By hubertsblog on Nov 11, 2008
Browsing here and there I gathered the following steps to create a public/private key pair for digitally signing messages (or assertions), together with the corresponding X.509 certificate for the public key. The steps assume OS X, but since nearly everything is done with openssl and keytool they are fairly generic across UNIX systems. Hopefully it saves someone else the search.
- Creating the key pair (older keytool releases default to a 1024-bit RSA key; ask for 2048 bits or more explicitly)
keytool -genkey -alias SL -keyalg RSA -keysize 2048 -validity 365 -keystore keys/my.keystore
- Displaying the result (same keystore path as above; -v prints the full certificate details)
keytool -list -keystore keys/my.keystore
keytool -list -v -keystore keys/my.keystore
- Creating a CSR for the key (keytool aliases are case-insensitive, so sl and SL refer to the same entry) and inspecting it with openssl
keytool -certreq -keystore keys/my.keystore -alias SL -file SL_certification_signing_Request.pem
openssl req -noout -text -in SL_certification_signing_Request.pem
- Creating a CA
[The CA-creation command itself is not reproduced here. Everything below assumes the default demoCA/ layout from the CA_default section of openssl.cnf: demoCA/cacert.pem, demoCA/private/cakey.pem, demoCA/index.txt, demoCA/newcerts/ and demoCA/serial. You'll need to remember the PEM pass phrase you gave the CA key.]
- Initialising the serial number file (openssl ca will not run without it)
echo 01 > demoCA/serial
[The file holds, in hex, the serial number of the next certificate to be issued. RFC 5280 requires serial numbers to be positive, so start at 01 rather than 00.]
- Signing the certificate request with the CA
openssl ca -in SL_certification_signing_Request.pem -out signed_cert_request.pem -keyfile demoCA/private/cakey.pem -cert demoCA/cacert.pem
[-keyfile and -cert override the private_key and certificate entries of the config; the database, serial and new_certs_dir settings still come from the CA_default section of openssl.cnf, so run this from the directory that contains demoCA/.]
- Verifying that the issued certificate was indeed signed by the CA
openssl verify -CAfile demoCA/cacert.pem signed_cert_request.pem
Additionally, you may have to convert the certificate into something that is easier to deal with programmatically.
I have successfully used the following commands to do so:
- Stripping the output of openssl ca down to the PEM block (openssl ca writes a human-readable text dump of the certificate ahead of the -----BEGIN CERTIFICATE----- block, which not every consumer tolerates; openssl x509 re-emits only the encoded certificate)
openssl x509 -in signed_cert_request.pem -out signed2_cert_request.pem
- Bundling the certificate and the CA certificate into a DER-encoded PKCS#7 file (a certificate-only SignedData, i.e. a .p7c)
openssl crl2pkcs7 -nocrl -certfile signed2_cert_request.pem -certfile demoCA/cacert.pem -outform DER -out certificate.p7c
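As an added example that is not part of the original post, here is the whole procedure above as one non-interactive script. It assumes a demo pass phrase (PASS), a minimal openssl config written inline to ca.cnf so that openssl ca does not depend on the system openssl.cnf, and, because the post does not show its CA-creation command, a self-signed CA generated with openssl req -x509 in the same demoCA/ layout. If keytool is not installed it falls back to an openssl-generated key for the CSR. File names follow the post.

```shell
#!/bin/sh
# Added example, not from the original post. Runs the whole procedure unattended in a
# throwaway directory. Assumptions: a demo pass phrase, an inline minimal openssl config
# (so `openssl ca` does not depend on the system openssl.cnf), and a self-signed CA made
# with `openssl req -x509` standing in for the CA-creation step the post does not show.
set -eu
PASS="${PASS:-changeit}"   # demo pass phrase only (assumption); never hard-code a real one

write_ca_config() {
  # [CA_default] mirrors the demoCA/ layout the post's commands rely on.
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = ./demoCA
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
serial          = $dir/serial
certificate     = $dir/cacert.pem
private_key     = $dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_any
x509_extensions = usr_cert
unique_subject  = no
[ policy_any ]
commonName      = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage        = digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage        = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

make_ca() {
  # Stand-in for the post's unshown CA step: a self-signed CA in the same demoCA/ layout.
  mkdir -p demoCA/private demoCA/newcerts
  : > demoCA/index.txt
  echo 01 > demoCA/serial   # serial of the next cert; 00 would issue serial 0, which RFC 5280 forbids
  openssl req -x509 -new -newkey rsa:2048 -days 3650 -config ca.cnf -subj "/CN=Demo Signing CA" \
    -passout "pass:$PASS" -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem
}

make_keypair_and_csr() {
  mkdir -p keys
  if command -v keytool >/dev/null 2>&1; then
    keytool -genkeypair -alias SL -keyalg RSA -keysize 2048 -validity 365 -dname "CN=SL" \
      -keystore keys/my.keystore -storepass "$PASS" -keypass "$PASS" >/dev/null
    keytool -certreq -alias SL -keystore keys/my.keystore -storepass "$PASS" \
      -file SL_certification_signing_Request.pem >/dev/null
  else
    # No JDK on this box: produce the same CSR from an openssl-generated key instead.
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=SL" \
      -keyout keys/sl.key -out SL_certification_signing_Request.pem
  fi
}

sign_and_convert() {
  openssl ca -batch -config ca.cnf -passin "pass:$PASS" \
    -keyfile demoCA/private/cakey.pem -cert demoCA/cacert.pem \
    -in SL_certification_signing_Request.pem -out signed_cert_request.pem >/dev/null
  # openssl ca prepends a text dump to its output file; re-emit only the PEM block ...
  openssl x509 -in signed_cert_request.pem -out signed2_cert_request.pem
  # ... then bundle leaf + CA certificate into a DER PKCS#7 (.p7c).
  openssl crl2pkcs7 -nocrl -certfile signed2_cert_request.pem -certfile demoCA/cacert.pem \
    -outform DER -out certificate.p7c
}

# Returns 0 when the issued cert chains to the CA and the .p7c carries both certificates.
verify_outputs() {
  openssl verify -CAfile demoCA/cacert.pem signed_cert_request.pem 2>/dev/null \
    | grep -q ': OK$' || return 1
  n=$(openssl pkcs7 -inform DER -in certificate.p7c -print_certs -noout | grep -c '^subject' || true)
  [ "$n" -eq 2 ]
}

# Runs every step in a fresh temp directory; prints that directory on success.
run_pipeline() {
  ( set -e
    WORK=$(mktemp -d); cd "$WORK"
    write_ca_config; make_ca; make_keypair_and_csr; sign_and_convert; verify_outputs
    echo "$WORK" )
}

run_pipeline
```

run_pipeline prints the working directory on success and fails if the issued certificate does not verify against demoCA/cacert.pem or the .p7c does not contain exactly two certificates. The grep on ": OK" is there because older openssl verify builds exit 0 even when verification fails.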