How to create an Embedded Certificate with OpenSSL
This guide explains how to generate an X.509 certificate that meets the certificate requirements of the SWITCHaai federation for being embedded in SAML metadata.
The instructions below use placeholder values: the hostname part of the Service Provider's entityID (sp.example.org), the key file name (sp-key.pem), the certificate file name (sp-cert.pem) and the name of the customized OpenSSL configuration file (selfsigned-cert.cnf). Substitute your own values throughout.
On a host where OpenSSL is installed, perform the following steps:
- Create an OpenSSL configuration file selfsigned-cert.cnf with the following content:
[req]
default_bits=3072
default_md=sha256
encrypt_key=no
distinguished_name=dn
# PrintableStrings only
string_mask=MASK:0002
prompt=no
x509_extensions=ext
# customize the "default_keyfile", "CN" and "subjectAltName" lines below
default_keyfile=sp-key.pem
[dn]
CN=sp.example.org
[ext]
subjectAltName=DNS:sp.example.org
subjectKeyIdentifier=hash
- Run the following command to create a new key pair with a self-signed certificate valid for 10 years (3700 days):
$ openssl req -new -x509 -config selfsigned-cert.cnf -out sp-cert.pem -days 3700
You may reuse an existing key pair and only generate a new self-signed certificate with this command:
$ openssl req -new -x509 -config selfsigned-cert.cnf -key sp-key.pem -out sp-cert.pem -days 3700
- Configure your SAML Service Provider to use this key pair (sp-key.pem and sp-cert.pem) to decrypt SAML assertions and sign SAML requests.
Certificate
The generated certificate should look like the one below when dumped with the command:
$ openssl x509 -in sp-cert.pem -nameopt show_type,sep_comma_plus_space -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 99:49:f1:2e:3b:75:85:51
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=PRINTABLESTRING:sp.example.org
        Validity
            Not Before: Mar 30 08:05:33 2021 GMT
            Not After : May 17 08:05:33 2031 GMT
        Subject: CN=PRINTABLESTRING:sp.example.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (3072 bit)
                Modulus:
                    00:96:b7:88:d3:52:8c:25:41:79:5c:60:98:05:98:
                    81:13:38:74:f8:df:46:04:e9:ca:e0:15:99:c5:80:
                    8b:76:e9:e2:d8:e7:05:a7:5d:3a:e7:6a:27:2c:23:
                    37:3c:a9:a5:27:36:27:13:f1:1d:e0:d5:6a:c0:1b:
                    83:9d:11:19:77:03:e2:87:b4:41:4b:93:a0:b4:36:
                    0b:1f:79:64:f4:74:17:b9:8a:e3:ef:c4:b9:77:2d:
                    2f:a9:43:e3:79:d9:d1:cd:b8:37:9f:dd:cf:a4:50:
                    55:90:e6:f3:42:7c:b1:51:df:ce:e3:00:7f:d9:c9:
                    ba:19:43:b0:8b:84:b1:d7:38:a3:d8:3a:32:f5:8b:
                    cc:56:01:59:2e:c4:1d:5c:2e:b2:d7:08:9d:27:a8:
                    73:64:69:bb:88:21:d0:d5:3f:3e:fe:71:14:ee:e5:
                    df:13:a0:c2:f6:d2:34:46:25:55:d4:ff:d9:5a:32:
                    2c:8d:30:76:5e:b4:d4:e4:3c:0d:6b:2b:3a:c5:1c:
                    73:f0:a9:2d:ef:1e:17:11:69:74:ef:04:ee:c5:3c:
                    79:c6:c3:f3:74:47:fb:c6:a4:b2:fd:ae:5b:36:8f:
                    12:54:05:3d:13:e9:ed:74:d7:4e:c0:ab:82:20:0e:
                    55:ba:55:4c:32:e1:c3:6a:73:80:44:5c:df:cf:b9:
                    e7:fd:17:99:65:14:80:81:0c:8b:44:81:56:91:34:
                    4e:66:a4:e8:da:72:27:a7:9e:22:0c:24:e4:84:4c:
                    3c:10:20:6c:dc:1c:b8:32:c3:3a:9a:58:33:dc:4a:
                    ae:be:25:4f:6b:5b:39:0b:9d:70:96:b7:35:a5:fd:
                    27:1c:2e:4b:93:14:1a:96:12:3b:89:9d:c6:63:b1:
                    d3:54:cd:4d:16:f2:3e:45:e4:4b:1a:46:ea:dd:07:
                    d1:87:51:b6:40:c8:44:73:d1:ca:91:29:8d:54:3a:
                    62:a3:6a:72:18:aa:ba:f5:61:85:3b:b8:51:9e:5e:
                    fd:34:e1:a7:b3:97:98:9f:42:bf
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:sp.example.org
            X509v3 Subject Key Identifier:
                92:00:04:2B:63:03:B4:AE:E5:32:5D:8C:0D:D9:21:18:73:2C:DD:C7
    Signature Algorithm: sha256WithRSAEncryption
         70:bf:89:7e:cf:f3:a3:45:39:1a:95:92:00:0d:7a:23:6f:96:
         94:7d:e2:09:f4:ec:5b:af:23:6b:fc:e5:91:b4:f1:f4:02:b0:
         9c:48:0f:51:50:09:f3:41:c3:49:31:59:3d:17:f7:26:9b:b0:
         ee:e4:df:d5:d4:94:ae:3b:bd:5e:47:84:a9:b2:dd:1b:59:ab:
         79:59:af:8f:80:98:aa:c4:66:7d:5f:02:e3:ab:59:c7:91:aa:
         57:64:8c:1f:f1:dd:e5:59:3a:97:75:0b:b3:dd:b9:13:80:6d:
         15:48:ce:3d:a0:a6:64:18:cb:0d:7b:a7:5d:1a:83:cb:db:cf:
         4e:6c:39:5d:27:5d:17:0e:1f:e7:a1:46:13:a4:d7:88:48:79:
         85:65:79:af:7e:55:a4:11:8d:8d:25:df:e9:a7:34:d0:de:b3:
         5e:eb:3c:a5:ca:00:31:6e:97:4a:a3:ef:8e:29:39:ad:aa:f8:
         30:80:ed:09:bf:65:c9:80:4f:c1:10:1a:4f:b8:07:a0:83:1e:
         db:b6:c8:ea:14:9a:fd:d4:15:2c:8a:7a:47:fd:20:1a:97:ce:
         3e:d5:19:13:b4:47:55:fd:98:49:d4:a3:a8:5a:aa:e4:c6:c7:
         9b:7c:b0:19:1f:d1:ad:b2:24:25:85:46:d3:de:19:f0:6e:03:
         52:23:3d:11:c0:11:99:aa:d5:af:ad:83:66:2e:9b:e5:98:32:
         d7:48:c8:db:be:f4:87:b8:f4:4c:fa:36:da:05:dc:c6:6c:85:
         5b:43:b2:44:54:0e:74:dd:b2:04:a7:3e:58:66:74:d4:49:a4:
         5a:bb:1f:9f:50:9a:86:2b:29:7e:4a:69:31:b6:7a:0a:cf:91:
         08:62:ce:e2:34:ab:d2:36:85:c7:ae:42:ab:25:5c:8e:51:48:
         5a:a1:1c:92:90:71:71:60:b1:c7:f4:76:0a:99:cb:9b:45:4f:
         ed:94:31:25:8a:79:30:3e:81:f4:44:03:bb:bb:c8:74:a4:b7:
         2a:81:48:10:89:98
-----BEGIN CERTIFICATE-----
MIID9zCCAl+gAwIBAgIJAJlJ8S47dYVRMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV
BAMTEHRlc3QuZXhhbXBsZS5vcmcwHhcNMjEwMzMwMDgwNTMzWhcNMzEwNTE3MDgw
NTMzWjAbMRkwFwYDVQQDExB0ZXN0LmV4YW1wbGUub3JnMIIBojANBgkqhkiG9w0B
AQEFAAOCAY8AMIIBigKCAYEAlreI01KMJUF5XGCYBZiBEzh0+N9GBOnK4BWZxYCL
duni2OcFp10652onLCM3PKmlJzYnE/Ed4NVqwBuDnREZdwPih7RBS5OgtDYLH3lk
9HQXuYrj78S5dy0vqUPjednRzbg3n93PpFBVkObzQnyxUd/O4wB/2cm6GUOwi4Sx
1zij2Doy9YvMVgFZLsQdXC6y1widJ6hzZGm7iCHQ1T8+/nEU7uXfE6DC9tI0RiVV
1P/ZWjIsjTB2XrTU5DwNays6xRxz8Kkt7x4XEWl07wTuxTx5xsPzdEf7xqSy/a5b
No8SVAU9E+ntdNdOwKuCIA5VulVMMuHDanOARFzfz7nn/ReZZRSAgQyLRIFWkTRO
ZqTo2nInp54iDCTkhEw8ECBs3By4MsM6mlgz3EquviVPa1s5C51wlrc1pf0nHC5L
kxQalhI7iZ3GY7HTVM1NFvI+ReRLGkbq3QfRh1G2QMhEc9HKkSmNVDpio2pyGKq6
9WGFO7hRnl79NOGns5eYn0K/AgMBAAGjPjA8MBsGA1UdEQQUMBKCEHRlc3QuZXhh
bXBsZS5vcmcwHQYDVR0OBBYEFJIABCtjA7Su5TJdjA3ZIRhzLN3HMA0GCSqGSIb3
DQEBCwUAA4IBgQBwv4l+z/OjRTkalZIADXojb5aUfeIJ9OxbryNr/OWRtPH0ArCc
SA9RUAnzQcNJMVk9F/cmm7Du5N/V1JSuO71eR4Spst0bWat5Wa+PgJiqxGZ9XwLj
q1nHkapXZIwf8d3lWTqXdQuz3bkTgG0VSM49oKZkGMsNe6ddGoPL289ObDldJ10X
Dh/noUYTpNeISHmFZXmvflWkEY2NJd/ppzTQ3rNe6zylygAxbpdKo++OKTmtqvgw
gO0Jv2XJgE/BEBpPuAeggx7btsjqFJr91BUsinpH/SAal84+1RkTtEdV/ZhJ1KOo
WqrkxsebfLAZH9GtsiQlhUbT3hnwbgNSIz0RwBGZqtWvrYNmLpvlmDLXSMjbvvSH
uPRM+jbaBdzGbIVbQ7JEVA503bIEpz5YZnTUSaRaux+fUJqGKyl+SmkxtnoKz5EI
Ys7iNKvSNoXHrkKrJVyOUUhaoRySkHFxYLHH9HYKmcubRU/tlDElinkwPoH0RAO7
u8h0pLcqgUgQiZg=
-----END CERTIFICATE-----
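The following script is an added example, not part of the SWITCHaai guide. It wraps the two procedures above (fresh key pair plus certificate, and a new certificate for an existing key) in shell functions and then checks the resulting certificate against the properties the dump above exhibits: a 3072-bit RSA key, a sha256WithRSAEncryption signature, a CN encoded as PrintableString, a subjectAltName carrying the hostname, a validity of about 3700 days, and a private key that actually belongs to the certificate. The working directory, the function names and the 3699/3701-day tolerance are assumptions of this example; the file names and hostname are the guide's placeholders.

```shell
#!/bin/sh
# Added example (not from the SWITCHaai guide): generate the embedded
# certificate as described and verify it meets the stated requirements.
# Assumed: a scratch directory passed as $1, hostname passed as $2.
set -eu

# write_config DIR HOST: write selfsigned-cert.cnf with the guide's settings
write_config() {
  cat > "$1/selfsigned-cert.cnf" <<EOF
[req]
default_bits=3072
default_md=sha256
encrypt_key=no
distinguished_name=dn
# PrintableStrings only
string_mask=MASK:0002
prompt=no
x509_extensions=ext
default_keyfile=$1/sp-key.pem
[dn]
CN=$2
[ext]
subjectAltName=DNS:$2
subjectKeyIdentifier=hash
EOF
}

# generate_cert DIR HOST: new key pair + self-signed certificate (3700 days)
generate_cert() {
  write_config "$1" "$2"
  openssl req -new -x509 -config "$1/selfsigned-cert.cnf" \
    -out "$1/sp-cert.pem" -days 3700 2>/dev/null
}

# renew_cert DIR HOST: keep the existing key, issue a fresh certificate
renew_cert() {
  openssl req -new -x509 -config "$1/selfsigned-cert.cnf" \
    -key "$1/sp-key.pem" -out "$1/sp-cert.pem" -days 3700 2>/dev/null
}

# key_matches_cert KEY CERT: the SubjectPublicKeyInfo of both must be equal
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$2" -noout -pubkey)
  [ "$k" = "$c" ]
}

# check_cert CERT HOST: return 0 only if every requirement holds
check_cert() {
  cert=$1; host=$2
  text=$(openssl x509 -in "$cert" -noout -text \
           -nameopt show_type,sep_comma_plus_space)
  # 3072-bit RSA key
  printf '%s\n' "$text" | grep -q 'Public-Key: (3072 bit)' \
    || { echo "key is not 3072 bit" >&2; return 1; }
  # SHA-256 signature
  printf '%s\n' "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' \
    || { echo "signature is not sha256WithRSAEncryption" >&2; return 1; }
  # CN encoded as PrintableString (effect of string_mask=MASK:0002)
  printf '%s\n' "$text" | grep -q "Subject: CN=PRINTABLESTRING:$host" \
    || { echo "CN is missing or not a PrintableString" >&2; return 1; }
  # subjectAltName carries the hostname
  printf '%s\n' "$text" | grep -q "DNS:$host" \
    || { echo "subjectAltName does not list $host" >&2; return 1; }
  # validity of about 3700 days: still valid in 3699 days, expired in 3701
  openssl x509 -in "$cert" -noout -checkend $((3699 * 86400)) >/dev/null \
    || { echo "certificate expires before 3699 days" >&2; return 1; }
  if openssl x509 -in "$cert" -noout -checkend $((3701 * 86400)) >/dev/null; then
    echo "certificate valid for more than 3701 days" >&2; return 1
  fi
  # self-signed: the certificate verifies against itself
  openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1 \
    || { echo "certificate is not self-signed or is invalid" >&2; return 1; }
}

# demo: run both procedures in a scratch directory and check the results
demo() {
  d=$(mktemp -d)
  generate_cert "$d" sp.example.org
  check_cert "$d/sp-cert.pem" sp.example.org
  renew_cert "$d" sp.example.org
  key_matches_cert "$d/sp-key.pem" "$d/sp-cert.pem"
  check_cert "$d/sp-cert.pem" sp.example.org
  echo "certificate in $d/sp-cert.pem meets all requirements"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it as `sh embedded-cert.sh --demo`; every check prints a reason to stderr when it fails, which makes the same function usable as a pre-deployment gate for a certificate produced elsewhere. The validity check deliberately avoids parsing dates and instead asks `openssl x509 -checkend` whether the certificate is still valid at two instants bracketing 3700 days, which works identically with GNU and BSD userlands.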