Cool Solutions

Generating a Self-Signed Certificate for HTTPS Keystore and API Keystore in Keyshield SSO Server



March 3, 2015 11:40 am





This article presents simple steps for generating a self-signed certificate on the KeyShield SSO server.

In the KeyShield SSO server configuration page, you have to provide the HTTPS keystore and API keystore files in PKCS #12 format in order to use the HTTPS port for the KeyShield server. The following steps show how to generate a PKCS #12 file on the Linux machine on which the KeyShield SSO server will be installed.

Step 1: Log in as admin to the Linux machine where the KeyShield SSO server is installed, using any SSH client (e.g. MobaXterm, PuTTY, mRemoteNG). Then type the yast2 command in the console window, which opens a GUI window.

(Note: YaST may not be installed on every Linux server; on Filr it is already there, so there is no need to download it.)

Figure-1.0 Entering yast2 GUI


Step 2: On the YaST2 Control Center start screen, select “Security and Users” and then “CA Management” from the available options. Double-click the CA Management option to enter the CA module.



  • Click on Create Root CA and enter
  • Figure-1.2


    Step 3: Enter the basic data for the CA in the dialog, as shown below.



    CA Name
    Enter the technical name of the CA (Certificate Authority). Directory names, among other things, are derived from this name, which is why only the characters listed in the help can be used. The technical name is also displayed in the overview when the module is started.

    Common Name
    Enter the name for use in referring to the CA.

    E-Mail Addresses
    Several e-mail addresses can be entered that can be seen by the CA user. This can be helpful for inquiries.

    Select the country where the CA is operated.

    Organization, Organizational Unit, Locality, State
    These values are optional.

    Then proceed with “Next”.

    Step 4: Enter the required password for the CA. This password is always required when using the CA, creating a sub-CA or generating certificates.



    Key Length
    Key Length contains a meaningful default and does not generally need to be changed unless an application cannot deal with this key length. The higher the number, the more secure the key is.

    Valid Period (days)
    The Valid Period in the case of a CA defaults to 3650 days (roughly ten years). This long period makes sense because the replacement of a deleted CA involves an enormous administrative effort.

    • Clicking Advanced Options opens a dialog for setting different attributes from the X.509 extensions (as shown in figure below). These values have rational default settings and should only be changed if you are really sure of what you are doing. Proceed with Next.


    • Review the summary. YaST2 displays the current settings for confirmation. Click Create. The root CA is created and then appears in the overview.


    Step 5: Click on “Enter CA” on the selected root CA.



    Enter the password if you are entering a CA for the first time. YaST displays the CA key information in the Description tab.



    Click “Advanced” and select “Export to File”. This opens a window listing the available export formats to choose from.

    Select PKCS12 format from the list of options and select a filename for the certificate and then click on OK.



    • Now upload this PKCS12 file in your KeyShield server configuration page: add the file in both the HTTPS keystore and API keystore fields, along with the password, as shown in the figure below.

    Figure-2.0 (Keyshield - General Web Interface or API Configuration)
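
Before uploading the exported file in the final step, it can be checked from the same SSH session. The script below is an added example, not part of the original article or of KeyShield; it assumes the openssl command is available on the server, and its function names, file names and sample password are hypothetical (the sample keystore it builds is constructed test input).

```shell
#!/bin/sh
# Added example: inspect a PKCS #12 file before loading it into KeyShield.
# Function names, file names and the sample password are hypothetical.
# The keystore password is read from $P12_PASS so it never appears in argv.

# p12_report FILE: prints "has_key=.. key_bits=.. ca=.. expired=.."
p12_report() {
    cert=$(openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys 2>/dev/null) || {
        echo "error: cannot open $1 (wrong password or not PKCS #12)" >&2
        return 1
    }
    # The private key is only piped to grep, never written to disk.
    if openssl pkcs12 -in "$1" -passin env:P12_PASS -nocerts -nodes 2>/dev/null |
            grep -q 'PRIVATE KEY'; then has_key=yes; else has_key=no; fi
    text=$(printf '%s\n' "$cert" | openssl x509 -noout -text)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    # CA:TRUE marks a CA certificate, which is what a root CA export contains.
    case $text in *CA:TRUE*) ca=yes ;; *) ca=no ;; esac
    if printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null
    then expired=no; else expired=yes; fi
    echo "has_key=$has_key key_bits=$bits ca=$ca expired=$expired"
}

# make_sample_p12 DIR: constructed test input (self-signed CA cert and key).
make_sample_p12() {
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = Constructed Sample CA
[v3]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$1/ca.cnf" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -out "$1/sample.p12" -passout env:P12_PASS
}

if [ -n "${1:-}" ]; then        # real use: P12_PASS=... sh check_p12.sh FILE
    p12_report "$1"
else                            # no argument: run against the constructed sample
    P12_PASS='constructed-sample-pass'; export P12_PASS
    d=$(mktemp -d) && make_sample_p12 "$d" && p12_report "$d/sample.p12"
    rm -rf "$d"
fi
```

For a file exported as described above, `ca=yes` is expected because the export is of the root CA itself; `has_key=no` means the file holds only a certificate and cannot serve as a keystore.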



    Disclaimer: This content is not supported by Micro Focus. It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test it thoroughly before using it in a production environment.