KB-1108 How to create a self-signed certificate for SAML authentication

pauline.delacruz — Mon, 04 Dec 2023 19:56:26 GMT

Current Revision posted to Appian Knowledge Base by pauline.delacruz on 12/4/2023 7:56:26 PM

Purpose

Starting in Appian 7.11, SAML Authentication is configurable through the Administration Console. This configuration requires a Service Provider Signing Certificate to be provided. This article describes some options for generating a self-signed certificate in the required PEM format. Note that this certificate is only used for signing SAML requests and responses. For more information, review the SAML Configuration documentation as well as KB-1153 SAML Authentication FAQ.

Instructions

A certificate in the PEM format can be generated using an OpenSSL-compatible tool, or a certificate in a different format can be converted into the PEM format.

To generate a certificate using Apache OpenSSL:

Install Apache OpenSSL which is commonly distributed with the Apache web server, available here.
Take note of the location of the OpenSSL configuration file, e.g. C:\apache\conf\openssl.cnf. This will be referred to as CONFIG_FILE_LOCATION.
Open a terminal or command prompt and navigate to the OpenSSL bin directory.
Execute the following command: openssl req -x509 -newkey rsa:2048 -keyout my-certificate.pem -out my-certificate.pem -days 3650 -config CONFIG_FILE_LOCATION
Follow the prompts to create the certificate file. This will create the file my-certificate.pem in the current directory.
Open the newly generated my-certificate.pem in a text editor, such as Notepad++.
- If the certificate begins with -----BEGIN RSA PRIVATE KEY-----, proceed to step 9.
Open a terminal or command prompt, and within the OpenSSL bin directory execute the following to unencrypt your key: openssl rsa -in my-certificate.pem
Copy the output, beginning with -----BEGIN RSA PRIVATE KEY----- and ending with -----END RSA PRIVATE KEY----- and replace the section in your certificate beginning with -----BEGIN ENCRYPTED PRIVATE KEY----- and ending with -----END ENCRYPTED PRIVATE KEY----- and save the certificate.
- Note: You must include the header and footer!
Upload my-certificate.pem as the Service Provider Signing Certificate in the SAML Authentication configuration page. If necessary, enter the PEM pass phrase you selected in the certificate creation wizard as the Service Provider Signing Certificate Password.

To generate a certificate using Windows Internet Information Services (IIS):

In the IIS Manager, navigate to the Features view and double-click Server Certificates.
In the Actions pane, click Create Self-Signed Certificate
On the Create Self-Signed Certificate page, specify a name for the certificate, and then click OK.
The certificate will now be listed on the Server Certificates page. Select the new certificate and click Export in the Actions pane.
Select a directory to export the certificate to and enter a password for the certificate.
This will create a certificate file in the PFX format. To convert this to the PEM format, either use an online tool such as this SSL Converter, or use OpenSSL with the following steps:
1. Open a terminal or command prompt and navigate to the OpenSSL directory. Place the new PFX certificate my-certificate.pfx in the same directory.
2. Execute the following command: openssl pkcs12 -in my-certificate.pfx -out my-certificate.pem -nodes. When prompted, enter the password for the certificate. This will create the file my-certificate.pem in the current directory.
Upload my-certificate.pem as the Service Provider Signing Certificate in the SAML Authentication configuration page. If necessary, enter the PEM pass phrase you selected in the certificate creation wizard as the Service Provider Signing Certificate Password.

Affected Versions

This article applies to Appian 7.11 and later.

Last Reviewed: December 2023

Tags: administration, SAML, admin console, how-to, authentication

KB-1108 How to create a self-signed certificate for SAML authentication

Elly Meng — Tue, 13 Jun 2023 14:48:16 GMT

Revision 6 posted to Appian Knowledge Base by Elly Meng on 6/13/2023 2:48:16 PM

Purpose

Instructions

A certificate in the PEM format can be generated using an OpenSSL-compatible tool, or a certificate in a different format can be converted into the PEM format.

