Manage SSL certificates using the API
For background on self-managed SSL certificates, learn more in Self-managed SSL certificates.
Certificate API endpoints
To use the certificate API, learn more in the following Advanced Identity Cloud API endpoints:
-
CSRs API endpoint
-
Certificates API endpoint
Authenticate to certificate API endpoints
To authenticate to certificate API endpoints, use an access token created with one of the following scopes:
Scope | Description |
---|---|
|
Full access to certificate API endpoints. Use this scope to create, activate, deactivate, or delete certificates. |
|
Read-only access to certificate API endpoints. Use this scope if you only need to List certificates. |
Prerequisites
You need the openssl and jq command-line tools to run some of the commands. You can find installation instructions for your particular package manager in https://command-not-found.com/openssl and https://command-not-found.com/jq.
Create a certificate using a tenant-generated private key
You can create certificates using a private key the tenant generates for you and which is retained in the tenant. The benefit of this approach is there is no risk of accidentally leaking your private key as it never leaves the tenant. However, with this approach, you can only install a signed certificate on the same tenant from which you requested the CSR.
Step 1: Create a CSR using the certificate API
In this step, you create a certificate signing request (CSR). You’ll need this in the next step to create a self-signed certificate or to send to your preferred SSL certificate provider to create a CA-signed certificate.
-
Create a JSON payload of CSR information:
-
Adapt the following example configuration to suit your company:
{ "commonName": "www.pingidentity.com", (1) "organization": "Ping Identity Corporation", (1) "organizationalUnit": "IT", (1) "country": "US", (1) "streetAddress": "1001 17th Street", (1) "city": "Denver", (1) "postalCode": "80202", (1) "email": "example.user@pingidentity.com", (1) "businessCategory": "Private Organization", (2) "serialNumber": "3463471", (2) "jurisdictionCountry": "US", (2) "jurisdictionLocality": "Wilmington", (2) "jurisdictionState": "Delaware", (2) "subjectAlternativeNames": ["support.pingidentity.com", "labs.pingidentity.com"] (3) }
1 Configures the standard CSR fields. All standard fields are included for demonstration, but this is not strictly necessary. Consult your SSL certificate provider’s documentation for the minimum required fields. Remove any fields that are not used rather than include them with an empty value. 2 (Optional) Configures the EV CSR fields. All EV fields are included for demonstration, but only businessCategory
,serialNumber
, andjurisdictionCountryName
are required.3 (Optional) Configures the subject alternative names (SANs). SANs are domains the certificate will secure in addition to the commonName
. Wildcards values in SAN domains are not permitted. -
Save your adapted configuration in a local file called
csr-payload.json
.
-
-
In the tenant environment where you intend to install the certificate:
-
Get an access token created with the
fr:idc:certificate:*
scope. -
Create a CSR using the
/environment/csrs
endpoint:$ curl \ --request POST 'https://<tenant-env-fqdn>/environment/csrs' \ (1) --header 'Authorization: Bearer <access-token>' \ (2) --header 'Content-Type: application/json' \ --data "$(< csr-payload.json)" \ (3) > tee csr-result.json (4)
1 Replace <tenant-env-fqdn> with the FQDN of your tenant environment. 2 Replace <access-token> with the access token. 3 The request body is populated with the output of csr-payload.json
.4 The response is stored in a local file called csr-result.json
.Show response
{ "algorithm": "SHA256-RSA", "createdDate": "2024-04-24T17:11:42Z", "id": "4f1caf97-bd2f-4d30-8e68-682fa10d27ff", (1) "request": "-----BEGIN CERTIFICATE REQUEST-----\nMIIDTTCCAjUCAQAwgbcxCzAJBgNVBAYTAlVTMQ8wDQYDVQQHEwZEZW52ZXIxGTAX\nBgNVB ... MUREqk/\ndSPgWeMMVFQwlmljkE+cvGl9L3f7aPgXtR6nxPS/oTSl\n-----END CERTIFICATE REQUEST-----\n", "subject": "CN=www.pingidentity.com,OU=IT,O=Ping Identity Corporation,STREET=1001 17th Street,L=Denver,C=US", "subjectAlternativeNames": [ "support.pingidentity.com", "labs.pingidentity.com" ] }
1 The CSR ID is represented by the id
key. You need this ID in a later step to update the CSR with the signed certificate. In this example, the CSR ID is4f1caf97-bd2f-4d30-8e68-682fa10d27ff
. -
Extract the CSR from the
request
key of the JSON object incsr-result.json
:$ jq -r .request csr-result.json > csr.pem
-
Review the contents of the CSR in
csr.pem
:-
For an example of a CSR, learn more in PEM-formatted certificate examples.
-
To check the information in the CSR, learn more in Check a CSR.
-
-
Step 2: Generate a signed certificate and create a certificate chain
In this step, you create a CA-signed or self-signed certificate, then create a PEM-formatted certificate chain.
-
Create a certificate from the CSR in one of these ways:
-
CA-signed certificate:
Supply the CSR to your preferred SSL certificate provider so they can generate a CA-signed certificate. Your SSL certificate provider should provide you with a signed certificate and a CA certificate. They may also provide intermediary certificates. -
Self-signed certificate:
Use OpenSSL to create a custom CA certificate and a self-signed certificate.
-
-
Combine your signed certificate and CA certificate into a certificate chain and save it in the local file
chain.pem
. If you used an SSL certificate provider, add any intermediary certificates intochain.pem
too, inserted between your signed certificate and the CA certificate:$ cat cert.pem [inter.cert.pem ...] ca.cert.pem > chain.pem
The following is an example of what the certificate chain might look like:
-----BEGIN CERTIFICATE----- content of your signed certificate -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- content of an optional intermediate CA certificate -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- content of a CA certificate -----END CERTIFICATE-----
Step 3: Install the certificate
In this step, you install the certificate in the tenant environment where you created the CSR request.
