Generating a Self-Signed Certificate for HTTPS Keystore and API Keystore in Keyshield SSO Server

Generating a Self-Signed Certificate for HTTPS Keystore and API Keystore in Keyshield SSO Server

This article presents simple steps how to generate a self-signed certificate from Keyshield SSO server.

In the KeyShield SSO server configuration page you have to provide the HTTPS keystore and API keystore file in PKCS #12 format in order to use the Https port for the keyshield Server. The following steps will tell you how to generate a PKCS #12 file from your Linux machine on which KeyShield SSO server will be installed.

Step 1: Login to your Linux as admin where KeyShield SSO Server is installed, using any SSH Client. Ex: MobaXterm, Putty, mRemoteNG etc. Then type yast2 command in the console window which will open a GUI window.

(Note: If Yast is not installed on the Linux server will already be there in Filr no need to download.)

Figure-1.0 Entering yast2 GUI Figure-1.0 Entering yast2 GUI

Step 2: Once you enter the starter yast2 control center screen select the "Security and Users" and "CAManagement" from various options available. Double click on the CAManagement option to enter the CA.

Figure-1.1 Figure-1.1

  • Click on Create Root CA and enter

  • Figure-1.2 Figure-1.2

    Step 3: Enter the basic data for the CA in the dialog, as shown below.

    Figure-1.3 Figure-1.3

    CA Name
    Enter the technical name of the CA (Certificate Authority). Directory names, among other things, are derived from this name, which is why only the characters listed in the help can be used. The technical name is also displayed in the overview when the module is started.

    Common Name
    Enter the name for use in referring to the CA.

    E-Mail Addresses
    Several e-mail addresses can be entered that can be seen by the CA user. This can be helpful for inquiries.

    Select the country where the CA is operated.

    Organization, Organizational Unit, Locality, State
    These are the Optional values.

    Then proceed with "Next".

    Step 4: Enter the required Password for CA. This password is always required when using the CA, when creating a sub-CA or generating certificates.

    Figure-1.4 Figure-1.4

    Key Length
    Key Length contains a meaningful default and does not generally need to be changed unless an application cannot deal with this key length. The higher the number the more secure your password is.

    Valid Period (days)
    The Valid Period in the case of a CA defaults to 3650 days (roughly ten years). This long period makes sense because the replacement of a deleted CA involves an enormous administrative effort.

    • Clicking Advanced Options opens a dialog for setting different attributes from the X.509 extensions (as shown in figure below). These values have rational default settings and should only be changed if you are really sure of what you are doing. Proceed with Next.

    Figure-1.5 Figure-1.5

    • Review the summary. YaST2 displays the current settings for confirmation. Click Create. The root CA is created then appears in the overview

    Figure-1.6 Figure-1.6

    Step 5: Click on "Enter CA" on the selected root CA.

    Figure-1.7 Figure-1.7

    Enter the password if you are entering a CA for the first time. YaST displays the CA key information in the tab Description

    Figure-1.8 Figure-1.8

    Click "Advanced" and select "Export to File" this opens a window listing the available export formats to choose from.

    Select PKCS12 format from the list of options and select a filename for the certificate and then click on OK.

    Figure-1.9 Figure-1.9

    • Now export this PKCS12 format file to your KeyShield Server configuration page and add the file in the HTTPS keystore and also API keystore fields along with the password.

      As shown in pic below.

    Figure-2.0 (Keyshield - General Web Interface or API Configuration) Figure-2.0 (Keyshield - General Web Interface or API Configuration)



    Some content on Community Tips & Information pages is not officially supported by Micro Focus. Please refer to our Terms of Use for more detail.
    Top Contributors
    Version history
    Revision #:
    1 of 1
    Last update:
    ‎2015-03-03 19:40
    Updated by:
    The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.