Generating Self Signed Certificate


For testing purposes, it is necessary to generate secure self-signed server and client certificates. However, I have found that many tutorials available on the web are complicated, and they do not cover certificates that use safe algorithms. And so, since “necessity is the mother of invention”, I decided to create a simple tutorial and share it with all of you!

Why OpenSSL?

I chose OpenSSL because it is available on all platforms (Linux, macOS, Windows), which means this tutorial can be followed on any of them.

About the Steps


While there are many steps in this process, please do not worry. My goal is to make this as simple as possible for you, so I have broken every action down into a single step. This way, everything should be clear, and my hope is that you won’t waste time or get frustrated along the way. There is one requirement before starting: you’ll need to have OpenSSL installed. Ok, ready? Let’s get started!

Step 1 - Certificate Authority

Step 1.1 - Generate the Certificate Authority (CA) Private Key

Every certificate must have a corresponding private key. Generate this using the following command line:

This will create a 256-bit private key over an elliptic curve, which is the industry standard. We know that Curve25519 is considered safer than this NIST P-256 curve, but it is only standardized in TLS 1.3, which is not yet widely supported.

Step 1.2 - Generate the Certificate Authority Certificate

The CA generates and issues certificates. Here is a link to additional resources if you wish to learn more about this.

Generate the Root CA certificate using the following command line:

You will be prompted to provide some information about the CA. Here is what the request looks like:

Below is an example using information that is specific to Devolutions (replace with your own specific information):

Your CA will be created once you enter your information.

Step 2: Server Certificate

This step may be repeated for each server you need.

Step 2.1 - Generate the Server Certificate Private Key

To generate the server private key, use the following command line:

This will create a file named server.key.

Step 2.2 - Generate the Server Certificate Signing Request

To generate the server certificate signing request, use the following command line:

For maximum security, we strongly recommend that the signing request should only be generated on the server where the certificate will be installed. The server private key should never leave the server!

You will be prompted to provide some information about the server certificate. You can enter the same information you used for the CA certificate. For example:

In addition, you will be prompted to create a password. Make sure to use a long, strong, and unique password. Here is an example (do not use this one!):

Step 2.3 - Generate the Server Certificate

You are now ready to generate the server certificate, which can be done through the following command line:

This step should only be performed on the Certificate Authority server as the CA private key should never leave the host where it has been generated. You must transfer the signing request to the CA server.

Step 3: Client Certificate

This step may be repeated for each client you need.

Step 3.1 - Generate the Client Certificate Private Key

Use the following command line to create the client certificate private key:

This will create a file named “client1.key”.

Step 3.2 - Create the Client Certificate Signing Request

You need to create a signing request to generate a certificate with the CA. Use the following command line:

For maximum security, we strongly recommend that the certificate signing request should only be generated on the client where the certificate will be installed. The client private key should never leave the client!

Next, you will be prompted to submit information about the client certificate. You can enter the same information as the CA certificate, except for the last two entries: Common Name and Email Address. These should be the name and email of an individual and not your company. For example:

You will also be asked to set a password on the certificate signing request. Once again, make sure that you choose a strong and safe password. Here is an example (do not use this one!):

Step 3.3 - Generate the Client Certificate

You are now ready to generate the client certificate, which can be done through the following command line:

This step should only be performed on the Certificate Authority server as the CA private key should never leave the host where it has been generated. You must transfer the signing request to the CA server.

We recommend generating a single certificate for each client, as this lets you quickly identify the affected client in the event of an issue or problem. For maximum security, the client private key should remain on the client and never be copied to another host.
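The whole Step 1 to Step 3 flow as one non-interactive script, added here as an example (these are not the commands from the original post). File prefixes, subjects and the example.com names are assumptions; -subj replaces the prompts (including the challenge password), and the signing step adds a subjectAltName and an extendedKeyUsage, which the text does not mention but current TLS clients expect.

```shell
#!/bin/sh
# Added example (not the original post's commands): the Step 1 -> 2 -> 3 flow
# run non-interactively. File prefixes (ca, server1, client1), the subjects and
# the example.com names are assumptions; replace them with your own values.
set -eu

# Step 1: CA private key on NIST P-256 (the 256-bit elliptic-curve key the text
# describes) and the self-signed root certificate, valid 10 years. -subj
# supplies the answers the command would otherwise prompt for.
make_ca() {
    openssl ecparam -name prime256v1 -genkey -noout -out ca.key
    openssl req -x509 -new -sha256 -days 3650 -key ca.key \
        -subj "/C=CA/O=Devolutions/CN=Devolutions Test CA" -out ca.crt
}

# Steps 2.1-2.2 and 3.1-3.2: entity key plus signing request. Run this on the
# server or client itself so the private key never leaves that host; only the
# .csr file is copied to the CA host.
make_key_and_csr() {   # $1 = file prefix, $2 = subject
    openssl ecparam -name prime256v1 -genkey -noout -out "$1.key"
    openssl req -new -sha256 -key "$1.key" -subj "$2" -out "$1.csr"
}

# Steps 2.3 and 3.3: the CA signs the request. Run on the CA host only. The
# extension file restricts the certificate to one purpose and adds the
# subjectAltName modern TLS clients check instead of the Common Name.
sign_csr() {           # $1 = file prefix, $2 = serverAuth|clientAuth, $3 = SAN
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\nsubjectAltName=%s\n' \
        "$2" "$3" > "$1.ext"
    openssl x509 -req -sha256 -days 365 -in "$1.csr" -CA ca.crt -CAkey ca.key \
        -CAcreateserial -extfile "$1.ext" -out "$1.crt"
}

# Returns non-zero unless the leaf certificate chains to ca.crt.
verify_cert() { openssl verify -CAfile ca.crt "$1.crt" >/dev/null; }

# Full run inside the given directory: one server cert and one per-client cert.
demo() {
    cd "$1"
    make_ca
    make_key_and_csr server1 "/C=CA/O=Devolutions/CN=server1.example.com"
    sign_csr server1 serverAuth DNS:server1.example.com
    make_key_and_csr client1 "/C=CA/O=Devolutions/CN=Alice Example/emailAddress=alice@example.com"
    sign_csr client1 clientAuth email:alice@example.com
    verify_cert server1 && verify_cert client1
}
```

Run it as `demo /path/to/empty/dir`; in real use the make_key_and_csr and sign_csr calls are split across the entity host and the CA host as the text describes.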

I hope that you’ve found this tutorial simple and helpful. If you have any questions or comments, please post your feedback below!

I do not currently have a self-signed certificate, but I would like to generate one.

The following section will describe how to use XTAM to create your own self-signed certificate (in JKS format) and then configure XTAM to use it.

Please note that this self-signed certificate may not be trusted by all of your internet browsers, so you may still receive a browser security warning.

  1. Login to the server where XTAM is installed.
  2. Open a command line and navigate to the folder where XTAM is installed {$XTAM_HOME} and issue the following command:
    1. For Windows, substitute your PATH_TO_KEY_STORE.jks with a location where the certificate file will be created and its name (for example, c:\xtam\content\keys\xtamcert.jks). ALIAS_NAME is a unique identifying string for the key and can be any value, avoiding spaces and special characters (for example, xtamcert):

    2. For Unix or Linux, substitute your PATH_TO_KEY_STORE.jks with a location where the certificate file will be created and its name. ALIAS_NAME is a unique identifying string for the key and can be any value, avoiding spaces and special characters:

  3. After the command is issued, you will be prompted for a number of values. Enter values as described below:
    1. Keystore Password: Create a password for the keystore defined in the PATH_TO_KEY_STORE location.

    2. First and Last Name: The domain name of the server. It looks wrong, but you need to enter the domain name for the certificate here. For example, xtam.company.com.
    3. Organizational Unit: Your department name.

    4. Organization: Your company name.

    5. City or Locality: Your city or locality name.

    6. State or Province: Your state or province name.

    7. Country Code: Your two letter country code.

  4. Confirm your information by entering y for Yes.
  5. Create a new password for the key (as defined by its alias name) or reuse the keystore password by pressing the Enter key.
  6. The certificate will now be generated in the location defined in PATH_TO_KEY_STORE.jks
  7. Now we want to encrypt your key password. In the same command line, issue the following command:
    1. For Windows:
    2. For Unix or Linux:
  8. When prompted, enter your key password (the password from step 5) and press Enter to continue. The command output will display the full encrypted password string after the Ok: prefix.
  9. Now that we have your new certificate (PATH_TO_KEY_STORE.jks) and its encrypted password, it's time to configure it for use by XTAM. Open the file: {XTAM_HOME}/web/conf/catalina.properties
  10. Scroll down or search for the section labeled # SSL Certificate
  11. In this section, replace the existing path and password with your new certificate and its password.
    1. xtam.cert.path={PATH_TO_KEY_STORE.jks}
    2. xtam.cert.password={yourEncryptedPasswordString}
  12. Save and close this file.
  13. Restart the PamManagement (Windows) or pammanager (Linux) service.
  14. Open your browser and navigate to the new login page. Remember, the XTAM login will now be located at the domain defined in the certificate. For example, https://xtam.company.com:6443/xtam.

To summarize, you have now generated your own certificate and an encrypted password for it, and have configured XTAM to recognize and use this certificate.

This configuration will allow the use of XTAM without the Federated Sign-In module.

If you also want to use the Federated Sign-In module, please continue to the next section.

I already have a self-signed certificate encoded in JKS format that I would like to use.