SSL Certificate Creation

This document provides step by step instructions on generating an SSL certificate for use in Keeper SSO Connect On-Prem. For existing environments, this action must be performed before your SSL certificate expires.

If you are using Linux, there is no need to install a binary version of OpenSSL. The instructions below here focus on Windows environments.

Windows

(1) Download and install OpenSSL version 1.1.1.

Version 3.0 of OpenSSL appears to have compatibility issues with Java 11, so we are recommending to use version 1.1.1 for now. For convenience, a 3rd party (slproweb.com) has created a binary installer. A popular binary installer is linked below:

https://slproweb.com/download/Win32OpenSSL_Light-3_1_4.exe

During install, the default options can be selected. In the install process, you may be asked to also install a Microsoft Visual Studio extension. Go ahead and follow the instructions to install this extension before completing the OpenSSL setup.

(2) Run the OpenSSL Command Prompt

In your Start Menu there will be an OpenSSL folder. Click on the OpenSSL Command Prompt.

(3) Create a Private Key

On the OpenSSL Command Prompt, run the below command to create a private key.

C:\Users\craig> openssl genrsa -out keeper.mycompany.com.key

(4) Generate a CSR

Create a CSR, making sure to use the hostname which you plan to use for SSO Connect. In this case, we will be using keeper.mycompany.com. The important item here is that the Common Name matches exactly to the domain.

Example:

C:\Users\craig> openssl req -new -key keeper.mycompany.com.key -out keeper.mycompany.com.csr

Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Illinois
Locality Name (eg, city) [Default City]:Chicago
Organization Name (eg, company) [Default Company Ltd]:Lurey, LLC
Organizational Unit Name (eg, section) []:Engineering
Common Name []:keeper.mycompany.com
Email Address []:webmaster@lurey.com

(5) Purchase an SSL certificate

Submit the CSR to your SSL certificate provider. If you don't have one, we recommend using a basic HTTPS cert from https://ssls.com.

Follow your vendor’s instructions for completing the certificate request. You will then need to wait for your certificate to be issued by your SSL Certificate provider. This can take anywhere between 5 minutes and 24 hours -- check with your vendor regarding their turnaround time.

The SSL certificate provider will deliver you a zip file that contains a signed certificate (.crt file) and intermediate CA cert (.ca-bundle). Unzip this file into the same location as the private key.

(6) Create .pfx File

After the certificate has been issued, it needs to be converted to .pfx format. From the OpenSSL Command Prompt in the same folder as the .key, .crt and .ca-bundle file, run the below command.

openssl pkcs12 -export -out keeper.mycompany.com.pfx -inkey keeper.mycompany.com.key -in keeper.mycompany.com.crt -certfile keeper.mycompany.com.ca-bundle

Enter Export Password: **********
Verifying - Enter Export Password: **********

In this example...

• keeper.mycompany.com.key is the private key generated in step 1.

• keeper.mycompany.com.crt is the signed certificate delivered in step 3.

• keeper.mycompany.com.ca-bundle is the CA bundle containing intermediate and root public certificate chains

• keeper.mycompany.com.pfx is the pkcs12 output file used by SSO Connect that has been encrypted with a password.

Make sure to save all 4 files and the generated strong password in your Keeper Vault. Note: The generated key password should not contain special characters.

You will need this password when importing the PFX file into Keeper SSO Connect Interface. (7) Install the Certificate

Back in SSO Connect On-Prem, click “⚙️Configuration”:

(8) Drag or upload the .pfx file you just generated into SSO Connect:

(9) Click “Save” in the upper right hand corner of SSO Connect and your certificate configuration should be complete.

Once this is complete, please check the end-user login flow to ensure that the SSO login works.