...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
For secure communication between Smart ID Identity Manager service providers and the identity provider, such as Smart ID Digital Access component, SSL and SAML certificates are needed.
This article describes how to create demo certificates or extract certificates for the following use cases:
SSL server certificates for https communication:
- For Identity Manager, an SSL server certificate and its private key in PKCS#12 format.
- For Digital Access as identity provider, an SSL server certificate and its private key as PEM files, the key in PKCS#8 format. Example: certificate da.pem, private key da.key.pem
SAML certificates for signing and encryption:
- For Identity Manager, a SAML certificate and its private key in PKCS#12 format. Example: idm.saml.p12
- For Digital Access as identity provider, a SAML certificate and its private key as PEM files, the key in PKCS#8 format. Example: certificate da.saml.pem, private key da.saml.key.pem
For more information on how to set up SAML, see Enable two-factor authentication to Identity Manager clients via SAML federation.
SSL server certificates
For https communication, SSL server certificates are needed for Identity Manager and for the identity provider. Follow the steps below to create demo certificates, or to extract the keys and certificates from a PKCS#12 container that you got from a trusted PKI.
SSL server certificate for identity provider
Create SSL server certificates for identity provider
For demo use cases, it is sufficient to create a self-signed certificate including the private key.
Note: Skip these steps if a real certificate exists.
Example - Create self-signed certificate for Digital Access: Use the java keytool command to create a key pair with a self-signed certificate. HTTPS clients validate the host name against the subjectAltName (SAN) extension rather than the CN alone, so put the host name under which Digital Access is reached into both:
Example: java keytool command
keytool -genkeypair -keyalg RSA -keysize 2048 -alias selfsigned -keystore da.jks -storepass <password> -validity 1080 -dname "CN=<da-hostname>" -ext "SAN=dns:<da-hostname>"
To use the server certificate with Digital Access, the key and the certificate are required as separate files (see the extract steps below). First convert the created jks container to PKCS#12:
Example: Transform to P12
keytool -importkeystore -srckeystore da.jks -srcstorepass <password> -srcalias selfsigned -destkeystore da.p12 -deststoretype PKCS12 -deststorepass <password> -destkeypass <password>
Passwords given on the command line end up in the shell history and in the process list; omit the -storepass, -srcstorepass and -deststorepass options to be prompted for them instead.
Extract SSL server certificates for identity provider
Some identity providers, such as Digital Access, require the certificate and the key in separate files. Use the following commands to extract them from the .p12 container.
Example - Extract certificate for Digital Access: Use the p12 to extract the certificate:
Example: Extract certificate
openssl pkcs12 -in da.p12 -nokeys -out da.pem
Use the p12 to extract the key. With -nodes the key is written unencrypted in PKCS#8 PEM format (a "-----BEGIN PRIVATE KEY-----" block), which is the form Digital Access expects. Make the file readable by its owner only (for example with chmod 600 da.key.pem) and delete any spare copies once it is installed:
Example: Extract key
openssl pkcs12 -in da.p12 -nodes -nocerts -out da.key.pem
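The script below is an added example and not part of the Nexus documentation. It produces the same demo artifacts as the keytool steps above using OpenSSL alone (openssl req -x509 plus openssl pkcs12 -export in place of the JKS detour), runs the two extract commands from this page, and then performs the checks worth doing before the files are handed to Digital Access or Identity Manager: the key is an unencrypted PKCS#8 key, it belongs to the certificate, the host name is in the SAN extension, the certificate is not about to expire, and the key file is not readable by other users. The host name da.example.test, the password changeit and the file base name da are assumed placeholders; OpenSSL 1.1.1 or later is required for -addext and -ext. The same functions serve the SAML case (da.saml.*) with different file names, except that the SAN check only matters for SSL server certificates.

```shell
#!/bin/sh
# Added example (not from the Nexus documentation): build the demo SSL
# artifacts described on this page with OpenSSL only, then verify them.
# DA_HOST, P12_PASS and the file names are assumed placeholders.
set -eu

DA_HOST="da.example.test"   # assumed host name of the Digital Access node
P12_PASS="changeit"         # demo password only; never reuse in production

# make_demo_p12 DIR NAME: self-signed RSA-2048 key pair and certificate with the
# host name in CN and subjectAltName, packaged as DIR/NAME.p12 under the
# friendly name "selfsigned" (the keytool alias used on this page).
make_demo_p12() {
  dir=$1 name=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 1080 \
    -subj "/CN=$DA_HOST" -addext "subjectAltName=DNS:$DA_HOST" \
    -keyout "$dir/$name.tmp.key" -out "$dir/$name.tmp.crt"
  openssl pkcs12 -export -name selfsigned -passout "pass:$P12_PASS" \
    -in "$dir/$name.tmp.crt" -inkey "$dir/$name.tmp.key" -out "$dir/$name.p12"
  rm -f "$dir/$name.tmp.key" "$dir/$name.tmp.crt"
}

# check_p12 FILE: the container opens with the password (MAC verifies) and
# holds exactly one private key, which is what Identity Manager loads directly.
check_p12() {
  n=$(openssl pkcs12 -in "$1" -passin "pass:$P12_PASS" -nocerts -nodes \
        | grep -c -- '-----BEGIN PRIVATE KEY-----')
  [ "$n" -eq 1 ]
}

# extract_pem DIR NAME: the page's two openssl pkcs12 commands, giving
# DIR/NAME.pem and DIR/NAME.key.pem for Digital Access. The key comes out
# unencrypted (-nodes), so it is created owner-readable only from the start.
extract_pem() {
  dir=$1 name=$2
  openssl pkcs12 -in "$dir/$name.p12" -passin "pass:$P12_PASS" \
    -nokeys -out "$dir/$name.pem"
  (umask 077; openssl pkcs12 -in "$dir/$name.p12" -passin "pass:$P12_PASS" \
    -nocerts -nodes -out "$dir/$name.key.pem")
  chmod 600 "$dir/$name.key.pem"
}

# verify_pair DIR NAME HOST: returns 0 only if every pre-installation check passes.
verify_pair() {
  dir=$1 name=$2 host=$3
  cert="$dir/$name.pem" key="$dir/$name.key.pem"
  # 1. unencrypted PKCS#8 ("PRIVATE KEY", not "RSA PRIVATE KEY" or "ENCRYPTED PRIVATE KEY")
  grep -q -- '^-----BEGIN PRIVATE KEY-----$' "$key" \
    || { echo "$key: not an unencrypted PKCS#8 key" >&2; return 1; }
  # 2. the key belongs to the certificate: identical SubjectPublicKeyInfo
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
    || { echo "$key does not match $cert" >&2; return 1; }
  # 3. host name present in subjectAltName (clients do not fall back to CN)
  openssl x509 -in "$cert" -noout -ext subjectAltName | grep -q "DNS:$host" \
    || { echo "$cert: no SAN entry for $host" >&2; return 1; }
  # 4. not expiring within the next 30 days (2592000 s)
  openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null \
    || { echo "$cert expires within 30 days" >&2; return 1; }
  # 5. key file readable and writable by its owner only
  [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] \
    || { echo "$key is group/world accessible" >&2; return 1; }
}

# Stand-alone run: build, extract and verify in a scratch directory.
demo() {
  d=${1:-$(mktemp -d)}
  make_demo_p12 "$d" da
  check_p12 "$d/da.p12"
  extract_pem "$d" da
  verify_pair "$d" da "$DA_HOST" && echo "OK: $d/da.pem and $d/da.key.pem verified"
}
demo "$@"
```

If a PKCS#12 file exported by OpenSSL 3 is rejected by an older Java-based consumer, re-export it with the -legacy option of openssl pkcs12, which selects the older PBE algorithms; otherwise the defaults are preferable.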
SSL server certificate for Identity Manager
Create SSL server certificates for Identity Manager
For demo use cases, it is sufficient to create a self-signed certificate including the private key.
Note: Skip these steps if a real certificate exists.
Use the java keytool command to create a java keystore (idm.jks) containing a key pair with a corresponding self-signed certificate. As for Digital Access, put the host name of the Identity Manager server into the CN and the SAN extension:
Example: Create self-signed certificate for Identity Manager (PRIME)
keytool -genkeypair -keyalg RSA -keysize 2048 -alias selfsigned -keystore idm.jks -storepass <password> -validity 1080 -dname "CN=<idm-hostname>" -ext "SAN=dns:<idm-hostname>"
Identity Manager reads the certificate and key directly from the PKCS#12 container. Use the created jks container to transform to p12:
Example: Transform to P12
keytool -importkeystore -srckeystore idm.jks -srcstorepass <password> -srcalias selfsigned -destkeystore idm.p12 -deststoretype PKCS12 -deststorepass <password> -destkeypass <password>
SAML certificates
For SAML, certificates for signing and encryption are needed for each service provider and for the identity provider. Follow the steps below to create demo certificates, or to extract the keys and certificates from a PKCS#12 container that you got from a trusted PKI. Unlike the SSL server certificates, the SAML certificates are not bound to a host name; only their public parts are exchanged between identity provider and service providers.
SAML certificate for identity provider
Create SAML certificates for identity provider
For SAML, the identity provider needs a certificate for signing and encryption. For demo use cases, it is sufficient to create a self-signed certificate including the private key.
Note: Skip these steps if a real certificate exists.
Example - Create SAML certificate for Digital Access: Use the java keytool command to create a key pair with a self-signed certificate:
Example: java keytool command
keytool -genkeypair -keyalg RSA -keysize 2048 -alias selfsigned -keystore da.saml.jks -storepass <password> -validity 1080
To use the SAML certificate with Digital Access, the key and the certificate are required as separate files (see the extract steps below). First convert the created jks container to PKCS#12:
Example: Transform to P12
keytool -importkeystore -srckeystore da.saml.jks -srcstorepass <password> -srcalias selfsigned -destkeystore da.saml.p12 -deststoretype PKCS12 -deststorepass <password> -destkeypass <password>
Extract SAML certificates for identity provider
Some identity providers, such as Digital Access, require the certificate and the key in separate files. Use the following commands to extract them from the .p12 container.
Example - Extract SAML certificate for Digital Access: Use the p12 to extract the certificate:
Example: Extract certificate
openssl pkcs12 -in da.saml.p12 -nokeys -out da.saml.pem
Use the p12 to extract the key. As with the SSL key, -nodes writes it unencrypted in PKCS#8 PEM format, so restrict the file to its owner (for example with chmod 600 da.saml.key.pem). This key signs the SAML assertions that Identity Manager trusts, so anyone who obtains it can log in as any user:
Example: Extract key
openssl pkcs12 -in da.saml.p12 -nodes -nocerts -out da.saml.key.pem
SAML certificates for service providers
Create SAML certificates for Identity Manager
For SAML, each service provider (for example, Identity Manager and Smart ID Self-Service) needs a certificate for signing and encryption. For demo use cases, it is sufficient to create self-signed certificates including the private keys.
Note: Skip these steps if real certificates exist.
To create a certificate for Identity Manager: Use the java keytool command to create a key store with a new private key entry. State the key algorithm and size explicitly; older keytool versions otherwise default to a 1024-bit DSA key, which is not suitable for SAML signing and encryption:
Example: java keytool command
keytool -genkeypair -alias sp -keyalg RSA -keysize 2048 -validity 1080 -keypass <password> -keystore samlKeystore.jks
In this example, sp is used as the alias for the key and certificate of the Identity Manager SAML certificate. Transform the proprietary jks keystore to a .p12 file (this is the file called idm.saml.p12 in the overview above):
Example: Transform to PKCS#12
keytool -importkeystore -srckeystore samlKeystore.jks -srcstorepass <password> -srcalias sp -destkeystore samlKeystore.p12 -deststoretype PKCS12 -deststorepass <password> -destkeypass <password>
...
Related information
...