-
Create a JSON payload of certificate information:
-
Add the certificate chain to a JSON object:
$ jq -Rs '{certificate: .}' ./chain.pem > payload.json
Summary of command:
-
Creates a JSON object using the
jq
command. Learn more in Prerequisites. -
Adds a
certificate
key to the JSON object set with the contents ofchain.pem
as a single line. -
Saves the JSON object in a local file called
payload.json
.
-
-
The contents of
payload.json
should look something like this:{ "certificate": "-----BEGIN CERTIFICATE-----\ncontent of your signed certificate\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\ncontent of an optional intermediate CA certificate\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\ncontent of your CA certificate\n-----END CERTIFICATE-----\n" }
-
-
In the tenant environment where you created the CSR request in step 1.2 and intend to install the certificate:
-
Get an access token created with the
fr:idc:certificate:*
scope. -
Upload the certificate using the
/environment/csrs
endpoint:$ curl \ --request PATCH 'https://<tenant-env-fqdn>/environment/csrs/<csr-id>' \(1) (2) --header 'Authorization: Bearer <access-token>' \(3) --header 'Content-Type: application/json' \ --data "$(< payload.json)" (4)
1 Replace <tenant-env-fqdn> with the FQDN of your tenant environment. 2 Replace <csr-id> with the CSR ID you noted in step 1, 2b. 3 Replace <access-token> with the access token. 4 The request body is populated with the output of payload.json
.Show response
{ "algorithm": "SHA256-RSA", "certificateID": "ccrt-d7bad9b1-65fa-48ce-b56a-bd320a75d477", (1) "createdDate": "2024-05-03T12:49:29Z", "id": "11c5419e-c5de-466d-a7e7-d65afbde1217", "request": "-----BEGIN CERTIFICATE REQUEST-----\nMIIDozCCAosCAQAwgbcxCzAJBgNVBAYTAlVTMQ8wDQYDVQQHEwZEZW52ZXIxGTAX\nBgNVB ... ABMyK1\nDVSVbrcuZMoxcnzZNynjGLe58iFS+ko=\n-----END CERTIFICATE REQUEST-----\n", "subject": "CN=www.pingidentity.com,OU=IT,O=Ping Identity Corporation,STREET=1001 17th Street,L=Denver,C=US", "subjectAlternativeNames": [ "support.pingidentity.com", "labs.pingidentity.com" ] }
1 The certificate ID is represented by the certificateID
key. You need this ID to activate, deactivate, or delete the certificate. In this example, the certificate ID isccrt-d7bad9b1-65fa-48ce-b56a-bd320a75d477
. -
Get the certificate information using the
/environment/certificates
endpoint:$ curl \ --request GET 'https://<tenant-env-fqdn>/environment/certificates/<certificate-id>' \(1) (2) --header 'Authorization: Bearer <access-token>' \(3) --header 'Content-Type: application/json'
1 Replace <tenant-env-fqdn> with the FQDN of your tenant environment. 2 Replace <certificate-id> with the certificate ID you noted in the previous step. 3 Replace <access-token> with the access token. Show response
{ "active": false, (1) "expireTime": "2024-06-02T12:58:01Z", "id": "ccrt-d7bad9b1-65fa-48ce-b56a-bd320a75d477", (2) "issuer": "CN=Self-signing CA", "live": false, (3) "subject": "CN=www.pingidentity.com,OU=IT,O=Ping Identity Corporation,STREET=1001 17th Street,L=Denver,C=US,1.2.840.113549.1.9.1=#0c1d6578616d706c652e757365724070696e676964656e746974792e636f6d", "subjectAlternativeNames": [ "support.pingidentity.com", "labs.pingidentity.com" ], "validFromTime": "2024-05-03T12:58:01Z" }
1 The active
key is set tofalse
which indicates that the certificate is not active. This is the default value for a new certificate.2 The certificate ID is represented by the id
key. This is the same ID as in thecertificateID
key in the CSR response from the previous step.3 The live
key returns the valuefalse
, which indicates the certificate is not installed in the environment’s load balancer. In the next step, you will set theactive
key totrue
. This triggers an asynchronous process that installs the certificate in the environment’s load balancer. When the asynchronous process is complete, thelive
key returns the valuetrue
. -
Activate the certificate to install it in the environment’s load balancer.
-
Create a certificate using a locally generated private key
You can create certificates using a private key you generate locally and retain access to. The benefit of this approach is once you have signed the certificate, you can install it with the private key on as many tenants as you need. However, to use this approach, you must have robust security practices when handling the private key.
Step 1: Create a CSR using the command line
In this step, you create a certificate signing request (CSR). You’ll need this in the next step to create a self-signed certificate or to send to your preferred SSL certificate provider to create a CA-signed certificate.
