How to create an Embedded Certificate with OpenSSL
This guide explains how to generate an X.509 certificate that meets the certificate requirements of the Switch edu-ID federation for embedding in SAML metadata.
The instructions below use sp.example.org as the hostname part of the Service Provider's entityID and sp-key.pem and sp-cert.pem as key and certificate file names; replace them with your own hostname and file names in the configuration file and commands.
On a host where OpenSSL is installed, perform the following steps:
- Create an OpenSSL configuration file selfsigned-cert.cnf with the following content:

    [req]
    default_bits=3072
    default_md=sha256
    encrypt_key=no
    distinguished_name=dn
    # PrintableStrings only
    string_mask=MASK:0002
    prompt=no
    x509_extensions=ext
    # customize the "default_keyfile", "CN" and "subjectAltName" lines below
    default_keyfile=sp-key.pem

    [dn]
    CN=sp.example.org

    [ext]
    subjectAltName=DNS:sp.example.org
    subjectKeyIdentifier=hash
- Run the following command to create a new key pair with a self-signed certificate valid for 10 years (3700 days):

    $ openssl req -new -x509 -config selfsigned-cert.cnf -out sp-cert.pem -days 3700

  You may reuse an existing key pair and only generate a new self-signed certificate with this command:

    $ openssl req -new -x509 -config selfsigned-cert.cnf -key sp-key.pem -out sp-cert.pem -days 3700

- Configure your SAML Service Provider to use this key pair (sp-key.pem and sp-cert.pem) to decrypt SAML assertions and sign SAML requests.
Certificate
The generated certificate should look like below when dumped with the command:

    $ openssl x509 -in sp-cert.pem -nameopt show_type,sep_comma_plus_space -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
99:49:f1:2e:3b:75:85:51
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=PRINTABLESTRING:sp.example.org
Validity
Not Before: Mar 30 08:05:33 2021 GMT
Not After : May 17 08:05:33 2031 GMT
Subject: CN=PRINTABLESTRING:sp.example.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (3072 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:sp.example.org
X509v3 Subject Key Identifier:
92:00:04:2B:63:03:B4:AE:E5:32:5D:8C:0D:D9:21:18:73:2C:DD:C7
Signature Algorithm: sha256WithRSAEncryption