How to create a self-signed x509 certificate with both private and public keys?
Solution 1
In order to generate a self-signed cert you need openssl library so:
Debian:
apt-get install openssl
Centos/RedHat:
yum install openssl
Then follow this 3 steps:
-
Generate private key:
openssl genrsa -out server.pem 2048
-
Generate CSR: (In the "Common Name" set the domain of your service provider app)
openssl req -new -key server.pem -out server.csr
-
Generate Self Signed Cert
openssl x509 -req -days 365 -in server.csr -signkey server.pem -out server.crt
At the end of the process you will get server.csr (certificate signing request), server.pem (private key) and server.crt (self signed cert)
In windows you can use makecert.exe
Solution 2
I used the SelfSSL tool for Windows when putting together an ADFS proof of concept. Specifically, this guy has an enhanced version for IIS7.
A sample command:
selfssl7.exe /N cn=www.example.com /K 2048 /V 3652 /X /F C:\example.pfx /W foo
Generates "example.pfx" file with a 2048-bit key, valid for ~10 years, with password "foo" protecting the private key, with common name "www.example.com". You can import this to your local machine's certificate store and then export it as a .cer file with or without the private key info as desired.
Brian David Berman
Updated on April 24, 2020Comments
-
Brian David Berman about 4 years
I am creating an SSO "proof of concept" using SAML2 and ADFS2 (IdP). Log In is working fine, however ADFS2 is requiring that my Logout request be signed (with a private key) and then I would imagine that I would then add that very same certificate (.cer file) under the Signature tab within my Relying Party Trusts in ADFS2. The only problem is that I don't have a certificate for my app (service provider). I understand that I can create a self-signed cert for this purpose but I can't seem to figure out how to create one with everything I need.
-
Brian David Berman over 11 yearsIt seems that ADFS is requiring a .cer, .sst or .p7b file. Are either of those possible with your solution?
-
smartin over 11 yearsYou can use x509 cert for "Token-signing certificate" in ADFS 2.0: technet.microsoft.com/en-us/library/dd807040%28v=WS.10%29.aspx The .pb7 is a cert file of the type application/x-pkcs7-certificates To convert from the actual format (PEM or DER) to the pkcs7 format, you can execute: openssl crl2pkcs7 -nocrl -certfile server.crt -out server.p7b .The .sst files are in format application/vnd.ms-pki.certstore Don't know how convert it with openssl
-
smartin over 11 years.crt and .pem are extension that I used. You can rename them: server.pem to server-private-key.cer server.crt to server-self-signed-cert.cer
-
Brian David Berman over 11 years@Sean - And this cert will be able to be used as a way to sign (private key) a Single Log Out request (for example) sent over to ADFS in which ADFS uses the public key to verify? Thanks so much.
-
Brian David Berman over 11 yearsSean - When I go to export with private key, I don't get .cer as an option, only .pfx. Is that normal?
-
Sean Hanley over 11 years@Brian Yes, that's normal. CER format cannot carry additional data like the private key. I believe PFX is more like a container format for lots of different kinds of security data, so it can handle bundling a certificate and key together.
-
smartin about 9 yearsYou can also use this online tool: samltool.com/self_signed_certs.php
-
tony.0919 almost 9 yearsYou can use
openssl req -new -x509 -key privateKey.pem -out cert.cer -days 365
to create a .cer format file from private key. -
smartin about 6 yearsIs also important when generating the pivate key to do it to a robust alg, for example use the -sha512 option