-
Create an OpenSSL CSR configuration file:
-
Adapt the following example configuration to suit your company:
[ req ] (1) prompt = no (2) distinguished_name = req_distinguished_name req_extensions = req_ext (5) [ req_distinguished_name ] # Standard CSR fields (3) commonName = www.pingidentity.com organizationName = Ping Identity Corporation organizationalUnitName = IT countryName = US streetAddress = 1001 17th Street localityName = Denver stateOrProvinceName = Colorado postalCode = 80202 emailAddress = example.user@pingidentity.com # EV CSR fields (4) businessCategory = Private Organization serialNumber = 3463471 jurisdictionCountryName = US jurisdictionLocalityName = Wilmington jurisdictionStateOrProvinceName = Delaware [ req_ext ] (5) subjectAltName = @alt_names [alt_names] (5) DNS.1 = support.pingidentity.com DNS.2 = labs.pingidentity.com
1 Configures the openssl req
command.2 Configures the openssl req
command to use the CSR values supplied in this configuration file instead of prompting for them.3 Configures the standard CSR fields. All standard fields are included for demonstration, but this is not strictly necessary. Consult your SSL certificate provider’s documentation for the minimum required fields. Remove any fields that are not used rather than include them with an empty value. 4 (Optional) Configures the EV CSR fields. All EV fields are included for demonstration, but only businessCategory
,serialNumber
, andjurisdictionCountryName
are required.5 (Optional) Configures the subject alternative names (SANs). SANs are domains the certificate will secure in addition to the commonName
. Wildcard values in SAN domains are not permitted. -
Save your adapted configuration in a local file called
openssl-csr.conf
.
-
-
Create a CSR:
-
Generate a CSR and private key pair using the configuration in
openssl-csr.conf
:$ openssl req \ -nodes -newkey rsa:2048 \ -out csr.pem -keyout key.pem \ -config openssl-csr.conf
-
Review the CSR and private key, which are respectively in the local files
csr.pem
andkey.pem
:-
For examples of a CSR and private key, learn more in PEM-formatted certificate examples.
-
To check the information in the CSR, learn more in Check a CSR.
-
-
Step 2: Generate a signed certificate and create a certificate chain
In this step, you create a CA-signed or self-signed certificate, then create a PEM-formatted certificate chain.
-
Create a certificate from the CSR in one of these ways:
-
CA-signed certificate:
Supply the CSR to your preferred SSL certificate provider so they can generate a CA-signed certificate. Your SSL certificate provider should provide you with a signed certificate and a CA certificate. They may also provide intermediary certificates. -
Self-signed certificate:
Use OpenSSL to create a custom CA certificate and a self-signed certificate.
-
-
Combine your signed certificate and CA certificate into a certificate chain and save it in the local file
chain.pem
. If you used an SSL certificate provider, add any intermediary certificates intochain.pem
too, inserted between your signed certificate and the CA certificate:$ cat cert.pem [inter.cert.pem ...] ca.cert.pem > chain.pem
The following is an example of what the certificate chain might look like:
-----BEGIN CERTIFICATE----- content of your signed certificate -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- content of an optional intermediate CA certificate -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- content of a CA certificate -----END CERTIFICATE-----
Step 3: Install the certificate
In this step, you install the certificate and private key in your tenant environments.
-
Create a JSON payload of certificate information:
-
Add the certificate chain and private key to a JSON object:
$ (jq -Rs '{certificate: .}' ./chain.pem; jq -Rs '{privateKey: .}' ./key.pem) | jq -s add > payload.json
Summary of command:
-
Creates a JSON object using the
jq
command. Learn more in Prerequisites. -
Adds a
certificate
key to the JSON object set with the contents ofchain.pem
as a single line. -
Adds a
privateKey
key to the JSON object set with the contents ofkey.pem
as a single line. -
Saves the JSON object in a local file called
payload.json
.
-
-
The contents of
payload.json
should look something like this:{ "certificate": "-----BEGIN CERTIFICATE-----\ncontent of your signed certificate\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\ncontent of an optional intermediate CA certificate\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\ncontent of your CA certificate\n-----END CERTIFICATE-----\n", "privateKey": "-----BEGIN ENCRYPTED PRIVATE KEY-----\ncontent of your private key\n-----END ENCRYPTED PRIVATE KEY-----\n" }
-
-
In each tenant environment where you want to install the certificate:
-
Get an access token created with the
fr:idc:certificate:*
scope. -
Upload the certificate using the
/environment/certificates
endpoint:$ curl \ --request POST 'https://<tenant-env-fqdn>/environment/certificates' \(1) --header 'Authorization: Bearer <access-token>' \(2) --header 'Content-Type: application/json' \ --data "$(< payload.json)" (3)
1 Replace <tenant-env-fqdn> with the FQDN of your tenant environment. 2 Replace <access-token> with the access token. 3 The request body is populated with the output of payload.json
.Show response
{ "active": false, (1) "expireTime": "2024-06-01T15:14:54Z", "id": "ccrt-134425bc-6203-48fe-bbef-b17792faf972", (2) "issuer": "CN=Self-signing CA", "live": false, (3) "subject": "SERIALNUMBER=3463471,CN=www.pingidentity.com,OU=IT,O=Ping Identity Corporation,POSTALCODE=80202,STREET=1001 17th Street,L=Denver,ST=Colorado,C=US,1.3.6.1.4.1.311.60.2.1.2=#130844656c6177617265,1.3.6.1.4.1.311.60.2.1.1=#130a57696c6d696e67746f6e,1.3.6.1.4.1.311.60.2.1.3=#13025553,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.2.840.113549.1.9.1=#0c1d6578616d706c652e757365724070696e676964656e746974792e636f6d", "subjectAlternativeNames": [ "support.pingidentity.com", "labs.pingidentity.com" ], "validFromTime": "2024-05-02T15:14:54Z" }
1 The active
key is set tofalse
, which indicates the certificate is not active. This is the default value for a new certificate.2 The certificate ID is represented by the id
key. You need this ID to activate, deactivate, or delete the certificate. In this example, the certificate ID isccrt-134425bc-6203-48fe-bbef-b17792faf972
.3 The live
key returns the valuefalse
, which indicates the certificate is not installed in the environment’s load balancer. In the next step, you will set theactive
key totrue
. This triggers an asynchronous process that installs the certificate in the environment’s load balancer. When the asynchronous process is complete, thelive
key returns the valuetrue
. -
Activate the certificate to install it in the environment’s load balancer.
