      The alias name for the certificate. The alias name is used to import the CA-signed certificate.

      file

      The file name of the .csr file.

      keystore

      The file path and file name for the .jks file created by the keytool.

      Example

      keytool -certreq -keyalg RSA -alias casigned -file certreq.csr -keystore "C:\mykeystore.jks"

    2. Submit the .csr file to your CA according to their procedure.
  3. Import the CA-signed certificate into the keystore file according to the procedure provided by the CA.

    Run the following command from the C:\Program Files\Java\java_version\bin folder after substituting the parameter values.

    The command can be run from %JAVA_HOME%\bin if the %JAVA_HOME% environment variable is set.

    keytool -importcert -file <CertificateFileName> -keystore <keystoreFileName> -alias <AliasName>

    The following table displays the parameters for the keytool command:

    Parameter

    Description of Parameter Values

    file

    The file name of the .csr file.

    keystore

    The file path and file name for the .jks file created by the keytool.

    alias

    The alias name for the certificate.

    Example

    keytool -importcert -file certificate.cer -keystore "C:\mykeystore.jks" -alias casigned

Last modified: 10/11/2019 6:09:25 PM