This article presents simple steps for generating a self-signed certificate on the KeyShield SSO server.
On the KeyShield SSO server configuration page you have to provide the HTTPS keystore and API keystore files in PKCS #12 format in order to use the HTTPS port for the KeyShield server. The following steps show how to generate a PKCS #12 file on the Linux machine on which the KeyShield SSO server will be installed.
Step 1: Log in as admin to the Linux machine where the KeyShield SSO server is installed, using any SSH client (e.g. MobaXterm, PuTTY, mRemoteNG). Then type the yast2 command in the console window, which will open a GUI window.
(Note: YaST may not be installed on every Linux server; on Filr it is already there, so there is no need to download it.)
Step 2: Once you are on the YaST2 Control Center start screen, select “Security and Users” and then “CA Management” from the available options. Double-click the CA Management option to enter the CA module.
Step 3: Enter the basic data for the CA in the dialog, as shown below.
Enter the technical name of the CA (Certificate Authority). Directory names, among other things, are derived from this name, which is why only the characters listed in the help can be used. The technical name is also displayed in the overview when the module is started.
Enter the name for use in referring to the CA.
Several e-mail addresses can be entered that can be seen by the CA user. This can be helpful for inquiries.
Select the country where the CA is operated.
Organization, Organizational Unit, Locality, State: these are optional values.
Then proceed with “Next”.
Step 4: Enter the required password for the CA. This password is always required when using the CA, for example when creating a sub-CA or generating certificates.
Key Length contains a meaningful default and does not generally need to be changed unless an application cannot deal with this key length. The higher the number, the more secure the key is.
Valid Period (days)
The Valid Period in the case of a CA defaults to 3650 days (roughly ten years). This long period makes sense because the replacement of a deleted CA involves an enormous administrative effort.
- Clicking Advanced Options opens a dialog for setting different attributes from the X.509 extensions (as shown in figure below). These values have rational default settings and should only be changed if you are really sure of what you are doing. Proceed with Next.
- Review the summary. YaST2 displays the current settings for confirmation. Click Create. The root CA is created and then appears in the overview.
Step 5: Click on “Enter CA” on the selected root CA.
Enter the password if you are entering a CA for the first time. YaST displays the CA key information in the Description tab.
Click “Advanced” and select “Export to File”; this opens a window listing the available export formats.
Select the PKCS12 format from the list of options, choose a filename for the certificate, and then click OK.
- Now upload this PKCS12 file on your KeyShield Server configuration page, adding it in both the HTTPS keystore and the API keystore fields along with the password.
As shown in the picture below.
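Before uploading the exported file, it is worth confirming that it opens with the password you set, contains the private key, and is not about to expire. The following shell function is an added example, not part of the original article or of KeyShield; it assumes the openssl command-line tool is installed, and the names check_p12, P12_PASS and WARN_DAYS are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original article): sanity-check an exported
# PKCS #12 keystore. The password is read from the P12_PASS environment
# variable so that it does not appear in the process list.
# WARN_DAYS (assumed default: 30) is the minimum remaining validity accepted.

check_p12() {
    p12=$1
    warn_secs=$(( ${WARN_DAYS:-30} * 86400 ))

    [ -r "$p12" ] || { echo "cannot read $p12" >&2; return 2; }

    # MAC check: fails on a wrong password or a damaged file.
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -noout 2>/dev/null \
        || { echo "cannot open keystore (wrong password or corrupt file)" >&2; return 3; }

    # An HTTPS keystore is useless without the private key. The decrypted
    # key only travels through the pipe to grep; it is never written to disk.
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY' \
        || { echo "no private key in keystore" >&2; return 4; }

    # Certificate that belongs to the private key: show subject and end date.
    cert=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null)
    printf '%s\n' "$cert" | openssl x509 -noout -subject -enddate \
        || { echo "no certificate matching the key" >&2; return 5; }

    # Reject a certificate that expires within the warning window.
    printf '%s\n' "$cert" | openssl x509 -noout -checkend "$warn_secs" >/dev/null \
        || { echo "certificate expires within ${WARN_DAYS:-30} days" >&2; return 6; }

    echo "OK: $p12"
}

# Stand-alone use: P12_PASS='...' sh check_p12.sh keyshield.p12
if [ "$#" -gt 0 ]; then check_p12 "$1"; fi
```

A non-zero return code identifies which check failed: 2 unreadable file, 3 wrong password or corrupt file, 4 missing private key, 5 missing certificate, 6 certificate close to expiry.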