-
List certificates
List certificates to view all certificates in a tenant environment. Certificates can be active (installed in the environment’s load balancer) or inactive (not installed in the environment’s load balancer). The list includes any certificates Backstage Support added to the environment.
In any tenant environment
-
Get an access token created with the
fr:idc:certificate:read
scope. -
Get a list of certificates from the
/environment/certificates
endpoint:$ curl \ --request GET 'https://<tenant-env-fqdn>/environment/certificates' \(1) --header 'Authorization: Bearer <access-token>' \(2) --header 'Content-Type: application/json'
1 Replace <tenant-env-fqdn> with the FQDN of your tenant environment. 2 Replace <access-token> with the access token. Show response
[ { "active": false, "expireTime": "2024-06-01T15:14:54Z", "id": "ccrt-4ac300e5-7e0a-4d34-a42c-c41a076458da", "issuer": "CN=Self-signing CA", "live": false, "subject": "SERIALNUMBER=3463471,CN=www.pingidentity.com,OU=IT,O=Ping Identity Corporation,POSTALCODE=80202,STREET=1001 17th Street,L=Denver,ST=Colorado,C=US,1.3.6.1.4.1.311.60.2.1.2=#130844656c6177617265,1.3.6.1.4.1.311.60.2.1.1=#130a57696c6d696e67746f6e,1.3.6.1.4.1.311.60.2.1.3=#13025553,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.2.840.113549.1.9.1=#0c1d6578616d706c652e757365724070696e676964656e746974792e636f6d", "subjectAlternativeNames": [ "support.pingidentity.com", "labs.pingidentity.com" ], "validFromTime": "2024-05-02T15:14:54Z" }, { "active": false, "expireTime": "2024-06-02T12:58:01Z", "id": "ccrt-d7bad9b1-65fa-48ce-b56a-bd320a75d477", "issuer": "CN=Self-signing CA", "live": false, "subject": "CN=www.pingidentity.com,OU=IT,O=Ping Identity Corporation,STREET=1001 17th Street,L=Denver,C=US,1.2.840.113549.1.9.1=#0c1d6578616d706c652e757365724070696e676964656e746974792e636f6d", "subjectAlternativeNames": [ "support.pingidentity.com", "labs.pingidentity.com" ], "validFromTime": "2024-05-03T12:58:01Z" } ]
Activate a certificate
Activate a certificate to install it in a tenant environment’s load balancer. If you activate more than one certificate at once, the environment’s load balancer will serve the most appropriate for the requested hostname. This lets you rotate certificates by installing and activating a new certificate before an older certificate expires.
In any tenant environment:
-
List the certificates in the environment and examine the response to find the ID of the certificate (represented as the JSON
id
key) you intend to activate. -
Get an access token created with the
fr:idc:certificate:*
scope. -
Update the certificate by patching the JSON
active
key totrue
:$ curl \ --request PATCH 'https://<tenant-env-fqdn>/environment/certificates/<certificate-id>' \(1) (2) --header 'Authorization: Bearer <access-token>' \(3) --header 'Content-Type: application/json' \ --data '{"active": true}' (4)
1 Replace <tenant-env-fqdn> with the FQDN of your tenant environment. 2 Replace <certificate-id> with the certificate ID you found in step 1. 3 Replace <access-token> with the access token. 4 The request body is set with a new value for the JSON active
key (true
).Show response
{ "active": true, "expireTime": "2024-06-01T15:14:54Z", "id": "ccrt-134425bc-6203-48fe-bbef-b17792faf972", "issuer": "CN=Self-signing CA", "live": false, "subject": "SERIALNUMBER=3463471,CN=www.pingidentity.com,OU=IT,O=Ping Identity Corporation,POSTALCODE=80202,STREET=1001 17th Street,L=Denver,ST=Colorado,C=US,1.3.6.1.4.1.311.60.2.1.2=#130844656c6177617265,1.3.6.1.4.1.311.60.2.1.1=#130a57696c6d696e67746f6e,1.3.6.1.4.1.311.60.2.1.3=#13025553,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.2.840.113549.1.9.1=#0c1d6578616d706c652e757365724070696e676964656e746974792e636f6d", "subjectAlternativeNames": [ "support.pingidentity.com", "labs.pingidentity.com" ], "validFromTime": "2024-05-02T15:14:54Z" }
-
An asynchronous process will automatically install the certificate in the environment’s load balancer. To check when the asynchronous process has completed, poll the
/environment/certificates
endpoint using the certificate ID until thelive
key in the response changes fromfalse
totrue
:$ curl \ --request POST 'https://<tenant-env-fqdn>/environment/certificates/<certificate-id>' \(1) (2) --header 'Authorization: Bearer <access-token>' \(3) --header 'Content-Type: application/json'
1 Replace <tenant-env-fqdn> with the FQDN of your tenant environment. 2 Replace <certificate-id> with the ID of the certificate you updated. 3 Replace <access-token> with the access token. When the asynchronous process has completed and installed the certificate in the environment’s load balancer, the response should look like this:
Show response
{ "active": true, "expireTime": "2024-06-01T15:14:54Z", "id": "ccrt-134425bc-6203-48fe-bbef-b17792faf972", "issuer": "CN=Self-signing CA", "live": true, "subject": "SERIALNUMBER=3463471,CN=www.pingidentity.com,OU=IT,O=Ping Identity Corporation,POSTALCODE=80202,STREET=1001 17th Street,L=Denver,ST=Colorado,C=US,1.3.6.1.4.1.311.60.2.1.2=#130844656c6177617265,1.3.6.1.4.1.311.60.2.1.1=#130a57696c6d696e67746f6e,1.3.6.1.4.1.311.60.2.1.3=#13025553,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.2.840.113549.1.9.1=#0c1d6578616d706c652e757365724070696e676964656e746974792e636f6d", "subjectAlternativeNames": [ "support.pingidentity.com", "labs.pingidentity.com" ], "validFromTime": "2024-05-02T15:14:54Z" }
Deactivate a certificate
Deactivate a certificate to uninstall it from a tenant environment’s load balancer. If you deactivate all certificates in an environment, the load balancer will fall back to using a Google-managed certificate.
