How to create an Embedded Certificate with OpenSSL

This guide explains how to generate an X.509 certificate that meets the certificate requirements of the SWITCHaai federation for certificates embedded in SAML metadata.

The instructions below use sp.example.org as the hostname part of the Service Provider's entityID, sp-key.pem as the key file name and sp-cert.pem as the certificate file name; substitute your own values throughout.
On a host where OpenSSL is installed, perform the following steps:

  1. Create an OpenSSL configuration file sp-cert.cnf with the following content:
    [req]
    RANDFILE=/dev/urandom
    default_bits=3072
    default_md=sha256
    encrypt_key=no
    distinguished_name=dn
    # PrintableStrings only
    string_mask=MASK:0002
    prompt=no
    x509_extensions=ext
    
    # customize the "default_keyfile", "CN" and "subjectAltName" lines below
    default_keyfile=sp-key.pem
    
    [dn]
    CN=sp.example.org
    
    [ext]
    subjectAltName = DNS:sp.example.org
    subjectKeyIdentifier=hash
    
  2. Run the following command to create a new key pair with a self-signed certificate valid for about 10 years (3700 days). Because no -key option is given, a new 3072-bit RSA key is generated and written unencrypted (encrypt_key=no) to the file named by default_keyfile:
    $ openssl req -new -x509 -config sp-cert.cnf -out sp-cert.pem -days 3700
    You may reuse an existing key pair and only generate a new self-signed certificate with this command:
    $ openssl req -new -x509 -config sp-cert.cnf -key sp-key.pem -out sp-cert.pem -days 3700
  3. Configure your SAML Service Provider to use this key pair (sp-key.pem and sp-cert.pem) to decrypt SAML assertions and sign SAML requests. Since the private key is stored unencrypted, make sp-key.pem readable only by the SP process (for example with chmod 600).
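The three steps above, plus the checks a practitioner would run before handing the certificate to the federation, as one script. This is an added example and not part of the SWITCHaai page: the function names gen_sp_cert, check_sp_cert and cert_for_metadata are this script's own, it assumes openssl (1.1.1 or 3.x) is in PATH, and the 2048-bit minimum it enforces is the script's own threshold (the configuration itself produces 3072-bit keys). RANDFILE is left out because current OpenSSL seeds itself from the operating system.

```shell
#!/bin/sh
# Added example (not part of the SWITCHaai page): generate the embedded SP
# certificate from the configuration above, then verify it before it goes
# into SAML metadata. Assumes `openssl` (1.1.1 or 3.x) is in PATH.
set -eu

# gen_sp_cert FQDN DIR
# Writes DIR/sp-cert.cnf, DIR/sp-key.pem (unencrypted, mode 0600) and
# DIR/sp-cert.pem, a self-signed certificate valid for 3700 days.
gen_sp_cert() {
    fqdn=$1
    dir=$2
    mkdir -p "$dir"
    cat > "$dir/sp-cert.cnf" <<EOF
[req]
default_bits=3072
default_md=sha256
encrypt_key=no
distinguished_name=dn
# PrintableStrings only (MASK:0002 = B_ASN1_PRINTABLESTRING)
string_mask=MASK:0002
prompt=no
x509_extensions=ext
default_keyfile=$dir/sp-key.pem

[dn]
CN=$fqdn

[ext]
subjectAltName=DNS:$fqdn
subjectKeyIdentifier=hash
EOF
    # No -key given, so req generates a fresh key into default_keyfile.
    openssl req -new -x509 -config "$dir/sp-cert.cnf" \
        -out "$dir/sp-cert.pem" -days 3700
    chmod 600 "$dir/sp-key.pem"
}

# check_sp_cert CERT KEY FQDN
# Returns 0 only if every check passes; prints one FAIL line per problem.
check_sp_cert() {
    cert=$1
    key=$2
    fqdn=$3
    status=0
    text=$(openssl x509 -in "$cert" -noout -text -nameopt show_type,sep_comma_plus_space)

    # The private key must belong to the certificate: compare public keys.
    if [ "$(openssl x509 -in "$cert" -noout -pubkey)" != \
         "$(openssl pkey -in "$key" -pubout)" ]; then
        echo "FAIL: $key does not match $cert"; status=1
    fi
    # RSA modulus of at least 2048 bits (script's own threshold; config gives 3072).
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || { echo "FAIL: key is only ${bits:-?} bits"; status=1; }
    # SHA-256 signature, not SHA-1 or MD5.
    printf '%s\n' "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' \
        || { echo "FAIL: signature algorithm is not sha256WithRSAEncryption"; status=1; }
    # Subject CN encoded as PrintableString, and the SAN carries the FQDN.
    printf '%s\n' "$text" | grep -q "CN=PRINTABLESTRING:$fqdn" \
        || { echo "FAIL: subject CN is not PRINTABLESTRING:$fqdn"; status=1; }
    printf '%s\n' "$text" | grep -q "DNS:$fqdn" \
        || { echo "FAIL: subjectAltName lacks DNS:$fqdn"; status=1; }
    # Self-signed (issuer equals subject) and not expired.
    [ "$(openssl x509 -in "$cert" -noout -issuer)" = \
      "$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject=/issuer=/')" ] \
        || { echo "FAIL: certificate is not self-signed"; status=1; }
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
        || { echo "FAIL: certificate has expired"; status=1; }
    return $status
}

# cert_for_metadata CERT
# Prints the certificate as a single base64 line (DER, no PEM armour), the
# form that goes inside <ds:X509Certificate> in SAML metadata.
cert_for_metadata() {
    openssl x509 -in "$1" -outform DER | openssl base64 -A
    echo
}

# Usage: sh sp-cert.sh sp.example.org [outdir]
if [ "$#" -ge 1 ]; then
    outdir=${2:-.}
    gen_sp_cert "$1" "$outdir"
    check_sp_cert "$outdir/sp-cert.pem" "$outdir/sp-key.pem" "$1" || exit 1
    openssl x509 -noout -fingerprint -sha256 -in "$outdir/sp-cert.pem"
    cert_for_metadata "$outdir/sp-cert.pem"
fi
```

Run it as `sh sp-cert.sh sp.example.org /etc/shibboleth` (path is an assumption); a non-zero exit with FAIL lines means the certificate should not be submitted. The public-key comparison is the check that catches the most common mistake in practice, a certificate regenerated without the `-key` option while the SP still loads the old sp-key.pem.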

Certificate

The generated certificate should look like below if dumped with the command:

$ openssl x509 -in sp-cert.pem -nameopt show_type,sep_comma_plus_space -text

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            99:49:f1:2e:3b:75:85:51
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=PRINTABLESTRING:sp.example.org
        Validity
            Not Before: Mar 30 08:05:33 2021 GMT
            Not After : May 17 08:05:33 2031 GMT
        Subject: CN=PRINTABLESTRING:sp.example.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (3072 bit)
                Modulus:
                    00:96:b7:88:d3:52:8c:25:41:79:5c:60:98:05:98:
                    81:13:38:74:f8:df:46:04:e9:ca:e0:15:99:c5:80:
                    8b:76:e9:e2:d8:e7:05:a7:5d:3a:e7:6a:27:2c:23:
                    37:3c:a9:a5:27:36:27:13:f1:1d:e0:d5:6a:c0:1b:
                    83:9d:11:19:77:03:e2:87:b4:41:4b:93:a0:b4:36:
                    0b:1f:79:64:f4:74:17:b9:8a:e3:ef:c4:b9:77:2d:
                    2f:a9:43:e3:79:d9:d1:cd:b8:37:9f:dd:cf:a4:50:
                    55:90:e6:f3:42:7c:b1:51:df:ce:e3:00:7f:d9:c9:
                    ba:19:43:b0:8b:84:b1:d7:38:a3:d8:3a:32:f5:8b:
                    cc:56:01:59:2e:c4:1d:5c:2e:b2:d7:08:9d:27:a8:
                    73:64:69:bb:88:21:d0:d5:3f:3e:fe:71:14:ee:e5:
                    df:13:a0:c2:f6:d2:34:46:25:55:d4:ff:d9:5a:32:
                    2c:8d:30:76:5e:b4:d4:e4:3c:0d:6b:2b:3a:c5:1c:
                    73:f0:a9:2d:ef:1e:17:11:69:74:ef:04:ee:c5:3c:
                    79:c6:c3:f3:74:47:fb:c6:a4:b2:fd:ae:5b:36:8f:
                    12:54:05:3d:13:e9:ed:74:d7:4e:c0:ab:82:20:0e:
                    55:ba:55:4c:32:e1:c3:6a:73:80:44:5c:df:cf:b9:
                    e7:fd:17:99:65:14:80:81:0c:8b:44:81:56:91:34:
                    4e:66:a4:e8:da:72:27:a7:9e:22:0c:24:e4:84:4c:
                    3c:10:20:6c:dc:1c:b8:32:c3:3a:9a:58:33:dc:4a:
                    ae:be:25:4f:6b:5b:39:0b:9d:70:96:b7:35:a5:fd:
                    27:1c:2e:4b:93:14:1a:96:12:3b:89:9d:c6:63:b1:
                    d3:54:cd:4d:16:f2:3e:45:e4:4b:1a:46:ea:dd:07:
                    d1:87:51:b6:40:c8:44:73:d1:ca:91:29:8d:54:3a:
                    62:a3:6a:72:18:aa:ba:f5:61:85:3b:b8:51:9e:5e:
                    fd:34:e1:a7:b3:97:98:9f:42:bf
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:sp.example.org
            X509v3 Subject Key Identifier: 
                92:00:04:2B:63:03:B4:AE:E5:32:5D:8C:0D:D9:21:18:73:2C:DD:C7
    Signature Algorithm: sha256WithRSAEncryption
         70:bf:89:7e:cf:f3:a3:45:39:1a:95:92:00:0d:7a:23:6f:96:
         94:7d:e2:09:f4:ec:5b:af:23:6b:fc:e5:91:b4:f1:f4:02:b0:
         9c:48:0f:51:50:09:f3:41:c3:49:31:59:3d:17:f7:26:9b:b0:
         ee:e4:df:d5:d4:94:ae:3b:bd:5e:47:84:a9:b2:dd:1b:59:ab:
         79:59:af:8f:80:98:aa:c4:66:7d:5f:02:e3:ab:59:c7:91:aa:
         57:64:8c:1f:f1:dd:e5:59:3a:97:75:0b:b3:dd:b9:13:80:6d:
         15:48:ce:3d:a0:a6:64:18:cb:0d:7b:a7:5d:1a:83:cb:db:cf:
         4e:6c:39:5d:27:5d:17:0e:1f:e7:a1:46:13:a4:d7:88:48:79:
         85:65:79:af:7e:55:a4:11:8d:8d:25:df:e9:a7:34:d0:de:b3:
         5e:eb:3c:a5:ca:00:31:6e:97:4a:a3:ef:8e:29:39:ad:aa:f8:
         30:80:ed:09:bf:65:c9:80:4f:c1:10:1a:4f:b8:07:a0:83:1e:
         db:b6:c8:ea:14:9a:fd:d4:15:2c:8a:7a:47:fd:20:1a:97:ce:
         3e:d5:19:13:b4:47:55:fd:98:49:d4:a3:a8:5a:aa:e4:c6:c7:
         9b:7c:b0:19:1f:d1:ad:b2:24:25:85:46:d3:de:19:f0:6e:03:
         52:23:3d:11:c0:11:99:aa:d5:af:ad:83:66:2e:9b:e5:98:32:
         d7:48:c8:db:be:f4:87:b8:f4:4c:fa:36:da:05:dc:c6:6c:85:
         5b:43:b2:44:54:0e:74:dd:b2:04:a7:3e:58:66:74:d4:49:a4:
         5a:bb:1f:9f:50:9a:86:2b:29:7e:4a:69:31:b6:7a:0a:cf:91:
         08:62:ce:e2:34:ab:d2:36:85:c7:ae:42:ab:25:5c:8e:51:48:
         5a:a1:1c:92:90:71:71:60:b1:c7:f4:76:0a:99:cb:9b:45:4f:
         ed:94:31:25:8a:79:30:3e:81:f4:44:03:bb:bb:c8:74:a4:b7:
         2a:81:48:10:89:98
-----BEGIN CERTIFICATE-----
MIID9zCCAl+gAwIBAgIJAJlJ8S47dYVRMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV
BAMTEHRlc3QuZXhhbXBsZS5vcmcwHhcNMjEwMzMwMDgwNTMzWhcNMzEwNTE3MDgw
NTMzWjAbMRkwFwYDVQQDExB0ZXN0LmV4YW1wbGUub3JnMIIBojANBgkqhkiG9w0B
AQEFAAOCAY8AMIIBigKCAYEAlreI01KMJUF5XGCYBZiBEzh0+N9GBOnK4BWZxYCL
duni2OcFp10652onLCM3PKmlJzYnE/Ed4NVqwBuDnREZdwPih7RBS5OgtDYLH3lk
9HQXuYrj78S5dy0vqUPjednRzbg3n93PpFBVkObzQnyxUd/O4wB/2cm6GUOwi4Sx
1zij2Doy9YvMVgFZLsQdXC6y1widJ6hzZGm7iCHQ1T8+/nEU7uXfE6DC9tI0RiVV
1P/ZWjIsjTB2XrTU5DwNays6xRxz8Kkt7x4XEWl07wTuxTx5xsPzdEf7xqSy/a5b
No8SVAU9E+ntdNdOwKuCIA5VulVMMuHDanOARFzfz7nn/ReZZRSAgQyLRIFWkTRO
ZqTo2nInp54iDCTkhEw8ECBs3By4MsM6mlgz3EquviVPa1s5C51wlrc1pf0nHC5L
kxQalhI7iZ3GY7HTVM1NFvI+ReRLGkbq3QfRh1G2QMhEc9HKkSmNVDpio2pyGKq6
9WGFO7hRnl79NOGns5eYn0K/AgMBAAGjPjA8MBsGA1UdEQQUMBKCEHRlc3QuZXhh
bXBsZS5vcmcwHQYDVR0OBBYEFJIABCtjA7Su5TJdjA3ZIRhzLN3HMA0GCSqGSIb3
DQEBCwUAA4IBgQBwv4l+z/OjRTkalZIADXojb5aUfeIJ9OxbryNr/OWRtPH0ArCc
SA9RUAnzQcNJMVk9F/cmm7Du5N/V1JSuO71eR4Spst0bWat5Wa+PgJiqxGZ9XwLj
q1nHkapXZIwf8d3lWTqXdQuz3bkTgG0VSM49oKZkGMsNe6ddGoPL289ObDldJ10X
Dh/noUYTpNeISHmFZXmvflWkEY2NJd/ppzTQ3rNe6zylygAxbpdKo++OKTmtqvgw
gO0Jv2XJgE/BEBpPuAeggx7btsjqFJr91BUsinpH/SAal84+1RkTtEdV/ZhJ1KOo
WqrkxsebfLAZH9GtsiQlhUbT3hnwbgNSIz0RwBGZqtWvrYNmLpvlmDLXSMjbvvSH
uPRM+jbaBdzGbIVbQ7JEVA503bIEpz5YZnTUSaRaux+fUJqGKyl+SmkxtnoKz5EI
Ys7iNKvSNoXHrkKrJVyOUUhaoRySkHFxYLHH9HYKmcubRU/tlDElinkwPoH0RAO7
u8h0pLcqgUgQiZg=
-----END CERTIFICATE-----

Display the SHA1 fingerprint of a certificate with this command (use -sha256 instead of -sha1 for a SHA-256 fingerprint):

$ openssl x509 -noout -fingerprint -sha1 -in sp-cert.pem

SHA1 Fingerprint=08:31:F3:5C:5A:44:95:09:BB:55:20:2D:B2:0D:B1:C4:9E:D8:4D:50