To generate a certificate using Apache OpenSSL:

Install Apache OpenSSL which is commonly distributed with the Apache web server, available here.
Take note of the location of the OpenSSL configuration file, e.g. C:\apache\conf\openssl.cnf. This will be referred to as CONFIG_FILE_LOCATION.
Open a terminal or command prompt and navigate to the OpenSSL bin directory.
Execute the following command: openssl req -x509 -newkey rsa:2048 -keyout my-certificate.pem -out my-certificate.pem -days 3650 -config CONFIG_FILE_LOCATION
Follow the prompts to create the certificate file. This will create the file my-certificate.pem in the current directory.
Open the newly generated my-certificate.pem in a text editor, such as Notepad++.
- If the certificate begins with -----BEGIN RSA PRIVATE KEY-----, proceed to step 9.
Open a terminal or command prompt, and within the OpenSSL bin directory execute the following to unencrypt your key: openssl rsa -in my-certificate.pem
Copy the output, beginning with -----BEGIN RSA PRIVATE KEY----- and ending with -----END RSA PRIVATE KEY----- and replace the section in your certificate beginning with -----BEGIN ENCRYPTED PRIVATE KEY----- and ending with -----END ENCRYPTED PRIVATE KEY----- and save the certificate.
- Note: You must include the header and footer!
Upload my-certificate.pem as the Service Provider Signing Certificate in the SAML Authentication configuration page. If necessary, enter the PEM pass phrase you selected in the certificate creation wizard as the Service Provider Signing Certificate Password.

To generate a certificate using Windows Internet Information Services (IIS):

In the IIS Manager, navigate to the Features view and double-click Server Certificates.
In the Actions pane, click Create Self-Signed Certificate
On the Create Self-Signed Certificate page, specify a name for the certificate, and then click OK.
The certificate will now be listed on the Server Certificates page. Select the new certificate and click Export in the Actions pane.
Select a directory to export the certificate to and enter a password for the certificate.
This will create a certificate file in the PFX format. To convert this to the PEM format, either use an online tool such as this SSL Converter, or use OpenSSL with the following steps:
1. Open a terminal or command prompt and navigate to the OpenSSL directory. Place the new PFX certificate my-certificate.pfx in the same directory.
2. Execute the following command: openssl pkcs12 -in my-certificate.pfx -out my-certificate.pem -nodes. When prompted, enter the password for the certificate. This will create the file my-certificate.pem in the current directory.
Upload my-certificate.pem as the Service Provider Signing Certificate in the SAML Authentication configuration page. If necessary, enter the PEM pass phrase you selected in the certificate creation wizard as the Service Provider Signing Certificate Password.

Affected Versions

This article applies to Appian 7.11 and later.

Last Reviewed: April 2021

Tags: administration, SAML, admin console, how-to, authentication

KB-1108 How to create a self-signed certificate for SAML authentication

Parmida Borhani — Mon, 12 Apr 2021 05:09:23 GMT

Revision 5 posted to Appian Knowledge Base by Parmida Borhani on 4/12/2021 5:09:23 AM

Purpose

Instructions

A certificate in the PEM format can be generated using an OpenSSL-compatible tool, or a certificate in a different format can be converted into the PEM format.

To generate a certificate using Apache OpenSSL:

Install Apache OpenSSL which is commonly distributed with the Apache web server, available here.
Take note of the location of the OpenSSL configuration file, e.g. C:\apache\conf\openssl.cnf. This will be referred to as CONFIG_FILE_LOCATION.
Open a terminal or command prompt and navigate to the OpenSSL bin directory.
Execute the following command: openssl req -x509 -newkey rsa:2048 -keyout my-certificate.pem -out my-certificate.pem -days 3650 -config CONFIG_FILE_LOCATION
Follow the prompts to create the certificate file. This will create the file my-certificate.pem in the current directory.
Open the newly generated my-certificate.pem in a text editor, such as Notepad++.
- If the certificate begins with -----BEGIN RSA PRIVATE KEY-----, proceed to step 9.
Open a terminal or command prompt, and within the OpenSSL bin directory execute the following to unencrypt your key: openssl rsa -in my-certificate.pem
Copy the output, beginning with -----BEGIN RSA PRIVATE KEY----- and ending with -----END RSA PRIVATE KEY----- and replace the section in your certificate beginning with -----BEGIN ENCRYPTED PRIVATE KEY----- and ending with -----END ENCRYPTED PRIVATE KEY----- and save the certificate.
- Note: You must include the header and footer!
Upload my-certificate.pem as the Service Provider Signing Certificate in the SAML Authentication configuration page. If necessary, enter the PEM pass phrase you selected in the certificate creation wizard as the Service Provider Signing Certificate Password.

