Generating Public Certificates and Private Keys

Prerequisites:

  • A public certificate and private key pair are required to successfully connect applications with JumpCloud. After you activate an application, we automatically generate a public certificate and private key pair for you. You can use this pair or upload your own by following the processes in this KB.

Generate a Public Certificate/Private Key Pair Using OpenSSL

JumpCloud SSO SAML connectors support SHA1 and SHA256 certificates. We recommend using SHA256 for security purposes if the Service Provider supports it. To create a public certificate and private key pair, use the following commands. They work in Linux® and Mac® terminals.

openssl genrsa -out private.pem 2048
openssl req -new -x509 -sha256 -key private.pem -out cert.pem -days 1095

  An example of the expected output:

# openssl genrsa -out private.pem 2048
Generating RSA private key, 2048 bit long modulus
..................+++
.+++
e is 65537 (0x10001)
# openssl req -new -x509 -sha256 -key private.pem -out cert.pem -days 1095
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

To Determine the SHA256 Fingerprint for the Public Certificate

openssl x509 -sha256 -in cert.pem -noout -fingerprint

To Determine the SHA1 Fingerprint for the Public Certificate

openssl x509 -sha1 -in cert.pem -noout -fingerprint
SHA1 Fingerprint=1A:29:04:1E:75:C2:5B:DF:FA:6D:CE:4F:6A:6E:66:C9:9E:0D:2E:76 
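As an added example that is not part of the original KB, the following shell script runs the two commands above non-interactively and then performs the checks worth doing before uploading the pair: that the private key matches the certificate, that SHA256 was used to sign it, and that it remains valid long enough. The working directory, file names and subject DN are constructed assumptions.

```shell
#!/bin/sh
# Added example, not JumpCloud's own script. Generates the SAML signing pair
# non-interactively and runs the checks worth doing before uploading it.
# Working directory, filenames and the subject DN are constructed assumptions.
WORK="${WORK:-$(mktemp -d)}"
KEY="$WORK/private.pem"
CERT="$WORK/cert.pem"
DAYS=1095
SUBJ="/C=US/O=Example Org/CN=jumpcloud-saml-signing"   # constructed subject

# Same two commands as the KB; -subj answers the Distinguished Name prompts.
generate_pair() {
  openssl genrsa -out "$KEY" 2048 2>/dev/null
  openssl req -new -x509 -sha256 -key "$KEY" -out "$CERT" -days "$DAYS" -subj "$SUBJ"
  chmod 600 "$KEY"   # the private key is the secret; restrict it on disk
}

# Fingerprint value only (the part a Service Provider asks you to confirm).
fingerprint_sha256() {
  openssl x509 -sha256 -in "$CERT" -noout -fingerprint | sed 's/^.*=//'
}

# The private key must match the uploaded certificate: compare public keys.
# A mismatch is the usual cause of SAML assertions failing signature checks.
key_matches_cert() {
  k=$(openssl pkey -in "$KEY" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$CERT" -noout -pubkey | openssl sha256)
  [ "$k" = "$c" ]
}

# Succeeds only if the certificate stays valid for at least $1 more days;
# the KB warns that a new pair must be in place before expiry.
valid_for_days() {
  openssl x509 -in "$CERT" -noout -checkend $(( $1 * 86400 )) >/dev/null
}

# Confirms SHA256 rather than SHA1 was used to sign the certificate.
signature_algorithm() {
  openssl x509 -in "$CERT" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

generate_pair
echo "SHA256 fingerprint: $(fingerprint_sha256)"
key_matches_cert && echo "private key matches certificate"
valid_for_days 30 && echo "certificate valid for at least 30 more days"
echo "signature algorithm: $(signature_algorithm)"
```

Run it on any Linux or Mac terminal with OpenSSL installed; the same checks apply unchanged to a pair produced by the Windows procedure below.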

Generate a TLS/SSL Certificate Using a Windows®-based OpenSSL Binary

Prerequisites:

  • The following process works with Windows version 7 and later.

Notes:

  • A TLS/SSL certificate is required to configure SSO for the Office 365™ SAML application.
  • The commands included in this KB create a certificate that expires in 1095 days. A new pair needs to be generated prior to expiration to prevent loss of access to the Service Provider application.

To Generate a TLS/SSL Certificate:

  1. Go to https://indy.fulgan.com/SSL/. See Binaries for more.
  2. Extract the binary zip file to a convenient folder. 
  3. Download the openssl.cnf template file here.  
  4. Place the openssl.cnf file in the same folder as the extracted binary file.
  5. Right-click the OpenSSL application in the folder, and run as Administrator. Windows Defender may ask you to confirm that you would like to run this application. If this happens, click More Info and Run Anyway.  A Windows command window with the OpenSSL> command prompt appears.
  6. From the OpenSSL> command prompt, run the following commands to generate a new private key and public certificate.
OpenSSL> genrsa -out myprivatekey.pem 2048

OpenSSL> req -new -x509 -key myprivatekey.pem -out mypublic_cert.pem -days 3650 -config .\openssl.cnf

A form similar to the following text appears near the end of the process. Fill it out to finish generating your TLS/SSL certificate: 

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Organization Name (company) [My Company]:
Organizational Unit Name (department, division) []:
Email Address []:
Locality Name (city, district) [My Town]:
State or Province Name (full name) [State or Providence]:
Country Name (2 letter code) [US]:
Common Name (hostname, IP, or your name) []:

Last Updated: Aug 19, 2019 02:23PM MDT
