Skip to content

Create Self-Signed Certificate

Management Console by default contains a self-signed certificate that can be used for SAML encryption. However, some organizations prefer to use their own self-signed certificates. In order to complete these steps, you may need to install a version of OpenSSL if you don't have one installed already.

If you want to update Management Console with a new self-signed certificate, perform the following steps:

Step 1: Generate RSA Private Key

To generate a RSA private key, at the command prompt, run the following command:

openssl command: openssl genrsa -out <key_output_path> <modulus_bit_length>


openssl genrsa -out samlkey.key 2048

D:\development\KEYSTOREGUIDE>openssl genrsa -out samlkey.key 2048
Generating RSA private key, 2048 bit long modulus
unable to write 'random state'
e is 65537 (0x10001)


Step 2: Generate Certificate request

Once a private key has been generated, you can create a certificate request which is needed to generate a self-signed certificate. The openssl command openssl req -new -key <key_path> -out <request_output_path> will be used to generate the certificate request.


openssl req -new -key samlkey.key -out samlcertrequest.csr

You will be prompted to enter the attributes such as country name, province, email address, etc.

D:\development\KEYSTOREGUIDE>openssl req -new -key samlkey.key -out samlcertrequest.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:AP
Locality Name (eg, city) []:HYD
Organization Name (eg, company) [Internet Widgits Pty Ltd]:PRIME
Organizational Unit Name (eg, section) []:SECA
Common Name (e.g. server FQDN or YOUR name) []:PRIME
Email Address []

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []:PRIME


Step 3: Generate Certificate

Once you have a private key and certificate request, you are ready to create a self-signed certificate.

openssl x509 -req -days <expiry_in_days> -in <cert_request_path> -signkey <private_key_path> -out <cert_output_path>


openssl x509 -req -days 3650 -in samlcertrequest.csr -signkey samlkey.key -out samlcert.crt

Note: The above generated certificate(samlcert.crt) should be uploaded in IDP.

D:\development\KEYSTOREGUIDE>openssl x509 -req -days 3650 -in samlcertrequest.csr -signkey samlkey.key -out samlcert.crt
Signature ok
Getting Private key
unable to write 'random state'