Creating SSL Certificates
Creating SSL Certificates on Windows for Keeper SSO Connect On-Prem
This document provides step-by-step instructions on generating an SSL certificate for use in Keeper SSO Connect On-Prem. For existing environments, this action must be performed before your SSL certificate expires.
These instructions only apply to SSO Connect On-Prem installations.
If you are using Linux, there is no need to install a binary version of OpenSSL. The instructions below focus on Windows environments.


(1) Download and install OpenSSL version 1.1.1.
Version 3.0 of OpenSSL appears to have compatibility issues with Java 11, so we recommend using version 1.1.1 for now. For convenience, a 3rd party has created a binary installer. A popular binary installer is linked below:
During install, the default options can be selected. In the install process, you may be asked to also install a Microsoft Visual Studio extension. Go ahead and follow the instructions to install this extension before completing the OpenSSL setup.
(2) Run the OpenSSL Command Prompt
In your Start Menu there will be an OpenSSL folder. Click on the OpenSSL Command Prompt.
(3) Create a Private Key
On the OpenSSL Command Prompt, run the below command to create a private key.
C:\Users\craig> openssl genrsa -out
(4) Generate a CSR
Create a CSR, making sure to use the hostname which you plan to use for SSO Connect. In this case, we will be using The important item here is that the Common Name exactly matches the domain.
C:\Users\craig> openssl req -new -key -out
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Illinois
Locality Name (eg, city) [Default City]:Chicago
Organization Name (eg, company) [Default Company Ltd]:Lurey, LLC
Organizational Unit Name (eg, section) []:Engineering
Common Name []
Email Address []:[email protected]
(5) Purchase an SSL certificate
Submit the CSR to your SSL certificate provider. If you don't have one, we recommend using a basic HTTPS cert from
Follow your vendor’s instructions for completing the certificate request. You will then need to wait for your certificate to be issued by your SSL Certificate provider. This can take anywhere between 5 minutes and 24 hours -- check with your vendor regarding their turnaround time.
The SSL certificate provider will deliver you a zip file that contains a signed certificate (.crt file) and intermediate CA cert (.ca-bundle). Unzip this file into the same location as the private key.
(6) Create .pfx File
After the certificate has been issued, it needs to be converted to .pfx format. From the OpenSSL Command Prompt in the same folder as the .key, .crt and .ca-bundle file, run the below command.
openssl pkcs12 -export -out -inkey -in -certfile
Enter Export Password: **********
Verifying - Enter Export Password: **********
In this example...
  • is the private key generated in step 1.
  • is the signed certificate delivered in step 3.
  • is the CA bundle containing intermediate and root public certificate chains
  • is the pkcs12 output file used by SSO Connect that has been encrypted with a password.
Make sure to save all 4 files and the generated strong password in your Keeper Vault. Note: The generated key password should not contain special characters.
You will need this password when importing the PFX file into Keeper SSO Connect Interface.
(7) Install the Certificate
Back in SSO Connect On-Prem, click “⚙️Configuration”:
(8) Drag or upload the .pfx file you just generated into SSO Connect:
(9) Click “Save” in the upper right hand corner of SSO Connect and your certificate configuration should be complete.
Once this is complete, please check the end-user login flow to ensure that the SSO login works.
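The checks below, run before uploading the .pfx in step (8), confirm that the certificate matches the private key and the hostname, is not close to expiry, chains to the CA bundle, and that the .pfx opens with the export password. This is an added example, not part of Keeper's documentation; the file names and hostname are placeholders (the page does not give them), and it assumes openssl.exe is on PATH, for example in PowerShell started from the OpenSSL Command Prompt.

```powershell
# Added example: pre-flight checks on the files from steps (3)-(6).
# Every file name and the hostname below are placeholders, not values from the page.
param(
    [string]$Key      = 'example.key',        # placeholder: private key
    [string]$Cert     = 'example.crt',        # placeholder: signed certificate
    [string]$Bundle   = 'example.ca-bundle',  # placeholder: CA bundle
    [string]$Pfx      = 'example.pfx',        # placeholder: PKCS#12 output
    [string]$HostName = 'sso.example.com'     # placeholder: SSO Connect hostname
)

function Get-PubKeyHash([string[]]$OpenSslArgs) {
    # Hash the PEM public key that openssl prints, so two keys can be compared.
    $pem = (& openssl @OpenSslArgs 2>$null) -join "`n"
    if ($LASTEXITCODE -ne 0 -or -not $pem) { throw "openssl $($OpenSslArgs -join ' ') failed" }
    $sha = [System.Security.Cryptography.SHA256]::Create()
    [BitConverter]::ToString($sha.ComputeHash([Text.Encoding]::ASCII.GetBytes($pem)))
}

# 1. The certificate must carry the public half of the private key from step (3).
$keyHash  = Get-PubKeyHash 'pkey', '-in', $Key, '-pubout'
$certHash = Get-PubKeyHash 'x509', '-in', $Cert, '-noout', '-pubkey'
if ($keyHash -ne $certHash) { throw "Certificate $Cert was not issued for key $Key" }

# 2. The hostname used for SSO Connect must match the certificate (step 4).
$hostCheck = (& openssl x509 -in $Cert -noout -checkhost $HostName) -join ' '
if ($hostCheck -notmatch 'does match certificate') { throw "Certificate does not cover $HostName" }

# 3. Fail if the certificate expires within 30 days (-checkend takes seconds).
& openssl x509 -in $Cert -noout -checkend (30 * 24 * 3600) | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Certificate $Cert expires within 30 days" }

# 4. The certificate must chain to the delivered bundle. The bundle doubles as the
#    trust anchor here, so this only shows that the files belong together.
& openssl verify -CAfile $Bundle -untrusted $Bundle $Cert | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Certificate $Cert does not chain to $Bundle" }

# 5. The .pfx must open with the export password; openssl prompts for it, so the
#    password never appears on the command line. -noout prints no key material.
& openssl pkcs12 -in $Pfx -noout
if ($LASTEXITCODE -ne 0) { throw "$Pfx could not be opened with that password" }

'All checks passed'
```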