Comment: updated to Smart ID names

For secure communication between Smart ID Identity Manager (PRIME) service providers and the identity provider, such as the Smart ID Digital Access component (Hybrid Access Gateway), SSL and SAML certificates are needed.

This article describes how to create demo certificates, or extract certificates you got from a trusted PKI, for the following use cases:

SSL server certificates for https communication:

  • For Identity Manager: SSL server certificate in PKCS#12 format.
    Example: prime.local.p12
  • For Digital Access as identity provider: SSL server certificate and private key as PKCS#8 PEM files.
    Example: Certificate: hag.local.pem, Private key: hag.local.key.pem

SAML certificates for signing and encryption:

  • For Identity Manager: SAML certificate in PKCS#12 format.
    Example: prime.saml.p12
  • For Digital Access as identity provider: SAML certificate and private key as PKCS#8 PEM files.
    Example: Certificate: hag.saml.pem, Private key: hag.saml.key.pem

For more information on how to set up SAML, see Enable two-factor authentication to Identity Manager clients via SAML federation.


SSL server certificates

For https communication, SSL server certificates are needed for Identity Manager and for the identity provider. Follow the steps below to create certificates (for demo use cases) or to extract keys and certificates you got from a trusted PKI.

SSL server certificate for identity provider

Create SSL server certificates for identity provider

For demo use cases, it is sufficient to create a self-signed certificate including private keys.

Note: Skip these steps if a real certificate exists.

Example - Create self-signed certificate for Digital Access:

  1. Use the java keytool command to create a self-signed certificate including private keys:

     Example: java keytool command
     keytool -genkey -keyalg RSA -alias selfsigned -keystore hag.local.jks -storepass <password> -validity 1080 -keysize 2048

  2. To use the server certificate with Digital Access, a key and certificate are required. Use the created jks container to transform it to p12:

     Example: Transform to P12
     keytool -importkeystore -srckeystore hag.local.jks -destkeystore hag.local.p12 -deststoretype PKCS12 -srcalias selfsigned -deststorepass <password> -destkeypass <password>


Extract SSL server certificates for identity provider

Some identity providers, such as Digital Access, require the certificate and the key in separate files. Use the following commands to extract them from the .p12 container.

Example - Extract certificate and key for Digital Access:

  1. Use the p12 to extract the certificate:

     Example: Extract certificate
     openssl pkcs12 -in hag.local.p12 -nokeys -out hag.local.pem

  2. Use the p12 to extract the key:

     Example: Extract key
     openssl pkcs12 -in hag.local.p12 -nodes -nocerts -out hag.local.key.pem

     The -nodes option writes the private key unencrypted, so restrict access to the extracted key file.


SSL server certificate for Identity Manager

Create SSL server certificates for Identity Manager

For demo use cases, it is sufficient to create a self-signed certificate including private keys.

Note: Skip these steps if a real certificate exists.

  1. Use the java keytool command to create a java keystore (prime.local.jks) containing a key pair with a corresponding self-signed certificate:

     Example: Create self-signed certificate for Identity Manager
     keytool -genkey -keyalg RSA -alias selfsigned -keystore prime.local.jks -storepass <password> -validity 1080 -keysize 2048

  2. Use the created jks container to transform it to p12:

     Example: Transform to P12
     keytool -importkeystore -srckeystore prime.local.jks -destkeystore prime.local.p12 -deststoretype PKCS12 -srcalias selfsigned -deststorepass <password> -destkeypass <password>

SAML certificates

For SAML, certificates for signing and encryption are needed for each service provider and for the identity provider. Follow the steps below to create certificates (for demo use cases) or to extract keys and certificates you got from a trusted PKI.

SAML certificate for identity provider

Create SAML certificates for identity provider

For SAML, the identity provider needs a certificate for signing and encryption.

For demo use cases, it is sufficient to create a self-signed certificate including private keys.

Note: Skip these steps if a real certificate exists.

Example - Create SAML certificate for Digital Access:

  1. Use the java keytool command to create a self-signed certificate including private keys:

     Example: java keytool command
     keytool -genkey -keyalg RSA -alias selfsigned -keystore hag.saml.jks -storepass <password> -validity 1080 -keysize 2048

  2. To use the SAML certificate with Digital Access, a key and certificate are required. Use the created jks container to transform it to p12:

     Example: Transform to P12
     keytool -importkeystore -srckeystore hag.saml.jks -destkeystore hag.saml.p12 -deststoretype PKCS12 -srcalias selfsigned -deststorepass <password> -destkeypass <password>


Extract SAML certificates for identity provider

Some identity providers, such as Digital Access, require the certificate and the key in separate files. Use the following commands to extract them from the .p12 container.

Example - Extract SAML certificate and key for Digital Access:

  1. Use the p12 to extract the certificate:

     Example: Extract certificate
     openssl pkcs12 -in hag.saml.p12 -nokeys -out hag.saml.pem

  2. Use the p12 to extract the key:

     Example: Extract key
     openssl pkcs12 -in hag.saml.p12 -nodes -nocerts -out hag.saml.key.pem

SAML certificates for service providers

Create SAML certificates for Identity Manager

For SAML, each service provider (for example, PRIME Explorer, Identity Manager and Smart ID Self-Service) needs a certificate for signing and encryption.

For demo use cases, it is sufficient to create self-signed certificates including private keys.

Note: Skip these steps if real certificates exist.

To create a certificate for Identity Manager:

  1. Use the java keytool command to create a key store with a new private key entry:

     Example: java keytool command
     keytool -genkeypair -alias sp -keypass <password> -keystore samlKeystore.jks

     In this example, sp is used as the alias for the keys and certificate of the Identity Manager SAML certificate.

  2. Transform the proprietary jks keystore to a .p12 file:

     Example: Transform to PKCS#12
     keytool -importkeystore -srckeystore samlKeystore.jks -destkeystore samlKeystore.p12 -deststoretype PKCS12 -srcalias sp -deststorepass <password> -destkeypass <password>
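The following script is an added example, not part of the Smart ID documentation: it runs the create, transform-to-PKCS#12 and extract steps described in the sections above end to end and then checks that the extracted key actually belongs to the extracted certificate and that the certificate is still valid. It assumes openssl is on PATH, replaces the keytool self-signed step with the equivalent openssl commands so that it runs without a JDK, and uses a constructed password and scratch directory.

```shell
#!/bin/sh
# Added example, not from the Smart ID documentation: runs the create ->
# PKCS#12 -> extract flow from this page and then checks the result.
# Assumptions: openssl is on PATH; the self-signed step uses openssl instead
# of keytool so it runs without a JDK; password and file names are constructed.
set -eu

# Create a demo key pair and self-signed certificate and pack them into a
# PKCS#12 container with alias "selfsigned", mirroring the keytool steps.
make_demo_p12() {
  p12="$1"; pass="$2"; cn="$3"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1080 -subj "/CN=$cn" \
    -keyout "$p12.key.tmp" -out "$p12.crt.tmp" 2>/dev/null
  openssl pkcs12 -export -inkey "$p12.key.tmp" -in "$p12.crt.tmp" \
    -name selfsigned -out "$p12" -passout "pass:$pass"
  rm -f "$p12.key.tmp" "$p12.crt.tmp"
}

# Extract certificate and key into separate PEM files, as the page does
# for Digital Access (base.pem and base.key.pem).
extract_pem() {
  p12="$1"; pass="$2"; base="$3"
  openssl pkcs12 -in "$p12" -nokeys -out "$base.pem" -passin "pass:$pass"
  openssl pkcs12 -in "$p12" -nodes -nocerts -out "$base.key.pem" -passin "pass:$pass"
  chmod 600 "$base.key.pem"   # -nodes writes the key unencrypted; restrict it
}

# Return 0 only if the key belongs to the certificate (same public key)
# and the certificate has not expired. Catches a mixed-up cert/key pair
# before it is loaded into the identity provider.
verify_pair() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ] || return 1
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Demo run in a scratch directory using the page's hag.saml file names.
work=$(mktemp -d)
make_demo_p12 "$work/hag.saml.p12" "demo-password" hag.saml
extract_pem "$work/hag.saml.p12" "demo-password" "$work/hag.saml"
if verify_pair "$work/hag.saml.pem" "$work/hag.saml.key.pem"; then
  echo "hag.saml.pem and hag.saml.key.pem match and the certificate is valid"
fi
rm -rf "$work"
```

Point verify_pair at the real files you got from your PKI as well; a key that does not match its certificate fails silently in many SAML and TLS stacks until the first signature or handshake.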