To generate a certificate using Windows Internet Information Services (IIS):

In the IIS Manager, navigate to the Features view and double-click Server Certificates.
In the Actions pane, click Create Self-Signed Certificate
On the Create Self-Signed Certificate page, specify a name for the certificate, and then click OK.
The certificate will now be listed on the Server Certificates page. Select the new certificate and click Export in the Actions pane.
Select a directory to export the certificate to and enter a password for the certificate.
This will create a certificate file in the PFX format. To convert this to the PEM format, either use an online tool such as this SSL Converter, or use OpenSSL with the following steps:
1. Open a terminal or command prompt and navigate to the OpenSSL directory. Place the new PFX certificate my-certificate.pfx in the same directory.
2. Execute the following command: openssl pkcs12 -in my-certificate.pfx -out my-certificate.pem -nodes. When prompted, enter the password for the certificate. This will create the file my-certificate.pem in the current directory.
Upload my-certificate.pem as the Service Provider Signing Certificate in the SAML Authentication configuration page. If necessary, enter the PEM pass phrase you selected in the certificate creation wizard as the Service Provider Signing Certificate Password.

Affected Versions

This article applies to Appian 7.11 and later.

Last Reviewed: April 2021

Tags: administration, SAML, admin console, how-to, authentication

KB-1108 How to create a self-signed certificate for SAML authentication

Parmida Borhani — Mon, 12 Apr 2021 05:08:49 GMT

Revision 4 posted to Appian Knowledge Base by Parmida Borhani on 4/12/2021 5:08:49 AM

Purpose

Certificate Generation

A certificate in the PEM format can be generated using an OpenSSL-compatible tool, or a certificate in a different format can be converted into the PEM format.

To generate a certificate using Apache OpenSSL:

Install Apache OpenSSL which is commonly distributed with the Apache web server, available here.
Take note of the location of the OpenSSL configuration file, e.g. C:\apache\conf\openssl.cnf. This will be referred to as CONFIG_FILE_LOCATION.
Open a terminal or command prompt and navigate to the OpenSSL bin directory.
Execute the following command: openssl req -x509 -newkey rsa:2048 -keyout my-certificate.pem -out my-certificate.pem -days 3650 -config CONFIG_FILE_LOCATION
Follow the prompts to create the certificate file. This will create the file my-certificate.pem in the current directory.
Open the newly generated my-certificate.pem in a text editor, such as Notepad++.
- If the certificate begins with -----BEGIN RSA PRIVATE KEY-----, proceed to step 9.
Open a terminal or command prompt, and within the OpenSSL bin directory execute the following to unencrypt your key: openssl rsa -in my-certificate.pem
Copy the output, beginning with -----BEGIN RSA PRIVATE KEY----- and ending with -----END RSA PRIVATE KEY----- and replace the section in your certificate beginning with -----BEGIN ENCRYPTED PRIVATE KEY----- and ending with -----END ENCRYPTED PRIVATE KEY----- and save the certificate.
- Note: You must include the header and footer!
Upload my-certificate.pem as the Service Provider Signing Certificate in the SAML Authentication configuration page. If necessary, enter the PEM pass phrase you selected in the certificate creation wizard as the Service Provider Signing Certificate Password.

