On-Prem SSO Certificate Renewal

Stay ahead of SSO Certificate expiration in your SSO On-Prem installation

Customers who use SSO On-Prem (self-hosted version of SSO Connect), please read this important notice. Action is required on an annual basis, depending on the date of your SSL certificate expiration.

Overview

As outlined in the SSO Connect On-Prem documentation, the installation of the on-prem service requires the creation of an SSL certificate that is used for signing SAML requests and encrypting SAML assertions. This certificate is also used to protect the SSL communications on the service itself.

The Identity Provider (IdP) uses the certificate for verifying the SAML request, and for signing SAML assertions. During the configuration of the Keeper application in the identity provider, you have to upload the Keeper SP metadata to provide the IdP with the certificate.

SSL certificates typically expire after 1 year. Many identity providers such as AD FS will throw errors when the Service Provider (SP) certificate has expired.

Therefore, it's important that customers using SSO On-Prem follow the below best practices:

Back Up the Certificate and private key

The private key, CSR, certificate and intermediate certificates generated during the setup process should be backed up in your Keeper vault.

Plan for Certificate Renewal

Exactly one year after your certificate is issued, it will expire. Therefore we recommend putting a calendar reminder to renew the certificate. Renewing the certificate is typically automatically performed by the SSL certificate provider. The new certificate file is provided to you along with the latest intermediate certificate chain.

The expiration date of the certificate can be checked a few different ways:

From the SSO Connect On-Prem application user interface
From the certificate file using openssl
From the .pfx file using openssl

Finding the certificate expiration using openssl

openssl x509 -in automator.company.com.cer -noout -enddate

> notAfter=Sep 14 23:59:59 2022 GMT

Finding the certificate expiration from the .pfx file

The command below will extract the cert from the .pfx file and then display the expiration date.

openssl pkcs12 -in mycert.pfx -out mycert.pem -nodes
cat mycert.pem | openssl x509 -noout -enddate

> notAfter=Sep 14 23:59:59 2022 GMT

Finding the Certificate Expiration on the SSO Connect Gui

From your local on-prem SSO Connect instance, open the configuration screen at http://127.0.0.1:8080/config/
Login with your Keeper Administrator account
On the "Status" screen, see the expiration date listed

Update the Certificate

Before the SSL Certificate expires, it's important to renew the certificate from your provider. Many of the SSL certificate providers will automatically renew and issue you an updated certificate. It is not necessary to re-key it. Simply load the new renewed certificate that has the existing private and public key.

The certificate provider will give you a zip file that contains the .crt certificate and .ca-bundle intermediate certificate chain. You will have the original .key private key file from the original certificate generation in the prior year.

Hopefully you stored your private .key file in your Keeper vault. If you lost your private key, you'll need to create a whole new certificate following our Create Certificate instructions page

To update Keeper SSO Connect, the certs needs to be converted to .pfx format. From the OpenSSL Command Prompt in the same folder as the .key, .crt and .ca-bundle file, run the below command.

openssl pkcs12 -export -out keeper.mycompany.com.pfx -inkey keeper.mycompany.com.key -in keeper.mycompany.com.crt -certfile keeper.mycompany.com.ca-bundle

Enter Export Password: **********
Verifying - Enter Export Password: **********

In this example...

keeper.mycompany.com.key is the private key generated in step 1.
keeper.mycompany.com.crt is the signed certificate delivered in step 3.
keeper.mycompany.com.ca-bundle is the CA bundle containing intermediate and root public certificate chains
keeper.mycompany.com.pfx is the pkcs12 output file used by SSO Connect that has been encrypted with a password.

Make sure to save all 4 files and the generated strong password in your Keeper Vault. Note: The generated key password should not contain special characters.

You will need this password when importing the PFX file into Keeper SSO Connect Interface.

Install the Certificate

In SSO Connect On-Prem, click “⚙️Configuration”

Drag or upload the .pfx file you just generated into SSO Connect:

Click “Save” in the upper right hand corner of SSO Connect and your certificate configuration should be complete.

After a minute, the service should update and the certificate expiration date should change. Once this is complete, please check the end-user login flow to ensure that the SSO login works.

Need help?

If you can't login to the Admin Console, please open a support case and we'll assist you.

If you require assistance, please open a support ticket at the link below:

Contact Keeper Support | User Guides | Technical Support | Keeper SecurityKeeper® Password Manager & Digital Vault

Troubleshooting

Ensure that you are logging in as a Keeper Administrator with privileges to manage SSO.
Use an account that is in the root node of the enterprise tenant and logs in with a Master Password. SSO Connect On-Prem interface does not allow login with SSO. It is important that all customers using SSO Connect have a service account or administrative account that exists outside of the SSO context.
If you are still unable to login, please locate another Admin in your organization that has the ability to login with a Master Password.