
I am creating an SSO "proof of concept" using SAML2 and ADFS2 (IdP). Login is working fine; however, ADFS2 is requiring that my Logout request be signed (with a private key), and then I would imagine that I would then add that very same certificate (.cer file) under the Signature tab within my Relying Party Trusts in ADFS2. The only problem is that I don't have a certificate for my app (service provider). I understand that I can create a self-signed cert for this purpose, but I can't seem to figure out how to create one with everything I need.

Brian David Berman

2 Answers


In order to generate a self-signed cert you need the openssl library, so:

Debian: apt-get install openssl

Centos/RedHat: yum install openssl

Then follow these 3 steps:

  • Generate private key:

    openssl genrsa -out server.pem 2048

  • Generate CSR: (In the "Common Name" set the domain of your service provider app)

    openssl req -new -key server.pem -out server.csr

  • Generate Self Signed Cert

    openssl x509 -req -days 365 -in server.csr -signkey server.pem -out server.crt

At the end of the process you will get server.csr (certificate signing request), server.pem (private key) and server.crt (self-signed cert).

In Windows you can use makecert.exe.

Anthony
smartin
  • It seems that ADFS is requiring a .cer, .sst or .p7b file. Are either of those possible with your solution? – Brian David Berman Jan 22 '13 at 17:56
  • You can use an x509 cert for "Token-signing certificate" in ADFS 2.0: http://technet.microsoft.com/en-us/library/dd807040%28v=WS.10%29.aspx The .p7b is a cert file of the type application/x-pkcs7-certificates. To convert from the actual format (PEM or DER) to the pkcs7 format, you can execute: openssl crl2pkcs7 -nocrl -certfile server.crt -out server.p7b. The .sst files are in format application/vnd.ms-pki.certstore; don't know how to convert it with openssl. – smartin Jan 22 '13 at 18:52
  • .crt and .pem are extensions that I used. You can rename them: server.pem to server-private-key.cer, server.crt to server-self-signed-cert.cer – smartin Jan 22 '13 at 19:00
  • You can also use this online tool: https://www.samltool.com/self_signed_certs.php – smartin Mar 26 '15 at 17:47
  • You can use `openssl req -new -x509 -key privateKey.pem -out cert.cer -days 365` to create a .cer format file from the private key. – tony.0919 Jun 01 '15 at 08:47
  • It is also important when generating the private key to do it with a robust algorithm, for example using the -sha512 option. – smartin May 21 '18 at 10:50
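The following script is an added example and not part of the answer or comments above. It collapses the three openssl steps into one command, converts the result into the DER .cer and PKCS#7 .p7b formats the comments mention for ADFS, checks that the certificate really belongs to the private key, and runs the RSA-SHA256 sign/verify round trip that a signed LogoutRequest relies on (the SP signs with the private key, ADFS verifies with the uploaded certificate). The CN `sp.example.com`, the file names and the `SP_CERT_DIR` variable are placeholders chosen for the example; it assumes openssl 1.1 or later on PATH.

```shell
#!/bin/sh
# Added example, not part of the original answer: the three openssl steps above
# collapsed into one command, plus conversion into the .cer and .p7b formats ADFS
# accepts and a sign/verify round trip with the resulting key pair.
# Assumptions: openssl 1.1 or later on PATH; "sp.example.com" is a placeholder CN.
set -eu

# make_sp_cert DIR CN: write DIR/sp.key (RSA-2048 private key), DIR/sp.crt (PEM
# certificate), DIR/sp.cer (same certificate, DER) and DIR/sp.p7b (PKCS#7 bundle).
make_sp_cert() {
    dir=$1; cn=$2
    mkdir -p "$dir"
    # -x509 with -newkey generates the key and the self-signed cert in one go;
    # -sha256 pins the signature digest (OpenSSL 1.0.x defaulted to SHA-1);
    # -nodes leaves the key unencrypted so the SP can load it unattended, so the
    # file permissions are the only thing protecting it.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$cn" -keyout "$dir/sp.key" -out "$dir/sp.crt" 2>/dev/null
    chmod 600 "$dir/sp.key"
    # DER-encoded .cer is what the ADFS certificate browse dialog expects.
    openssl x509 -in "$dir/sp.crt" -outform DER -out "$dir/sp.cer"
    # PKCS#7 certificate bundle (.p7b), the other import format ADFS lists.
    openssl crl2pkcs7 -nocrl -certfile "$dir/sp.crt" -out "$dir/sp.p7b"
}

# cert_subject DIR: subject of the DER .cer, to confirm the conversion kept the CN.
cert_subject() {
    openssl x509 -in "$1/sp.cer" -inform DER -noout -subject
}

# sig_algorithm DIR: signature algorithm recorded in the certificate, e.g.
# sha256WithRSAEncryption. A SAML deployment should not be on SHA-1.
sig_algorithm() {
    openssl x509 -in "$1/sp.crt" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# cert_matches_key DIR: true when the public key inside sp.crt is the public half
# of sp.key. A mismatch is the classic cause of a signature verification failure
# on the ADFS side after someone regenerates one file but not the other.
cert_matches_key() {
    a=$(openssl x509 -in "$1/sp.crt" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$1/sp.key" -pubout | openssl sha256)
    [ "$a" = "$b" ]
}

# sign_file DIR FILE SIG: RSA-SHA256 signature over FILE with the SP private key.
# This is the primitive the SP applies to the (canonicalised) LogoutRequest XML.
sign_file() {
    openssl dgst -sha256 -sign "$1/sp.key" -out "$3" "$2"
}

# verify_file DIR FILE SIG: what ADFS does with the certificate uploaded on the
# Signature tab: extract the public key and check the signature. Returns
# non-zero if FILE or SIG has been altered.
verify_file() {
    openssl x509 -in "$1/sp.crt" -noout -pubkey > "$1/sp.pub"
    openssl dgst -sha256 -verify "$1/sp.pub" -signature "$3" "$2" >/dev/null 2>&1
}

# Stand-alone run: SP_CERT_DIR=out sh sp-cert.sh
if [ -n "${SP_CERT_DIR:-}" ]; then
    make_sp_cert "$SP_CERT_DIR" sp.example.com
    cert_subject "$SP_CERT_DIR"
    sig_algorithm "$SP_CERT_DIR"
    if cert_matches_key "$SP_CERT_DIR"; then echo "certificate matches private key"; fi
fi
```

The `.cer` and `.p7b` written here are the same certificate in two containers; either one is what goes into the Relying Party Trust, and the `.key` file never leaves the service provider. Re-run `cert_matches_key` after any regeneration before touching ADFS, since a stale certificate on the Signature tab fails silently from the SP's point of view.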

I used the SelfSSL tool for Windows when putting together an ADFS proof of concept. Specifically, this guy has an enhanced version for IIS7.

A sample command:

selfssl7.exe /N cn=www.example.com /K 2048 /V 3652 /X /F C:\example.pfx /W foo

Generates "example.pfx" file with a 2048-bit key, valid for ~10 years, with password "foo" protecting the private key, with common name "www.example.com". You can import this to your local machine's certificate store and then export it as a .cer file with or without the private key info as desired.

Sean Hanley
  • @Sean - And this cert will be able to be used as a way to sign (private key) a Single Log Out request (for example) sent over to ADFS in which ADFS uses the public key to verify? Thanks so much. – Brian David Berman Jan 23 '13 at 21:25
  • Sean - When I go to export with private key, I don't get .cer as an option, only .pfx. Is that normal? – Brian David Berman Jan 28 '13 at 01:36
  • @Brian Yes, that's normal. CER format cannot carry additional data like the private key. I believe PFX is more like a container format for lots of different kinds of security data, so it can handle bundling a certificate and key together. – Sean Hanley Feb 04 '13 at 18:31
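As an added example (not code from the answer or comments above), here is the same key-plus-certificate bundle that the selfssl7.exe command produces, built with openssl, followed by the two export paths discussed in the comments: the certificate alone as a .cer (no private key, the file ADFS gets) and the password-protected PKCS#12 container (.pfx) that carries both. The CN `www.example.com`, the 3652-day validity and the password `foo` mirror the selfssl7 command and are placeholders, as are the file names and the `SP_CERT_DIR` variable; it assumes openssl 1.1 or later.

```shell
#!/bin/sh
# Added example, not part of the original answer: build the key/cert pair and the
# PKCS#12 (.pfx) container with openssl, then show that a .cer exported from it
# carries only the certificate while the .pfx still yields the private key.
# Assumptions: openssl 1.1 or later; CN, validity and password mirror the selfssl7
# command above ("www.example.com", 3652 days, "foo") and are placeholders.
set -eu

# make_pfx DIR PASS: self-signed RSA-2048 key pair, then DIR/sp.pfx (PKCS#12)
# holding both the certificate and the private key, encrypted under PASS.
make_pfx() {
    dir=$1; pass=$2
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3652 \
        -subj "/CN=www.example.com" -keyout "$dir/sp.key" -out "$dir/sp.crt" 2>/dev/null
    # -name sets the "friendly name" shown in the Windows certificate store.
    openssl pkcs12 -export -in "$dir/sp.crt" -inkey "$dir/sp.key" \
        -name "SAML SP signing" -out "$dir/sp.pfx" -passout "pass:$pass"
    chmod 600 "$dir/sp.key" "$dir/sp.pfx"
}

# export_public_cer DIR PASS: the "export without private key" path. Only the
# certificate leaves the container, as DER, which is what goes to ADFS.
export_public_cer() {
    openssl pkcs12 -in "$1/sp.pfx" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -outform DER -out "$1/sp-public.cer"
}

# pfx_has_private_key DIR PASS: true when the container yields a private key;
# needs the password, which is also why the .pfx must never be sent to the IdP.
pfx_has_private_key() {
    openssl pkcs12 -in "$1/sp.pfx" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY'
}

# cer_has_private_key FILE: a DER .cer is a bare X.509 certificate; openssl finds
# no key material in it, so this returns non-zero.
cer_has_private_key() {
    openssl pkey -in "$1" -inform DER -noout 2>/dev/null
}

# public_key_fingerprint FILE FORM: SHA-256 of the SubjectPublicKeyInfo, to show
# the .cer exported from the .pfx carries the same key the .pfx itself holds.
public_key_fingerprint() {
    openssl x509 -in "$1" -inform "$2" -noout -pubkey | openssl sha256
}

# Stand-alone run: SP_CERT_DIR=out sh sp-pfx.sh
if [ -n "${SP_CERT_DIR:-}" ]; then
    make_pfx "$SP_CERT_DIR" "${SP_PFX_PASS:-foo}"
    export_public_cer "$SP_CERT_DIR" "${SP_PFX_PASS:-foo}"
    public_key_fingerprint "$SP_CERT_DIR/sp-public.cer" DER
fi
```

Hand ADFS the `sp-public.cer`; keep the `.pfx` (and its password) with the service provider. If an older Windows host refuses to import the `.pfx`, note that OpenSSL 3 changed the PKCS#12 defaults to AES-256 and a SHA-256 MAC; its `-legacy` option (or explicit `-keypbe`, `-certpbe` and `-macalg` settings) produces the older encoding those hosts accept.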