To generate a certificate using Windows Internet Information Services (IIS):

In the IIS Manager, navigate to the Features view and double-click Server Certificates.
In the Actions pane, click Create Self-Signed Certificate
On the Create Self-Signed Certificate page, specify a name for the certificate, and then click OK.
The certificate will now be listed on the Server Certificates page. Select the new certificate and click Export in the Actions pane.
Select a directory to export the certificate to and enter a password for the certificate.
This will create a certificate file in the PFX format. To convert this to the PEM format, either use an online tool such as this SSL Converter, or use OpenSSL with the following steps:
1. Open a terminal or command prompt and navigate to the OpenSSL directory. Place the new PFX certificate my-certificate.pfx in the same directory.
2. Execute the following command: openssl pkcs12 -in my-certificate.pfx -out my-certificate.pem -nodes. When prompted, enter the password for the certificate. This will create the file my-certificate.pem in the current directory.
Upload my-certificate.pem as the Service Provider Signing Certificate in the SAML Authentication configuration page. If necessary, enter the PEM pass phrase you selected in the certificate creation wizard as the Service Provider Signing Certificate Password.

Affected Versions

This article applies to Appian 7.11 and later.

Last Reviewed: April 2021

Tags: administration, SAML, admin console, authentication

KB-1108 How to create a self-signed certificate for SAML authentication

Parmida Borhani — Wed, 03 Mar 2021 01:54:03 GMT

Revision 3 posted to Appian Knowledge Base by Parmida Borhani on 3/3/2021 1:54:03 AM

Starting in Appian 7.11, SAML Authentication is configurable through the Administration Console. This configuration requires a Service Provider Signing Certificate to be provided. This article describes some options for generating a self-signed certificate in the required PEM format. Note that this certificate is only used for signing SAML requests and responses. This article also answers some common questions regarding SAML certificates.

Refer to SAML Configuration for more information.

Certificate Generation

A certificate in the PEM format can be generated using an OpenSSL-compatible tool, or a certificate in a different format can be converted into the PEM format.

To generate a certificate using Apache OpenSSL:

Install Apache OpenSSL which is commonly distributed with the Apache web server, available here.
Take note of the location of the OpenSSL configuration file, e.g. C:\apache\conf\openssl.cnf. This will be referred to as CONFIG_FILE_LOCATION.
Open a terminal or command prompt and navigate to the OpenSSL bin directory.
Execute the following command: openssl req -x509 -newkey rsa:2048 -keyout my-certificate.pem -out my-certificate.pem -days 3650 -config CONFIG_FILE_LOCATION
Follow the prompts to create the certificate file. This will create the file my-certificate.pem in the current directory.
Open the newly generated my-certificate.pem in a text editor, such as Notepad++.
- If the certificate begins with -----BEGIN RSA PRIVATE KEY-----, proceed to step 9.
Open a terminal or command prompt, and within the OpenSSL bin directory execute the following to unencrypt your key: openssl rsa -in my-certificate.pem
Copy the output, beginning with -----BEGIN RSA PRIVATE KEY----- and ending with -----END RSA PRIVATE KEY----- and replace the section in your certificate beginning with -----BEGIN ENCRYPTED PRIVATE KEY----- and ending with -----END ENCRYPTED PRIVATE KEY----- and save the certificate.
- Note: You must include the header and footer!
Upload my-certificate.pem as the Service Provider Signing Certificate in the SAML Authentication configuration page. If necessary, enter the PEM pass phrase you selected in the certificate creation wizard as the Service Provider Signing Certificate Password.

To generate a certificate using Windows Internet Information Services (IIS):

In the IIS Manager, navigate to the Features view and double-click Server Certificates.
In the Actions pane, click Create Self-Signed Certificate
On the Create Self-Signed Certificate page, specify a name for the certificate, and then click OK.
The certificate will now be listed on the Server Certificates page. Select the new certificate and click Export in the Actions pane.
Select a directory to export the certificate to and enter a password for the certificate.
This will create a certificate file in the PFX format. To convert this to the PEM format, either use an online tool such as this SSL Converter, or use OpenSSL with the following steps:
1. Open a terminal or command prompt and navigate to the OpenSSL directory. Place the new PFX certificate my-certificate.pfx in the same directory.
2. Execute the following command: openssl pkcs12 -in my-certificate.pfx -out my-certificate.pem -nodes. When prompted, enter the password for the certificate. This will create the file my-certificate.pem in the current directory.
Upload my-certificate.pem as the Service Provider Signing Certificate in the SAML Authentication configuration page. If necessary, enter the PEM pass phrase you selected in the certificate creation wizard as the Service Provider Signing Certificate Password.