To deactivate a certificate, follow the instructions in Activate a certificate with the following changes:
-
In step 3, patch the JSON
active
key tofalse
. -
In step 4, poll the
/environment/certificates
endpoint until thelive
key in the response changes fromtrue
tofalse
.
Delete a certificate
Delete a certificate to permanently remove it from a tenant environment.
In any tenant environment:
-
List the certificates in the environment and examine the response to find the ID of the certificate you intend to delete, represented by the
id
key. -
If you have not done so already, deactivate the certificate to uninstall it from the environment’s load balancer.
-
Get an access token created with the
fr:idc:certificate:*
scope. -
Delete the certificate:
$ curl \ --request DELETE 'https://<tenant-env-fqdn>/environment/certificates/<certificate-id>' \(1) (2) --header 'Authorization: Bearer <access-token>' \(3) --header 'Content-Type: application/json'
1 Replace <tenant-env-fqdn> with the FQDN of your tenant environment. 2 Replace <certificate-id> with the certificate ID you found in step 1. 3 Replace <access-token> with the access token.
Create a custom CA certificate and a self-signed certificate
-
Create a CSR and save it in a local file called
csr.pem
: -
Create a CA certificate and private key:
-
Save the following OpenSSL configuration in a local file called
openssl-req-ca.conf
:[ req ] (1) x509_extensions = x509_req_ext [ x509_req_ext ] (2) subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer basicConstraints = critical, CA:true keyUsage = critical, digitalSignature, cRLSign, keyCertSign
1 Configures the openssl req
command.2 Configures the openssl req
command when using thex509
flag to create a CA certificate. -
Generate a CA certificate and private key:
$ openssl req \ -x509 -nodes -newkey rsa:2048 -sha256 -days 30 \ -out ca.cert.pem -keyout ca.key.pem \ -subj "/CN=Self-signing CA" \ -config openssl-req-ca.conf
-
Review the CA certificate and private key, which are respectively in the local files
ca.cert.pem
andca.key.pem
:-
For examples of a certificate and private key, learn more in PEM-formatted certificate examples.
-
To check the information in the certificate, learn more in Check a certificate.
-
-
-
Create a signed certificate:
-
Save the following OpenSSL configuration in a local file called
openssl-req-sign.conf
:[ req ] (1) x509_extensions = x509_req_ext [ x509_req_ext ] (2) subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always keyUsage = critical, digitalSignature extendedKeyUsage = serverAuth
1 Configures the openssl req
command.2 Configures the openssl req
command when using thex509
flag to sign a CSR. -
Generate a signed certificate using the CSR, the CA certificate and private key, and the configuration in
openssl-req-sign.conf
:$ openssl req \ -x509 -nodes -sha256 -days 30 -copy_extensions copy \ -in csr.pem -out cert.pem -CA ca.cert.pem -CAkey ca.key.pem \ -config openssl-req-sign.conf
-
Review the certificate, which is in the local file
cert.pem
:-
For an example of a certificate, learn more in PEM-formatted certificate examples.
-
To check the information in the certificate, learn more in Check a certificate.
-
-
Check a CSR
To check the information in a CSR, run this command:
$ openssl req -in <csr-filename> -noout -text (1)
