Appendix - Creating Certificates

Creating a new SSL Certificate signed by a Certificate Authority - Windows

  1. Download a copy of the OpenSSL 32-bit binary from https://slproweb.com/products/Win32OpenSSL.html

  2. Install OpenSSL to C:\OpenSSL-Win32

  3. If prompted during installation, copy OpenSSL DLLs to the /bin directory

  4. Once installed, open a Command Prompt (cmd.exe) and run the following commands:

cd C:\OpenSSL-Win32\bin
set OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cfg
openssl genrsa -out keeper-sso.key 2048
openssl req -new -key keeper-sso.key -out keeper-sso_csr.txt

  5. You will then be prompted with a series of questions -- answer the questions with information pertinent to your organization. Example:

Country Name (2 letter code) []: US
State or Province Name (full name) []: California
Locality Name (e.g., city) []: San Francisco
Organization Name (e.g., company) []: Flying Cars, Inc.
Organizational Unit Name (e.g., section) []: Corporate
Common Name (e.g., web.stanford.edu) []: www.flyingcars.com [This needs to match the HOSTNAME of the SSO Connect configuration]
Email Address []: cto@flyingcars.com

Once completed, your new CSR file (keeper-sso_csr.txt) will be generated. Make note of the path of the CSR file (it should be in C:\OpenSSL-Win32\bin).

10. Upload the CSR file to your organization’s SSL Certificate provider, or purchase an SSL certificate from one of the following providers: Comodo/Sectigo, GoDaddy, Namecheap, Network Solutions, Thawte.

You can also get a free 30-day SSL certificate, which is a good way to verify that everything is working before you purchase an SSL certificate. The following providers offer free SSL certificates:

Comodo, SSL.com (90 days), ZeroSSL

Follow your vendor’s instructions for completing the certificate request. You will then need to wait for your certificate to be issued by your SSL Certificate provider. This can take anywhere between 5 minutes and 24 hours -- check with your vendor regarding their turnaround time.

11. Once you receive your newly issued certificate bundle (usually a .zip file), place the public key (e.g. certificate.crt), and any other intermediate certificates (e.g. CACert.crt, USERTrust.crt, etc.) in C:\OpenSSL-Win32\bin. The private key file you created (keeper-sso.key) should already be in this directory.

12. Open a Command Prompt (cmd.exe) and run the following commands:

cd C:\OpenSSL-Win32\bin
openssl pkcs12 -export -out keeper-sso.pfx -inkey keeper-sso.key -in keeper-sso.crt -certfile CAcert.crt -certfile IntermediateCert.crt

You will be prompted to enter a password to protect the generated PFX file. You will need this password when importing the PFX file into Keeper SSO Connect.

15. Back in SSO Connect, click “⚙️Configuration”:

16. Drag or upload the keeper-sso.pfx file you just generated into SSO Connect:

17. Click “Save” in the upper right hand corner of SSO Connect and your certificate configuration should be complete.
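
The batch script below is an added example, not part of the original guide: it checks the files produced in steps 4 through 12 before the PFX is uploaded to SSO Connect. It uses the file names from the steps above and assumes that CAcert.crt is the root certificate and IntermediateCert.crt is the intermediate; the two .tmp file names are made up for the example.

```batch
@echo off
rem Added example: sanity checks for the CSR, certificate, chain and PFX.
rem Run from C:\OpenSSL-Win32\bin after step 12.
rem Assumption: CAcert.crt is the root, IntermediateCert.crt the intermediate.
setlocal
set OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cfg

rem 1. Check the CSR self-signature and print its subject. The Common Name
rem    shown here must be the HOSTNAME from the SSO Connect configuration.
openssl req -in keeper-sso_csr.txt -noout -verify -subject || goto :fail

rem 2. The issued certificate must carry the same public key as keeper-sso.key.
rem    Both commands emit the key in the same PEM form, so the files must be equal.
openssl pkey -in keeper-sso.key -pubout > key_pub.tmp || goto :fail
openssl x509 -in keeper-sso.crt -noout -pubkey > cert_pub.tmp || goto :fail
fc key_pub.tmp cert_pub.tmp > nul || (echo Certificate does not match keeper-sso.key & goto :fail)

rem 3. The certificate must chain through the intermediate to the root.
rem    Also print the subject and expiry date for a manual check.
openssl verify -CAfile CAcert.crt -untrusted IntermediateCert.crt keeper-sso.crt || goto :fail
openssl x509 -in keeper-sso.crt -noout -subject -enddate

rem 4. List the certificates stored in the PFX. This prompts for the PFX password.
rem    Confirm that the server certificate and every chain certificate are listed.
openssl pkcs12 -in keeper-sso.pfx -nokeys -info || goto :fail

del key_pub.tmp cert_pub.tmp
echo All checks completed.
exit /b 0

:fail
del key_pub.tmp cert_pub.tmp 2>nul
echo Check failed, see the OpenSSL output above.
exit /b 1
```

The private key keeper-sso.key created in step 4 is stored unencrypted, so once the PFX imports correctly, restrict access to that file or remove it from the working directory.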

Creating a PKCS#12 Signed Certificate from an Existing Certificate - Windows

Download a copy of an OpenSSL Binary from this site:

Open a command prompt and enter:

mkdir c:\<hostname>
cd c:\<hostname>
set OPENSSL_CONF=c:\OpenSSL-Win32\bin\openssl.cfg
c:\OpenSSL-Win32\bin\openssl.exe

Place your private key (e.g. privateKey.key), public key (e.g. certificate.crt), and the CA certificate chain (e.g. CACert.crt) in this folder. Then run this command:

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

You may get prompted for the passphrase on the private key. The output file certificate.pfx can be uploaded into the SSO Connect interface. If a keystore passphrase was set, enter the passphrase on the SSO Connect interface.