Common Questions Regarding SAML Certificates

What should we set the "common name" to be when generating a certificate?

The common name can be any desired value. There is no restriction on common name from the Appian side.

What is the private key used for when generating the certificate?

The private key will only be used for signing SAML assertions. It will NOT be used for SSL encryption for HTTPS communications.

Can the certificate be signed by any trusted Certificate Authority (CA), like our internal Microsoft CA, or does it need to be a mutually-trusted certificate, such as a certificate signed by Symantec or another CA?

There is no requirement for a CA-signed certificate from the Appian side. For a production environment, Appian Technical Support recommends using a CA signed certificate.

Affected Versions

This article applies to Appian 7.11 and later.

Last Reviewed: March 2021

Tags: administration, SAML, admin console, authentication

KB-1108 How to create a self-signed certificate for SAML authentication

Nick Vigilante — Thu, 03 May 2018 09:45:02 GMT

Revision 2 posted to Appian Knowledge Base by Nick Vigilante on 5/3/2018 9:45:02 AM

Starting in Appian 7.11, SAML Authentication is configurable through the Administration Console. This configuration requires a Service Provider Signing Certificate to be provided. This article describes some options for generating a self-signed certificate in the required PEM format. Note that this certificate is only used for signing SAML requests and responses. This article also answers some common questions regarding SAML certificates.

Refer to SAML Configuration for more information.

Certificate Generation

A certificate in the PEM format can be generated using an OpenSSL-compatible tool, or a certificate in a different format can be converted into the PEM format.

To generate a certificate using OpenSSL:

Install either an OpenSSL 1.0.1 or 1.0.2 package, freely available here. OpenSSL is commonly distributed with the Apache web server. Please note that Appian does not currently support certificates with an encrypted private key created with OpenSSL 1.1.0.
Take note of the location of the OpenSSL configuration file, e.g. C:\apache\conf\openssl.cnf. This will be referred to as CONFIG_FILE_LOCATION.
Open a terminal or command prompt and navigate to the OpenSSL directory.
Execute the following command: openssl req -x509 -newkey rsa:2048 -keyout my-certificate.pem -out my-certificate.pem -days 3650 -config CONFIG_FILE_LOCATION
Follow the prompts to create the certificate file. All fields can be left blank with the exception of the PEM pass phrase. This will create the file my-certificate.pem in the current directory.
Upload my-certificate.pem as the Service Provider Signing Certificate in the SAML Authentication configuration page. If necessary, enter the PEM pass phrase you selected in the certificate creation wizard as the Service Provider Signing Certificate Password.

To generate a certificate using Windows Internet Information Services (IIS):

In the IIS Manager, navigate to the Features view and double-click Server Certificates.
In the Actions pane, click Create Self-Signed Certificate
On the Create Self-Signed Certificate page, specify a name for the certificate, and then click OK.
The certificate will now be listed on the Server Certificates page. Select the new certificate and click Export in the Actions pane.
Select a directory to export the certificate to and enter a password for the certificate.
This will create a certificate file in the PFX format. To convert this to the PEM format, either use an online tool such as this SSL Converter, or use OpenSSL with the following steps:
1. Open a terminal or command prompt and navigate to the OpenSSL directory. Place the new PFX certificate my-certificate.pfx in the same directory.
2. Execute the following command: openssl pkcs12 -in my-certificate.pfx -out my-certificate.pem -nodes. When prompted, enter the password for the certificate. This will create the file my-certificate.pem in the current directory.
Upload my-certificate.pem as the Service Provider Signing Certificate in the SAML Authentication configuration page. If necessary, enter the PEM pass phrase you selected in the certificate creation wizard as the Service Provider Signing Certificate Password.

