Creating SSL Certificates
Creating SSL Certificates on Windows
This document provides step-by-step instructions for generating an SSL certificate for use in Keeper SSO Connect On-Prem. For existing environments, this action must be performed before your SSL certificate expires.
If you are using Linux, there is no need to install a binary version of OpenSSL. The instructions below focus on Windows environments.

Creating a new SSL Certificate signed by a Certificate Authority - Windows

(1) Download and install OpenSSL version 1.1.1. Version 3.0 of OpenSSL appears to have compatibility issues with Java 11, so we recommend using version 1.1.1 for now. For convenience, a third party (slproweb.com) has created a binary installer. A popular binary installer is linked below:
https://slproweb.com/download/Win32OpenSSL_Light-1_1_1n.exe
During installation, the default options can be selected. You may also be asked to install a Microsoft Visual Studio extension. Follow the instructions to install this extension before completing the OpenSSL setup.
(2) Run the OpenSSL Command Prompt
In your Start Menu there will be an OpenSSL folder. Click on the OpenSSL Command Prompt.
(3) On the OpenSSL Command Prompt, run the below command to create a private key.
C:\Users\craig> openssl genrsa -out keeper.mycompany.com.key
(4) Generate a CSR, making sure to use the hostname which you plan to use for SSO Connect. In this case, we will be using keeper.mycompany.com. The important item here is that the Common Name exactly matches the domain.
Example:
C:\Users\craig> openssl req -new -key keeper.mycompany.com.key -out keeper.mycompany.com.csr

Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Illinois
Locality Name (eg, city) [Default City]:Chicago
Organization Name (eg, company) [Default Company Ltd]:Lurey, LLC
Organizational Unit Name (eg, section) []:Engineering
Common Name []:keeper.mycompany.com
Email Address []:[email protected]
(5) Purchase an SSL certificate and submit the CSR to your SSL certificate provider.
Follow your vendor’s instructions for completing the certificate request. You will then need to wait for your certificate to be issued by your SSL Certificate provider. This can take anywhere between 5 minutes and 24 hours -- check with your vendor regarding their turnaround time.
The SSL certificate provider will deliver a zip file that contains a signed certificate (.crt file) and an intermediate CA cert (.ca-bundle). Unzip this file into the same location as the private key.
(6) After the certificate has been issued, it needs to be converted to .pfx format. From the OpenSSL Command Prompt in the same folder as the .key, .crt and .ca-bundle file, run the below command.
openssl pkcs12 -export -out keeper.mycompany.com.pfx -inkey keeper.mycompany.com.key -in keeper.mycompany.com.crt -certfile keeper.mycompany.com.ca-bundle

Enter Export Password: **********
Verifying - Enter Export Password: **********
In this example...
  • keeper.mycompany.com.key is the private key generated in step 1.
  • keeper.mycompany.com.crt is the signed certificate delivered in step 3.
  • keeper.mycompany.com.ca-bundle is the CA bundle containing intermediate and root public certificate chains.
  • keeper.mycompany.com.pfx is the pkcs12 output file used by SSO Connect that has been encrypted with a password.
Make sure to save all 3 files and the generated strong password in your Keeper vault. Note: The generated key password should not contain special characters.
You will need this password when importing the PFX file into the Keeper SSO Connect interface.
(7) Install the Certificate
Back in SSO Connect, click “⚙️Configuration”:
(8) Drag or upload the .pfx file you just generated into SSO Connect:
(9) Click “Save” in the upper right-hand corner of SSO Connect and your certificate configuration should be complete.
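
Before uploading the .pfx in step (8), the files from steps (3) to (5) can be checked against each other. The PowerShell script below is an added example, not part of Keeper's documentation. It assumes openssl.exe is on PATH, that the files use this page's example names in the current folder, and that 30 days is an acceptable renewal threshold (a hypothetical value).

```powershell
# Added example: pre-import checks for the key, CSR, certificate and CA bundle.
# Assumptions: openssl.exe (1.1.1) is on PATH, the files use the page's example
# names in the current folder, and 30 days is a hypothetical renewal threshold.
param(
    [string]$HostName = 'keeper.mycompany.com',
    [int]$MinDaysLeft = 30
)
$key = "$HostName.key"; $csr = "$HostName.csr"
$crt = "$HostName.crt"; $ca  = "$HostName.ca-bundle"

function Get-PublicKeyPem([string[]]$OpenSslArgs) {
    # Run openssl and return the PEM public key it prints as one string.
    $out = & openssl @OpenSslArgs
    if ($LASTEXITCODE -ne 0) { throw "openssl $($OpenSslArgs -join ' ') failed" }
    ($out -join "`n").Trim()
}

$results = [ordered]@{}

# 1. Key, CSR and issued certificate must all carry the same public key;
#    a mismatch means the CA signed a CSR made from a different key.
$pubKey = Get-PublicKeyPem 'pkey', '-in', $key, '-pubout'
$pubCsr = Get-PublicKeyPem 'req', '-in', $csr, '-noout', '-pubkey'
$pubCrt = Get-PublicKeyPem 'x509', '-in', $crt, '-noout', '-pubkey'
$results['Key matches CSR']         = ($pubKey -ceq $pubCsr)
$results['Key matches certificate'] = ($pubKey -ceq $pubCrt)

# 2. The certificate must be valid for the SSO Connect hostname
#    (-checkhost tests subjectAltName, falling back to the Common Name).
$hostCheck = & openssl x509 -in $crt -noout -checkhost $HostName
$results['Hostname matches'] = ($hostCheck -join ' ') -match 'does match certificate'

# 3. The certificate must not expire within $MinDaysLeft days
#    (-checkend exits non-zero if it expires inside the given seconds).
& openssl x509 -in $crt -noout -checkend ($MinDaysLeft * 86400) | Out-Null
$results["Valid for ${MinDaysLeft}+ days"] = ($LASTEXITCODE -eq 0)

# 4. The certificate must be signed by a CA certificate in the bundle.
& openssl verify -partial_chain -CAfile $ca $crt | Out-Null
$results['Signed by CA bundle'] = ($LASTEXITCODE -eq 0)

$results.GetEnumerator() | ForEach-Object {
    '{0,-26} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
if (@($results.Values) -contains $false) { exit 1 }
```

Check 4 only confirms that the bundle contains the issuer of the certificate; it does not test whether clients trust that issuer.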