KB-1108 How to create a self-signed certificate for SAML authentication

Starting in Appian 7.11, SAML Authentication is configurable through the Administration Console. This configuration requires a Service Provider Signing Certificate to be provided. This article describes some options for generating a self-signed certificate in the required PEM format. Note that this certificate is only used for signing SAML requests and responses. This article also answers some common questions regarding SAML certificates.

Refer to SAML Configuration for more information.

Certificate Generation

A certificate in the PEM format can be generated using an OpenSSL-compatible tool, or a certificate in a different format can be converted into the PEM format.

To generate a certificate using Apache OpenSSL:

  1. Install the OpenSSL command-line tool; on Windows it is commonly bundled with Apache HTTP Server distributions.
  2. Take note of the location of the OpenSSL configuration file, e.g. C:\apache\conf\openssl.cnf. This will be referred to as CONFIG_FILE_LOCATION.
  3. Open a terminal or command prompt and navigate to the OpenSSL bin directory.
  4. Execute the following command: openssl req -x509 -newkey rsa:2048 -keyout my-certificate.pem -out my-certificate.pem -days 3650 -config CONFIG_FILE_LOCATION
  5. Follow the prompts to create the certificate file. This will create the file my-certificate.pem in the current directory.
  6. Open the newly generated my-certificate.pem in a text editor, such as Notepad++.
    • If the file begins with -----BEGIN RSA PRIVATE KEY-----, the key is already unencrypted; proceed to step 9.
  7. Open a terminal or command prompt, and within the OpenSSL bin directory execute the following to decrypt your key (you will be prompted for the PEM pass phrase chosen in step 5): openssl rsa -in my-certificate.pem
  8. Copy the output, from -----BEGIN RSA PRIVATE KEY----- through -----END RSA PRIVATE KEY-----, paste it over the section of your certificate file that runs from -----BEGIN ENCRYPTED PRIVATE KEY----- through -----END ENCRYPTED PRIVATE KEY-----, and save the file.
    • Note: You must include the header and footer!
  9. Upload my-certificate.pem as the Service Provider Signing Certificate in the SAML Authentication configuration page. If the key in the file is still protected by a pass phrase, enter the PEM pass phrase you selected in step 5 as the Service Provider Signing Certificate Password.

To generate a certificate using Windows Internet Information Services (IIS):

  1. In the IIS Manager, navigate to the Features view and double-click Server Certificates.
  2. In the Actions pane, click Create Self-Signed Certificate.
  3. On the Create Self-Signed Certificate page, specify a name for the certificate, and then click OK.
  4. The certificate will now be listed on the Server Certificates page. Select the new certificate and click Export in the Actions pane.
  5. Select a directory to export the certificate to and enter a password for the certificate.
  6. This will create a certificate file in the PFX format. To convert it to the PEM format, either use an online SSL converter tool, or use OpenSSL with the following steps:
    1. Open a terminal or command prompt and navigate to the OpenSSL bin directory. Place the new PFX certificate my-certificate.pfx in the same directory.
    2. Execute the following command: openssl pkcs12 -in my-certificate.pfx -out my-certificate.pem -nodes. When prompted, enter the password you chose when exporting the certificate. This will create the file my-certificate.pem in the current directory, with the private key written unencrypted (that is what -nodes means).
  7. Upload my-certificate.pem as the Service Provider Signing Certificate in the SAML Authentication configuration page. If the key in the file is still protected by a pass phrase, enter it as the Service Provider Signing Certificate Password.
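The two procedures above (OpenSSL generation with the decrypt-and-replace of steps 6 to 8, and the IIS PFX conversion) as one helper script. This is an added example, not Appian's tooling and not code from the original article. It assumes a POSIX shell and an OpenSSL 1.1 or later command-line tool on PATH; the function names, the subject "saml-sp.example.com" and the environment variable names PEM_PASS and PFX_PASS are this example's own choices.

```shell
#!/bin/sh
# Added example, not Appian's own tooling: builds the combined key-plus-certificate
# PEM file the SAML configuration page expects, decrypts a pass-phrase-protected
# key without hand-editing the file, converts an IIS PFX export, and checks the
# result before upload.  Assumes a POSIX shell and OpenSSL 1.1+ on PATH.  Pass
# phrases are read from exported variables (PEM_PASS, PFX_PASS), never from argv.
set -eu

# Classify the private-key block in a PEM file (the check made in step 6):
#   rsa       - unencrypted PKCS#1 key,  "-----BEGIN RSA PRIVATE KEY-----"
#   pkcs8     - unencrypted PKCS#8 key,  "-----BEGIN PRIVATE KEY-----"
#   encrypted - still pass-phrase protected; needs steps 7 and 8
#   none      - the file contains no private key at all
pem_key_kind() {
    if grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1" ||
       grep -q -- '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted
    elif grep -q -- '-----BEGIN RSA PRIVATE KEY-----' "$1"; then
        echo rsa
    elif grep -q -- '-----BEGIN PRIVATE KEY-----' "$1"; then
        echo pkcs8
    else
        echo none
    fi
}

# Step 4 without prompts.  Key and certificate are written to separate files and
# concatenated, giving the same single-file layout as the article's command.
# With PEM_PASS exported the key is encrypted as the interactive wizard does;
# unset, the key is written ready to upload.  The subject is a placeholder.
generate_saml_cert() {
    out=$1
    work=$(mktemp -d)
    if [ -n "${PEM_PASS-}" ]; then key_opts='-passout env:PEM_PASS'; else key_opts=-nodes; fi
    # key_opts is deliberately unquoted so that it splits into two words
    openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 $key_opts \
        -subj '/CN=saml-sp.example.com/O=Example Org' \
        -keyout "$work/key.pem" -out "$work/cert.pem" 2>/dev/null &&
    cat "$work/key.pem" "$work/cert.pem" > "$out"
    status=$?
    rm -rf "$work"
    return $status
}

# Steps 7 and 8 done by the tool instead of by copy and paste: re-emit the key
# without its pass phrase (read from PEM_PASS) and carry the certificate over.
decrypt_saml_pem() {
    in=$1 out=$2
    work=$(mktemp -d)
    openssl pkey -in "$in" -passin env:PEM_PASS -out "$work/key.pem" &&
    openssl x509 -in "$in" -out "$work/cert.pem" &&
    cat "$work/key.pem" "$work/cert.pem" > "$out"
    status=$?
    rm -rf "$work"
    return $status
}

# IIS path, sub-step 2: convert the PFX export to PEM with an unencrypted key.
# The export password is taken from PFX_PASS.
pfx_to_pem() {
    openssl pkcs12 -in "$1" -out "$2" -nodes -passin env:PFX_PASS
}

# Pre-upload check: one unencrypted private key plus a certificate whose public
# key matches it.  Explains the problem on stderr and returns 1 otherwise.
verify_saml_pem() {
    pem=$1
    case "$(pem_key_kind "$pem")" in
        encrypted) echo "$pem: key is still encrypted; run decrypt_saml_pem" >&2; return 1 ;;
        none)      echo "$pem: no private key found" >&2; return 1 ;;
    esac
    grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" ||
        { echo "$pem: no certificate found" >&2; return 1; }
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null || true)
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null || true)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ] ||
        { echo "$pem: private key does not match the certificate" >&2; return 1; }
    # What the IdP operator will see: subject, validity window and fingerprint
    openssl x509 -in "$pem" -noout -subject -dates -fingerprint -sha256
}

# Usage: sh saml-cert.sh generate sp.pem        (export PEM_PASS for an encrypted key)
#        sh saml-cert.sh decrypt in.pem out.pem (export PEM_PASS first)
#        sh saml-cert.sh pfx2pem in.pfx out.pem (export PFX_PASS first)
#        sh saml-cert.sh verify sp.pem
main() {
    case "${1-}" in
        generate) generate_saml_cert "$2" && verify_saml_pem "$2" ;;
        decrypt)  decrypt_saml_pem "$2" "$3" ;;
        pfx2pem)  pfx_to_pem "$2" "$3" ;;
        verify)   verify_saml_pem "$2" ;;
        *) echo "usage: $0 generate|decrypt|pfx2pem|verify <files...>" >&2; return 2 ;;
    esac
}
[ $# -eq 0 ] || main "$@"
```

The verify step is the part worth keeping even if you generate the certificate by hand: it refuses a file whose key is still encrypted (the case steps 7 and 8 exist for), a file with no certificate block, and a key that does not belong to the certificate, which is the usual cause of a signing certificate that uploads fine but produces signatures the identity provider rejects.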

Common Questions Regarding SAML Certificates

What should we set the "common name" to be when generating a certificate?

The common name can be any desired value. There is no restriction on common name from the Appian side.

What is the private key used for when generating the certificate?

The private key will only be used for signing SAML assertions. It will NOT be used for SSL encryption for HTTPS communications.

Can the certificate be signed by any trusted Certificate Authority (CA), like our internal Microsoft CA, or does it need to be a mutually-trusted certificate, such as a certificate signed by Symantec or another CA?

There is no requirement for a CA-signed certificate from the Appian side. For a production environment, Appian Technical Support recommends using a CA-signed certificate.

Affected Versions

This article applies to Appian 7.11 and later.

Last Reviewed: March 2021