Common Questions Regarding SAML Certificates

What should we set the "common name" to be when generating a certificate?

The common name can be any desired value. There is no restriction on common name from the Appian side.

What is the private key used for when generating the certificate?

The private key will only be used for signing SAML assertions. It will NOT be used for SSL encryption for HTTPS communications.

There is no requirement for a CA-signed certificate from the Appian side. For a production environment, Appian Technical Support recommends using a CA signed certificate.

Affected Versions

This article applies to Appian 7.11 and later.

Last Reviewed: February 2017

Tags: administration, SAML, admin console, authentication

KB-1108 How to create a self-signed certificate for SAML authentication

Nick Vigilante — Wed, 22 Feb 2017 22:51:10 GMT

Revision 1 posted to Appian Knowledge Base by Nick Vigilante on 2/22/2017 10:51:10 PM

Starting in Appian 7.11, SAML Authentication is configurable through the Administration Console. This configuration requires a Service Provider Signing Certificate to be provided. This article describes some options for generating a self-signed certificate in the required PEM format. Note that this certificate is only used for signing SAML requests and responses. This article also answers some common questions regarding SAML certificates.

Refer to SAML Configuration for more information.

Certificate Generation

A certificate in the PEM format can be generated using an OpenSSL-compatible tool, or a certificate in a different format can be converted into the PEM format.

To generate a certificate using OpenSSL:

Install the OpenSSL package, freely available here. OpenSSL is commonly distributed with the Apache web server.
Take note of the location of the OpenSSL configuration file, e.g. C:\apache\conf\openssl.cnf. This will be referred to as CONFIG_FILE_LOCATION.
Open a terminal or command prompt and navigate to the OpenSSL directory.
Execute the following command: openssl req -x509 -newkey rsa:2048 -keyout my-certificate.pem -out my-certificate.pem -days 3650 -config CONFIG_FILE_LOCATION
Follow the prompts to create the certificate file. All fields can be left blank with the exception of the PEM pass phrase. This will create the file my-certificate.pem in the current directory.
Upload my-certificate.pem as the Service Provider Signing Certificate in the SAML Authentication configuration page. If necessary, enter the PEM pass phrase you selected in the certificate creation wizard as the Service Provider Signing Certificate Password.

To generate a certificate using Windows Internet Information Services (IIS):

In the IIS Manager, navigate to the Features view and double-click Server Certificates.
In the Actions pane, click Create Self-Signed Certificate
On the Create Self-Signed Certificate page, specify a name for the certificate, and then click OK.
The certificate will now be listed on the Server Certificates page. Select the new certificate and click Export in the Actions pane.
Select a directory to export the certificate to and enter a password for the certificate.
This will create a certificate file in the PFX format. To convert this to the PEM format, either use an online tool such as this SSL Converter, or use OpenSSL with the following steps:
1. Open a terminal or command prompt and navigate to the OpenSSL directory. Place the new PFX certificate my-certificate.pfx in the same directory.
2. Execute the following command: openssl pkcs12 -in my-certificate.pfx -out my-certificate.pem -nodes. When prompted, enter the password for the certificate. This will create the file my-certificate.pem in the current directory.
Upload my-certificate.pem as the Service Provider Signing Certificate in the SAML Authentication configuration page. If necessary, enter the PEM pass phrase you selected in the certificate creation wizard as the Service Provider Signing Certificate Password.

Common Questions Regarding SAML Certificates

What should we set the "common name" to be when generating a certificate?

The common name can be any desired value. There is no restriction on common name from the Appian side.

What is the private key used for when generating the certificate?

The private key will only be used for signing SAML assertions. It will NOT be used for SSL encryption for HTTPS communications.

There is no requirement for a CA-signed certificate from the Appian side. For a production environment, Appian Technical Support recommends using a CA signed certificate.

Affected Versions

This article applies to Appian 7.11 and later.

Last Reviewed: February 2017

Tags: administration, SAML, admin console, authentication