KB-1108 How to create a self-signed certificate for SAML authentication

Starting in Appian 7.11, SAML Authentication is configurable through the Administration Console. This configuration requires a Service Provider Signing Certificate to be provided. This article describes some options for generating a self-signed certificate in the required PEM format. Note that this certificate is only used for signing SAML requests and responses. This article also answers some common questions regarding SAML certificates.

Refer to SAML Configuration for more information.

Certificate Generation

A certificate in the PEM format can be generated using an OpenSSL-compatible tool, or a certificate in a different format can be converted into the PEM format.

To generate a certificate using OpenSSL:

  1. Install either an OpenSSL 1.0.1 or 1.0.2 package, freely available online. OpenSSL is commonly distributed with the Apache web server. Please note that Appian does not currently support certificates with an encrypted private key created with OpenSSL 1.1.0.
  2. Take note of the location of the OpenSSL configuration file, e.g. C:\apache\conf\openssl.cnf. This will be referred to as CONFIG_FILE_LOCATION.
  3. Open a terminal or command prompt and navigate to the OpenSSL directory.
  4. Execute the following command: openssl req -x509 -newkey rsa:2048 -keyout my-certificate.pem -out my-certificate.pem -days 3650 -config CONFIG_FILE_LOCATION
  5. Follow the prompts to create the certificate file. All fields can be left blank with the exception of the PEM pass phrase. This will create the file my-certificate.pem in the current directory.
  6. Upload my-certificate.pem as the Service Provider Signing Certificate in the SAML Authentication configuration page. If necessary, enter the PEM pass phrase you selected in the certificate creation wizard as the Service Provider Signing Certificate Password.

To generate a certificate using Windows Internet Information Services (IIS):

  1. In the IIS Manager, navigate to the Features view and double-click Server Certificates.
  2. In the Actions pane, click Create Self-Signed Certificate.
  3. On the Create Self-Signed Certificate page, specify a name for the certificate, and then click OK.
  4. The certificate will now be listed on the Server Certificates page. Select the new certificate and click Export in the Actions pane.
  5. Select a directory to export the certificate to and enter a password for the certificate.
  6. This will create a certificate file in the PFX format. To convert this to the PEM format, either use an online tool such as SSL Converter (bear in mind that the converter receives the private key), or use OpenSSL with the following steps:
    1. Open a terminal or command prompt and navigate to the OpenSSL directory. Place the new PFX certificate my-certificate.pfx in the same directory.
    2. Execute the following command: openssl pkcs12 -in my-certificate.pfx -out my-certificate.pem -nodes
       When prompted, enter the password for the certificate. This will create the file my-certificate.pem in the current directory.
  7. Upload my-certificate.pem as the Service Provider Signing Certificate in the SAML Authentication configuration page. If the private key in my-certificate.pem is encrypted, enter its pass phrase as the Service Provider Signing Certificate Password (the -nodes option above writes the key unencrypted, so this is normally not needed).
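The following script is an added example, not part of the original article or Appian's tooling. It runs the OpenSSL step 4 command above unattended (-subj and -passout replace the prompts) and then checks the resulting PEM before it is uploaded: both blocks present, the private key actually matching the certificate, and the PKCS#8 encrypted-key header that OpenSSL 1.1.0 writes flagged, since the article states Appian does not accept such keys. The file names, the CN appian-saml-sp and the pass phrase are placeholders; openssl must be on PATH.

```shell
#!/bin/sh
# Example helper (not Appian's own code): build and sanity-check a SAML
# Service Provider Signing Certificate in the key-plus-certificate PEM
# layout the article describes.

# make_saml_signing_cert OUTFILE [PASSPHRASE]
# Same -keyout/-out-to-one-file layout as step 4, made non-interactive.
# Without PASSPHRASE the key is written unencrypted (-nodes).
make_saml_signing_cert() {
  out=$1; pass=$2
  if [ -n "$pass" ]; then
    openssl req -x509 -newkey rsa:2048 -days 3650 -subj "/CN=appian-saml-sp" \
      -passout "pass:$pass" -keyout "$out" -out "$out" 2>/dev/null
  else
    openssl req -x509 -newkey rsa:2048 -days 3650 -subj "/CN=appian-saml-sp" \
      -nodes -keyout "$out" -out "$out" 2>/dev/null
  fi
}

# check_saml_pem FILE [PASSPHRASE]
# Returns 0 only when FILE holds a certificate plus its matching private
# key in a form the article says Appian accepts; prints subject and expiry.
check_saml_pem() {
  pem=$1; pass=$2
  grep -q 'BEGIN CERTIFICATE' "$pem" || { echo "no certificate block in $pem"; return 1; }
  grep -q 'PRIVATE KEY' "$pem"      || { echo "no private key block in $pem"; return 1; }
  # OpenSSL 1.1.0 and later write encrypted keys as PKCS#8 ("ENCRYPTED
  # PRIVATE KEY"); the article notes Appian does not support that output.
  if grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$pem"; then
    echo "encrypted key is PKCS#8 (OpenSSL 1.1.0+); use OpenSSL 1.0.x or no pass phrase"
    return 1
  fi
  # The key and certificate must belong together: compare their public keys.
  certpub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null)
  keypub=$(openssl pkey -in "$pem" -passin "pass:$pass" -pubout 2>/dev/null)
  if [ -z "$certpub" ] || [ "$certpub" != "$keypub" ]; then
    echo "private key in $pem does not match its certificate"
    return 1
  fi
  openssl x509 -in "$pem" -noout -subject -enddate
}

# Usage (placeholder pass phrase):
#   make_saml_signing_cert my-certificate.pem 'choose-a-pass-phrase' \
#     && check_saml_pem my-certificate.pem 'choose-a-pass-phrase'
```

The same check_saml_pem call can be run on the PEM produced by the PFX conversion in the IIS steps before uploading it.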

Common Questions Regarding SAML Certificates

What should we set the "common name" to be when generating a certificate?

The common name can be any desired value. There is no restriction on common name from the Appian side.

What is the private key used for when generating the certificate?

The private key will only be used for signing SAML assertions. It will NOT be used for SSL encryption for HTTPS communications.

Can the certificate be signed by any trusted Certificate Authority (CA), like our internal Microsoft CA, or does it need to be a mutually-trusted certificate, such as a certificate signed by Symantec or another CA?

There is no requirement for a CA-signed certificate from the Appian side. For a production environment, Appian Technical Support recommends using a CA-signed certificate.

Affected Versions

This article applies to Appian 7.11 and later.

Last Reviewed: February 2017
