Appendix - Creating Certificates


Creating a Self-Signed Certificate - Windows

  1. Download a copy of an OpenSSL Binary from this site: https://slproweb.com/products/Win32OpenSSL.html

  2. Run as admin and take the default settings

  3. Open command prompt

  4. mkdir c:\<hostname>

  5. cd \<hostname>

  6. set RANDFILE=c:\<hostname>\.rnd

  7. set OPENSSL_CONF=c:\OpenSSL-Win32\bin\openssl.cfg

  8. c:\OpenSSL-Win32\bin\openssl.exe

  9. genrsa -out <hostname>.key 2048

  10. req -new -x509 -days 3652 -key <hostname>.key -out <hostname>.pem

  11. Enter the following data. Be sure the Common Name matches the hostname or IP. Just press “Enter” for Email.

  • Country Name (2 letter code) []: US

  • State or Province Name (full name) []: California

  • Locality Name (e.g., city) []: Stanford

  • Organization Name (e.g., company) []: Stanford University

  • Organizational Unit Name (e.g., section) []: University IT

  • Common Name (e.g., web.stanford.edu) []: example.stanford.edu [This needs to match the HOSTNAME/IP of the SSO Connect configuration]

  • Email Address []:

  12. pkcs12 -inkey <hostname>.key -in <hostname>.pem -export -out <hostname>.pfx

Creating a PKCS#12 Signed Certificate from Existing Certificate - Windows

Download a copy of an OpenSSL Binary from this site: https://slproweb.com/products/Win32OpenSSL.html

Run as admin and take the default settings. Open command prompt:

  • mkdir c:\<hostname>

  • cd \<hostname>

  • set OPENSSL_CONF=c:\OpenSSL-Win32\bin\openssl.cfg

  • c:\OpenSSL-Win32\bin\openssl.exe

Place your private key (e.g. privateKey.key), your certificate containing the public key (e.g. certificate.crt) and the CA certificate chain (e.g. CACert.crt) in this folder. Then run this command at the OpenSSL prompt opened in the previous step:

  • pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

You may be prompted for the passphrase on the private key. The output file (certificate.pfx) can be uploaded into the SSO Connect interface. If a keystore passphrase was set, enter the passphrase on the SSO Connect interface.
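
Before uploading the .pfx from either procedure, it is worth confirming that the certificate names the SSO Connect host, has not expired, pairs with the private key, and that the PKCS#12 file opens with the password you set. The batch script below is an added example, not part of the original procedure; the script name is hypothetical, and it assumes an RSA key and the OpenSSL install path used in the steps above.

```bat
@echo off
rem Added example, not part of the original procedure.
rem Usage (script name is hypothetical), run from the folder holding the files:
rem   verify-cert.bat <hostname-or-ip> <keyfile> <certfile> <pfxfile>
setlocal
rem Assumption: same install path as in the steps above.
set "OPENSSL=c:\OpenSSL-Win32\bin\openssl.exe"
set "OPENSSL_CONF=c:\OpenSSL-Win32\bin\openssl.cfg"
if "%~4"=="" (
  echo usage: %~nx0 name keyfile certfile pfxfile
  exit /b 2
)

rem 1. Show subject and validity dates, then confirm the expected name
rem    appears in the subject (case-insensitive substring match).
"%OPENSSL%" x509 -in "%~3" -noout -subject -dates || exit /b 1
"%OPENSSL%" x509 -in "%~3" -noout -subject | findstr /i /c:"%~1" >nul
if errorlevel 1 (
  echo FAIL: "%~1" not found in certificate subject
  exit /b 1
)

rem 2. Fail if the certificate has already expired.
"%OPENSSL%" x509 -in "%~3" -noout -checkend 0 >nul
if errorlevel 1 (
  echo FAIL: certificate has expired
  exit /b 1
)

rem 3. The key and certificate must share the same RSA modulus.
rem    OpenSSL prompts here if the private key has a passphrase.
"%OPENSSL%" rsa  -in "%~2" -noout -modulus > "%TEMP%\key.mod"  || exit /b 1
"%OPENSSL%" x509 -in "%~3" -noout -modulus > "%TEMP%\cert.mod" || exit /b 1
fc "%TEMP%\key.mod" "%TEMP%\cert.mod" >nul
set "RC=%ERRORLEVEL%"
del "%TEMP%\key.mod" "%TEMP%\cert.mod"
if not "%RC%"=="0" (
  echo FAIL: private key does not match certificate
  exit /b 1
)

rem 4. Open the PKCS#12 file; OpenSSL prompts for the export password
rem    and verifies the MAC without printing keys or certificates.
"%OPENSSL%" pkcs12 -in "%~4" -noout || exit /b 1
echo OK: name, validity and key match checked; PFX opens
```

For the self-signed procedure the arguments would be the hostname followed by the .key, .pem and .pfx files created in steps 9, 10 and 12.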