1 | Replace <csr-filename> with the name of the local file containing your CSR; for example, csr.pem . |
Show response
Certificate Request:
Data:
Version: 1 (0x0)
Subject: CN = www.pingidentity.com, O = Ping Identity Corporation, OU = IT, C = US, street = 1001 17th Street, L = Denver, ST = Colorado, postalCode = 80202, emailAddress = example.user@pingidentity.com, businessCategory = Private Organization, serialNumber = 3463471, jurisdictionC = US, jurisdictionL = Wilmington, jurisdictionST = Delaware (1)
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:df:cf:53:47:8b:6a:51:23:0c:b9:8d:65:31:13:
26:6b:65:05:46:50:64:2c:97:4b:21:ac:72:99:54:
0c:d9:44:f1:74:c8:cd:55:09:67:7f:a2:f9:47:e5:
d4:fb:ec:fd:e9:c5:fd:77:30:30:79:f4:86:a3:c1:
72:2e:92:ca:74:93:44:65:4d:6f:b1:09:36:8d:b2:
c5:97:16:5e:d2:0d:49:42:91:93:da:01:02:9d:cf:
c4:af:99:1e:1f:80:f9:61:ab:60:14:25:d5:91:a9:
8f:f3:86:01:a1:33:95:10:6c:2a:60:19:6c:49:87:
4c:6f:f5:16:b0:54:2a:95:e1:32:c2:bd:3b:92:06:
3a:07:61:fa:01:72:3e:ca:02:e6:db:73:6a:4a:e7:
7a:ea:24:a7:75:a6:3c:ab:16:e2:c2:52:db:61:2f:
df:22:5d:b7:8b:67:31:4a:44:12:7e:94:af:b5:78:
31:97:09:68:da:07:28:71:61:a4:8b:6f:ce:27:70:
07:d5:12:58:cf:d1:4b:a9:a3:25:c9:a2:3d:08:5e:
1c:b3:b3:54:eb:93:90:55:65:01:0f:13:24:da:b3:
32:50:bf:d4:c3:71:8f:3b:82:25:11:e7:67:44:dd:
69:71:13:b3:6a:86:d2:a4:7f:25:01:c0:8f:71:96:
16:75
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Subject Alternative Name: (2)
DNS:support.pingidentity.com, DNS:labs.pingidentity.com
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
ab:6d:a7:14:8a:07:6b:69:c8:f7:e9:1f:ca:d3:d4:6d:53:ad:
4e:f7:91:aa:ec:1a:50:a3:08:0d:05:41:eb:17:ab:c0:30:d6:
53:2c:24:2f:d3:20:e8:7a:ae:d6:f9:81:a0:d2:a5:ad:44:24:
35:51:c1:d8:2c:f6:32:d5:9b:35:64:4a:d0:76:47:8f:1e:7e:
7d:fe:67:66:fd:a9:f0:c4:d4:18:37:a5:7b:50:af:25:34:76:
14:ac:ba:e7:5a:40:eb:ba:cd:16:09:59:71:e4:88:ab:43:fb:
ff:a1:8d:ae:5f:cc:62:1d:46:19:28:0a:74:fe:e3:59:e9:63:
42:65:db:ef:14:29:53:03:53:8d:17:5f:b2:dd:b9:9d:27:fe:
11:ec:44:07:ef:27:6c:8a:18:63:6c:7c:a4:f4:bb:2e:ee:d5:
ae:4a:79:80:e0:24:6b:db:01:c1:03:6f:c8:6b:8b:c9:72:46:
51:3b:a9:00:7a:c6:fc:28:60:8b:13:88:4c:1d:21:f2:19:de:
c0:a2:99:78:40:74:af:4f:c2:62:3b:6e:d0:9a:12:b1:7a:54:
2c:42:38:d8:f4:27:be:6e:0e:7f:40:ee:54:81:e2:63:da:95:
84:33:a5:48:61:dd:88:10:41:cc:d8:62:e9:3a:61:85:7d:06:
55:04:19:ff
1 | Check the subject contains the fields you entered for the CSR, particularly for EV certificates. |
2 | If you entered SANs for the CSR, check the SAN extension is present. |
Check a certificate
To check the information in a certificate, run this command:
$ openssl x509 -in <certificate-filename> -text -noout (1)
1 | Replace <certificate-filename> with the name of the local file containing your certificate; for example, cert.pem . |
Show response
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = Self-signing CA
Validity
Not Before: May 2 12:07:51 2024 GMT
Not After : Jun 1 12:07:51 2024 GMT (1)
Subject: CN = www.pingidentity.com, C = US, ST = Colorado, L = Denver, O = Ping Identity Corporation, OU = IT (2)
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d0:52:11:d0:47:34:32:26:85:ae:c8:db:e1:59:
9c:88:07:e2:e1:08:65:6c:91:97:e4:e6:33:bb:4c:
24:ef:bd:c1:98:e7:c4:6b:6e:40:30:d5:ca:b8:f6:
d4:23:ae:4f:2a:e2:93:a3:dc:1b:76:dc:9f:ff:ad:
22:23:49:26:18:9e:90:f7:41:7c:7d:89:79:0b:ce:
