- A public certificate and private key pair is required to successfully connect applications with JumpCloud. After you activate an application, we automatically generate a public certificate and private key pair for you. You can use this pair or upload your own by following the processes in this KB.
This KB includes:
- Generate a Public Certificate/Private Key Pair Using OpenSSL
- Generate a TLS/SSL Certificate Using a Windows® -based OpenSSL Binary
JumpCloud SSO SAML connectors support SHA1 and SHA256 certificates. We recommend using SHA256 for security purposes if the Service Provider supports it. To create a public certificate and private key pair, use the following commands. They work in Linux® and Mac® terminals.
openssl genrsa -out private.pem 2048
openssl req -new -x509 -sha256 -key private.pem -out cert.pem -days 1095
An example of the expected output:
# openssl genrsa -out private.pem 2048
Generating RSA private key, 2048 bit long modulus
..................+++
.+++
e is 65537 (0x10001)
# openssl req -new -x509 -sha256 -key private.pem -out cert.pem -days 1095
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) :
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) :
Common Name (e.g. server FQDN or YOUR name) :
Email Address :
To Determine the SHA256 Fingerprint for the Public Certificate
openssl x509 -sha256 -in cert.pem -noout -fingerprint
To Determine the SHA1 Fingerprint for the Public Certificate
openssl x509 -sha1 -in cert.pem -noout -fingerprint
SHA1 Fingerprint=1A:29:04:1E:75:C2:5B:DF:FA:6D:CE:4F:6A:6E:66:C9:9E:0D:2E:76
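The following script is an added example and is not part of the JumpCloud KB: it runs the same two OpenSSL commands non-interactively (the `-subj` value is a placeholder DN you would replace with your own), prints the SHA256 fingerprint, and then performs the checks worth doing before uploading a pair to a Service Provider: that the certificate is really signed with SHA256 rather than SHA1, that the private key matches the certificate, and that the certificate is not about to expire. The working directory and file names are assumptions.

```shell
#!/bin/sh
# Generate a self-signed certificate/private key pair for a SAML connector
# and verify it before upload. Assumes the openssl CLI is on PATH.
set -eu

WORK=${WORK:-$(mktemp -d)}      # assumed scratch directory
KEY="$WORK/private.pem"
CERT="$WORK/cert.pem"

# Non-interactive form of the KB's two commands; -subj answers the DN prompts.
# The DN below is a placeholder, not a real organisation.
gen_pair() {
  openssl genrsa -out "$KEY" 2048 2>/dev/null
  openssl req -new -x509 -sha256 -key "$KEY" -out "$CERT" -days 1095 \
    -subj "/C=US/O=Example Org/CN=sso.example.com"
}

# Print only the colon-separated SHA256 fingerprint (the part after '=').
sha256_fp() {
  openssl x509 -sha256 -in "$CERT" -noout -fingerprint | sed 's/^.*=//'
}

# Succeeds only if the certificate signature uses SHA256 (the KB's recommendation).
check_sig_alg() {
  openssl x509 -in "$CERT" -noout -text \
    | grep -q 'Signature Algorithm: sha256WithRSAEncryption'
}

# Succeeds only if the private key's public half equals the certificate's
# public key; uploading a mismatched pair is a common cause of SSO failures.
check_key_match() {
  k=$(openssl pkey -in "$KEY" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$CERT" -noout -pubkey | openssl sha256)
  [ "$k" = "$c" ]
}

# Succeeds only if the certificate is still valid $1 seconds from now
# (default 30 days); fails early enough to rotate before access is lost.
check_not_expiring() {
  openssl x509 -in "$CERT" -noout -checkend "${1:-2592000}" >/dev/null
}

if [ "${1:-}" = "run" ]; then
  gen_pair
  printf 'SHA256 fingerprint: %s\n' "$(sha256_fp)"
  check_sig_alg && check_key_match && check_not_expiring && echo "pair OK"
fi
```

Run it as `sh verify_pair.sh run`; the functions can also be sourced into a rotation script so the expiry check runs on a schedule.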
- The following process works with Windows version 7 and later.
- A TLS/SSL certificate is required to configure SSO for the Office 365™ SAML application.
- The commands included in this KB create a certificate that expires in 1095 days. A new pair needs to be generated prior to expiration to prevent loss of access to the Service Provider application.
To Generate a TLS/SSL Certificate:
- Go to https://indy.fulgan.com/SSL/. See Binaries for more.
- Extract the binary zip file to a convenient folder.
- Download the openssl.cnf template file here.
- Place the openssl.cnf file in the same folder as the extracted binary file.
- Right-click the OpenSSL application in the folder, and run as Administrator. Windows Defender may ask you to confirm that you would like to run this application. If this happens, click More Info and Run Anyway. A Windows command window with the OpenSSL> command prompt appears.
- From the OpenSSL> command prompt, run the following commands to generate a new private key and public certificate.
OpenSSL> genrsa -out myprivatekey.pem 2048
OpenSSL> req -new -x509 -key myprivatekey.pem -out mypublic_cert.pem -days 3650 -config .\openssl.cnf
A form similar to the following text appears near the end of the process. Fill it out to finish generating your TLS/SSL certificate:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Organization Name (company) [My Company]:
Organizational Unit Name (department, division) :
Email Address :
Locality Name (city, district) [My Town]:
State or Province Name (full name) [State or Providence]:
Country Name (2 letter code) [US]:
Common Name (hostname, IP, or your name) :