KB-1108 How to create a self-signed certificate for SAML authentication

Purpose

Starting in Appian 7.11, SAML Authentication is configurable through the Administration Console. This configuration requires a Service Provider Signing Certificate to be provided. This article describes some options for generating a self-signed certificate in the required PEM format. Note that this certificate is only used for signing SAML requests and responses. For more information, review the SAML Configuration documentation as well as KB-1153 SAML Authentication FAQ.

Instructions

A certificate in the PEM format can be generated using an OpenSSL-compatible tool, or a certificate in a different format can be converted into the PEM format.

To generate a certificate using OpenSSL:

  1. Install OpenSSL, which is commonly distributed with the Apache web server.
  2. Take note of the location of the OpenSSL configuration file, e.g. C:\apache\conf\openssl.cnf. This will be referred to as CONFIG_FILE_LOCATION.
  3. Open a terminal or command prompt and navigate to the OpenSSL bin directory.
  4. Execute the following command: openssl req -x509 -newkey rsa:2048 -keyout my-certificate.pem -out my-certificate.pem -days 3650 -config CONFIG_FILE_LOCATION
  5. Follow the prompts to create the certificate file. This will create the file my-certificate.pem in the current directory.
  6. Open the newly generated my-certificate.pem in a text editor, such as Notepad++.
    • If the private key section of the file begins with -----BEGIN RSA PRIVATE KEY----- (that is, the key is not encrypted), proceed to step 9.
  7. Open a terminal or command prompt, and within the OpenSSL bin directory execute the following to decrypt your key: openssl rsa -in my-certificate.pem. When prompted, enter the PEM pass phrase you chose in step 5.
  8. Copy the output, beginning with -----BEGIN RSA PRIVATE KEY----- and ending with -----END RSA PRIVATE KEY-----. In my-certificate.pem, replace the section beginning with -----BEGIN ENCRYPTED PRIVATE KEY----- and ending with -----END ENCRYPTED PRIVATE KEY----- with the copied output, then save the file.
    • Note: You must include the header and footer!
  9. Upload my-certificate.pem as the Service Provider Signing Certificate in the SAML Authentication configuration page. If necessary, enter the PEM pass phrase you selected in the certificate creation wizard as the Service Provider Signing Certificate Password.
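The OpenSSL procedure above, automated and followed by the checks worth running before step 9. This is an added example, not part of the KB article; it assumes a POSIX shell with OpenSSL 1.1 or 3.x on PATH, and the subject name and pass phrase are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the KB article: automates steps 4-8 of the OpenSSL
# procedure and adds the checks worth running before the upload in step 9.
# Assumes a POSIX shell and OpenSSL 1.1 or 3.x on PATH; subject name and pass
# phrase are constructed placeholders.
set -eu

# Step 4, non-interactive. The KB command writes key and cert into one file;
# generating them separately and concatenating gives the same combined PEM.
make_saml_signing_cert() {   # $1 = output PEM path, $2 = pass phrase for the key
  openssl req -x509 -newkey rsa:2048 -days 3650 -subj "/CN=appian-sp.example" \
    -keyout "$1.key" -out "$1.crt" -passout "pass:$2" 2>/dev/null
  cat "$1.key" "$1.crt" > "$1" && rm -f "$1.key" "$1.crt"
}

# Steps 7-8: if the key block is encrypted (PKCS#8 "ENCRYPTED PRIVATE KEY" from
# OpenSSL 1.1+, or the older "Proc-Type: 4,ENCRYPTED" form), rewrite the file as
# decrypted key followed by certificate. OpenSSL 3 labels the decrypted key
# "BEGIN PRIVATE KEY" rather than "BEGIN RSA PRIVATE KEY"; the check accepts both.
decrypt_key_in_pem() {   # $1 = PEM path, $2 = pass phrase
  grep -q -E 'ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1" || return 0
  openssl rsa -in "$1" -passin "pass:$2" -out "$1.tmp" 2>/dev/null
  sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" >> "$1.tmp"
  mv "$1.tmp" "$1"
}

# Pre-upload check for step 9: one certificate, one unencrypted private key, and
# the key must belong to the certificate (same public key). 0 if all hold.
verify_saml_pem() {   # $1 = PEM path
  if grep -q -E 'ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"; then
    echo "key is still encrypted: apply steps 7-8 first" >&2; return 1
  fi
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" || { echo "no certificate block" >&2; return 1; }
  grep -q -E -- '-----BEGIN (RSA )?PRIVATE KEY-----' "$1" || { echo "no key block" >&2; return 1; }
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate" >&2; return 1; }
}

# Whole flow in directory $1: the freshly generated file must fail the check
# (encrypted key) and pass once the key has been decrypted.
run_demo() {
  pem="$1/my-certificate.pem"
  make_saml_signing_cert "$pem" "constructed-passphrase"
  if verify_saml_pem "$pem" 2>/dev/null; then return 1; fi
  decrypt_key_in_pem "$pem" "constructed-passphrase"
  verify_saml_pem "$pem"
}

run_demo "$(mktemp -d)" && echo "my-certificate.pem is ready for upload"
```

The same verify_saml_pem check applies to a file produced by the IIS/PKCS#12 route, since openssl pkcs12 -nodes also writes an unencrypted key and certificate into one PEM.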

To generate a certificate using Windows Internet Information Services (IIS):

  1. In the IIS Manager, navigate to the Features view and double-click Server Certificates.
  2. In the Actions pane, click Create Self-Signed Certificate.
  3. On the Create Self-Signed Certificate page, specify a name for the certificate, and then click OK.
  4. The certificate will now be listed on the Server Certificates page. Select the new certificate and click Export in the Actions pane.
  5. Select a directory to export the certificate to and enter a password for the certificate.
  6. This will create a certificate file in the PFX format. To convert this to the PEM format, either use an online SSL converter tool (note that this means uploading the PFX, which contains your private key, to a third party), or use OpenSSL with the following steps:
    1. Open a terminal or command prompt and navigate to the OpenSSL bin directory. Place the new PFX certificate my-certificate.pfx in the same directory.
    2. Execute the following command: openssl pkcs12 -in my-certificate.pfx -out my-certificate.pem -nodes. When prompted, enter the password for the certificate. This will create the file my-certificate.pem in the current directory.
  7. Upload my-certificate.pem as the Service Provider Signing Certificate in the SAML Authentication configuration page. If necessary, enter the PEM pass phrase you selected in the certificate creation wizard as the Service Provider Signing Certificate Password.

Affected Versions

This article applies to Appian 7.11 and later.

Last Reviewed: December 2023