b3:f6:e2:ce:e0:81:a6:d8:7a:e0:1a:5a:dd:7c:85:
ff:e8:5b:bc:e5:2a:0a:23:0e:69:cf:2b:fd:cf:7a:
d2:d8:5d:fa:61:7f:d5:ef:a0:9c:8a:6d:4c:74:6e:
98:36:38:3e:04:8e:f5:82:32:8c:5d:a8:f4:02:f3:
ad:54:f0:d9:11:8f:88:7f:0b:64:87:97:61:61:d9:
10:7f:54:53:49:e2:fd:90:e3:67:a2:b8:56:b4:7f:
4c:bc:d9:9c:33:96:8d:9a:c3:7c:85:58:47:02:38:
05:80:a6:e3:95:7c:4c:51:46:9f:d6:81:7e:56:12:
cf:35:be:01:57:15:65:f0:d4:9f:61:1f:ba:93:a5:
79:84:de:7a:ba:23:04:fa:9a:f4:99:16:60:0c:ef:
80:99:3c:fd:5d:af:09:8c:6e:02:2d:a8:02:01:bd:
b8:90:00:12:f8:c4:4c:a2:9c:71:e9:22:c4:89:19:
35:3f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
7B:1D:14:C9:3C:4A:67:37:A2:E5:BE:B5:30:19:BE:EF:E6:08:B3:D6
X509v3 Authority Key Identifier:
6E:41:13:8E:26:E4:B0:7E:63:ED:07:0C:4E:2D:CD:FA:66:28:20:21
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Alternative Name: (3)
DNS:support.pingidentity.com, DNS:labs.pingidentity.com
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
22:60:ab:f8:13:cd:af:36:62:06:c5:fe:d4:eb:4f:7e:17:d1:
c9:c9:82:56:97:8e:d5:f1:55:33:64:d2:4f:7f:ab:75:e0:28:
61:35:56:59:ed:7a:a5:a6:6c:94:e7:3c:e1:c5:9c:1c:9e:43:
24:cd:49:f5:b9:d5:0e:81:2b:c5:03:1f:30:36:a3:97:cf:b4:
f4:a1:55:d0:5d:d8:47:de:cf:f2:df:b9:6c:ff:a1:37:f2:61:
98:5f:a6:d1:d9:2c:c2:f3:50:71:51:6b:95:ec:d1:be:b3:f1:
9a:04:29:ad:62:f4:f5:e5:a7:7b:89:d5:a7:4c:4a:e5:88:eb:
d5:d9:3a:5f:9c:97:01:79:00:dc:76:05:e4:f6:3a:74:61:aa:
27:53:60:25:73:39:fd:0c:9b:bf:8e:61:32:59:f8:f3:d7:92:
e4:e8:ba:b3:63:8b:59:b0:e2:16:06:3a:43:0b:ec:00:f8:ad:
4d:fb:81:50:83:f1:87:f0:2d:91:09:43:3a:03:a2:13:00:db:
0c:3e:9d:e5:53:9d:ac:ad:87:de:1a:25:5e:2e:c0:7c:17:fe:
21:61:94:01:d3:3b:96:e7:83:0b:a9:d1:c8:0d:fa:03:93:0a:
67:c5:8d:dd:ad:68:c6:7a:1d:5c:a5:df:cd:0b:d9:de:83:0f:
20:42:83:61
1 | Check the expiry date. |
2 | Check the subject contains the fields you entered for the CSR, particularly for EV certificates. |
3 | If you entered SANs for the CSR, check the SAN extension is present. |
PEM-formatted certificate examples
The contents of a PEM-formatted CSR, private key, and certificate should look something like these examples:
-
CSR example
-
Private key example
-
Certificate example
-----BEGIN CERTIFICATE REQUEST-----
MIIDTTCCAjUCAQAwgbcxCzAJBgNVBAYTAlVTMQ8wDQYDVQQHEwZEZW52ZXIxGTAX
BgNVBAkTEDEwMDEgMTd0aCBTdHJlZXQxIjAgBgNVBAoTGVBpbmcgSWRlbnRpdHkg
Q29ycG9yYXRpb24xCzAJBgNVBAsTAklUMR0wGwYDVQQDExR3d3cucGluZ2lkZW50
aXR5LmNvbTEsMCoGCSqGSIb3DQEJARYdZXhhbXBsZS51c2VyQHBpbmdpZGVudGl0
eS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtQMavyinYUbzz
uIWq5HtqNE4lkO1kV+JzoIxXY5Ytr/ooyy0m3Xb8SycNGeA+X4eDeBuOX1LUOuSl
sOJYyf4mbHKirgojMJ4oj1ysv4DK2GTJOcAnsqXo5Hd+ahOxD8SLvta8S6qYo2ME
VnujZC0ghVi6+9Q11xavcsCLf3LnBe0oYZ7qUEyyNnx4KjvOpDhy+UH9LHvt7Cur
fOCM0l2guX5+VuRVgkHWOtIi3lIF64a9JSpTFY3Z+ikLlGCXtkCtSdSRMiEITpcR
RBYQkCjivF7xzQ0jipL/CtT7no4LWhy72dS3oyuTNeTtyPu8Mbk4EicnVzQtO5iL
xBK+AMv7AgMBAAGgUDBOBgkqhkiG9w0BCQ4xQTA/MD0GA1UdEQEB/wQzMDGCGHN1
cHBvcnQucGluZ2lkZW50aXR5LmNvbYIVbGFicy5waW5naWRlbnRpdHkuY29tMA0G
CSqGSIb3DQEBCwUAA4IBAQBCxK33xB9UTZRJi9Bi02HA06plcrHVdYONuZOSadP+
PdHYV6BoUMvCznzH6uzYdS+aEKrmVa2r6/4CvafvdcxRqTa0dtMAuVJBltlXjmoX
/+xU4rKXwlX1Y+05ZE7waskv4wnTryfE2eNsloiiZazu2zNsnk5MQouJTrLxSH2u
a3eG9B2Xg8H7tSu8tFuaiwdV+YamjG5qDVU8NRhs1JtQg9OJtCG907WQsN+eUys4
vem0rmJ/vI9djVLe2953N1or/gqC2s/0ZnxdsxfXgp4ChYPoxmIA1BEh8MUREqk/
dSPgWeMMVFQwlmljkE+cvGl9L3f7aPgXtR6nxPS/oTSl
-----END CERTIFICATE REQUEST-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIdwl71gz4G1UCAggA
MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECGBfrYt/Ot8sBIIEyB+W3xwf7sbl
XsiQdmnI2ls8ynL0tnULGA404TayGgQIC+bChUdjiw7+n1gaSSfZQAB/nhsOCiuK
Ry9UL6k0ZvjOEyI1l2XEbBswpazh1MKfaqvuCME60O98ntbo+isP/fHzg1JBDYul
/yDFVNj9P7nGRHLdBXU3W9/5hMDzLf5HZSsLi9U4Nfcbs/asbKasHYVm88Qm/I9H
f34YPrwRGYyQCltRKQvNA5z3f8A4GmrXBeED/Incdjf3pxmf+birvzCfK1WYOwgl
J7SfWWKSj55leHvDBmfJcE4TlNDBme+BQ2lUtZ6yvLBzts32EpjqCR2oLwN9h47E
BE8bJjOJ3vEzUWsUxJbi0vkue42fnxFf3n70HemfYO8grQVFP3H2YyBKRC0Dwp2R
xPLldQ6TRFZvTyCxGsAlpo+En9tQHFMaS3RvWp2mWEGqHf0CaSb0aBdt/clbNsPd
HCX5EAghTxZAjWNRTmkihsg6HYXF1uWU6x1h0sZm/xhEEUebdFXFwoYX7tvRFIxp
OJdH+avLp7x33Oyt0jMmaCuZl3uDBnpjzxJT9TwhwSgm/dWBT0b9PPYfB1oPuMwg
pFBi7K9SUxgBSI6ZSISxuf0juFIkIo12ghB6gO6mWoCLC1qSCd0oL3ajP4kWIKBE
a8GIA3EruvF+bQleoHIs7mwOVKkmct59eLJ9UxZzIo6eaAJFJBWBeLGsKB2VyW+p
Fa6lR/mMDH0Jaoh4zMj+K4WVNUXoUoDCe+ERnAqTp0z97bHZDQn0qAdrP79Nh/To
KoD02s0dJl7sOPDso958DE/nP5NmEo46boLFi4NHZDxTxq70zVn1VPfxsXIgfaNA
lbBQu/i+3hjDxoosYMYhIUUYz4X6RzJaC425DFBsW4l8nzEGOhXxlRE8w4G/NgNT
L3JpeKX6tyYYHlNSD2KeSmIb5qC8dqZB640KSH2V6Set1/4sOGMzGtuVa6DYVAic
XtVY8gRy9+os5nsLvI8M9V0j+F/aI3tJ3gjws2eA3cIrbQxCmezsiRG3dt110voc
MDYOdns8jDdi6ViOVQFOQwgo7ekMmnUWuOYavdJXwnyBdT7Prlr1bLFerf4pLfKN
orBgdL1cwyvFjiSi59wbh65zGBvkMbcvvYwo8hh0G3NaST2Q4arLPaZdvpncjVD6
Dr12KFWrsPecg4HtlRVkedlew1De/s+KtIc+dhphL45MF2l9rnOe83tL8qMQI6qE
Q0bYvEOcqkNm0zEWyQCE/m6MpjvvUqS14RBspeIKI4lwvcEJ4jUnPMlmlxJ8EHtn
TfP4xx+KQ7/rjgFUq06qkLu34g3cY+BBzxb1BLSr7kykezU8Dl0qtQFlGUlFQNcC
1AxyB2YV38LfL4wUEF4SvOxQjhmHXQu+L0OApf/wQlKNkbyFR3JfEI+WiW0sQJ3d
PQQnCWorwiWYQXlImY7Zsb30AJOzVB3oX1Pt5NbyK35wUTTWT4kv+giK2SrfJqa0
90PabaDl6/H1h5ushRqmyZibLFIJaoEzR8+82wllHgJwu8NX3N7+Tgx9yCNX4+3r
SNkZ4QZiyo+n2kwvt20lWDCRTLZVXQkaTjqwdr8QZsqOBcmbdLdxv2ctf+umsjAS
Rv8K9FiTy5DNswa1ZE3jYA==
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDvDCCAqSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAaMRgwFgYDVQQDDA9TZWxm
LXNpZ25pbmcgQ0EwHhcNMjQwNTAyMTIwNzUxWhcNMjQwNjAxMTIwNzUxWjCBgTEd
MBsGA1UEAwwUd3d3LnBpbmdpZGVudGl0eS5jb20xCzAJBgNVBAYTAlVTMREwDwYD
VQQIDAhDb2xvcmFkbzEPMA0GA1UEBwwGRGVudmVyMSIwIAYDVQQKDBlQaW5nIElk
ZW50aXR5IENvcnBvcmF0aW9uMQswCQYDVQQLDAJJVDCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBANBSEdBHNDImha7I2+FZnIgH4uEIZWyRl+TmM7tMJO+9
wZjnxGtuQDDVyrj21COuTyrik6PcG3bcn/+tIiNJJhiekPdBfH2JeQvOs/bizuCB
pth64Bpa3XyF/+hbvOUqCiMOac8r/c960thd+mF/1e+gnIptTHRumDY4PgSO9YIy
jF2o9ALzrVTw2RGPiH8LZIeXYWHZEH9UU0ni/ZDjZ6K4VrR/TLzZnDOWjZrDfIVY
RwI4BYCm45V8TFFGn9aBflYSzzW+AVcVZfDUn2EfupOleYTeerojBPqa9JkWYAzv
gJk8/V2vCYxuAi2oAgG9uJAAEvjETKKccekixIkZNT8CAwEAAaOBpDCBoTAdBgNV
HQ4EFgQUex0UyTxKZzei5b61MBm+7+YIs9YwHwYDVR0jBBgwFoAUbkETjibksH5j
7QcMTi3N+mYoICEwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMB
MDoGA1UdEQQzMDGCGHN1cHBvcnQucGluZ2lkZW50aXR5LmNvbYIVbGFicy5waW5n
aWRlbnRpdHkuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQAiYKv4E82vNmIGxf7U609+
F9HJyYJWl47V8VUzZNJPf6t14ChhNVZZ7XqlpmyU5zzhxZwcnkMkzUn1udUOgSvF
Ax8wNqOXz7T0oVXQXdhH3s/y37ls/6E38mGYX6bR2SzC81BxUWuV7NG+s/GaBCmt
YvT15ad7idWnTErliOvV2TpfnJcBeQDcdgXk9jp0YaonU2Alczn9DJu/jmEyWfjz
15Lk6LqzY4tZsOIWBjpDC+wA+K1N+4FQg/GH8C2RCUM6A6ITANsMPp3lU52srYfe
GiVeLsB8F/4hYZQB0zuW54MLqdHIDfoDkwpnxY3drWjGeh1cpd/NC9negw8gQoNh
-----END CERTIFICATE-----