Generate Custom Certificate and Private Key Pairs

A public certificate and private key pair are required to successfully connect applications with JumpCloud. This certificate and key pair are used during SAML handshakes to successfully authenticate users during an SSO login. Learn more in Managing Public Certificates and Private Key Pairs.

If you do not want to use the pair generated during connector activation, you can generate your own certificate and private key pair. The commands below create a certificate that expires in 1095 days. A new pair should be generated prior to expiration to prevent loss of access to the Service Provider application.

Note:

By default, JumpCloud SSO SAML connectors support SHA-256 certificates.

Generating a Public Certificate/Private Key Pair using OpenSSL

Important:

These commands only work in Linux® and Mac® terminals. If you are using Windows, see Generating a TLS/SSL Certificate using a Windows®-based OpenSSL Binary.

openssl genrsa -out private.pem 2048
openssl req -new -x509 -sha256 -key private.pem -out cert.pem -days 1095

An example of the expected output:

openssl genrsa -out private.pem 2048

Generating RSA private key, 2048 bit long modulus
………………+++
.+++

e is 65537 (0x10001)

# openssl req -new -x509 -sha256 -key private.pem -out cert.pem -days 1095

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [US]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Generating a TLS/SSL Certificate using a Windows®-based OpenSSL Binary

To download the OpenSSL application

  1. Download the appropriate OpenSSL zip file.

Note:

See Binaries for more information.

  1. Extract the OpenSSL zip file to a convenient folder.
  2. Download the openssl.cnf template and move it to the same convenient folder as the extracted zip file.

To generate a Public Certificate/Private Key pair

  1. Right-click the OpenSSL application (openssl.exe) in the convenient folder created in the previous section, and select Run as administrator.

Note:

Windows Defender may ask you to confirm that you would like to run this application. If this happens, click More Info and Run Anyway.

  1. When the Windows command window with the OpenSSL> command prompt appears, run the following:

genrsa -out private.pem 2048

req -new -x509 -key private.pem -out cert.pem -days 1095 -config .\openssl.cnf

Tip:

Ensure that the name and location of the certificate file is correct in the command.

  1. A form similar to the following text appears near the end of the process. Fill it out to finish generating your TLS/SSL certificate:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,

If you enter '.', the field will be left blank.

- - - -

Organization Name (company) [My Company]:
Organizational Unit Name (department, division) []:
Email Address []:
Locality Name (city, district) [My Town]:
State or Province Name (full name) [State or Providence]:
Country Name (2 letter code) [US]:
Common Name (hostname, IP, or your name) []:

Determining the Sha256 Fingerprint

Sometimes an application will require the Sha256 fingerprint (thumbprint) in lieu of the certificate for its configuration. A fingerprint is a digest of the certificate in x509 binary format. To extract the fingerprint from your certificate, run the following command:

openssl x509 -sha256 -in cert.pem -noout -fingerprint

Tip:

If using Windows, you must run the OpenSSL app as an administrator and execute this command from the OpenSSL> command prompt:

x509 -sha256 -in cert.pem -noout -fingerprint

Determining the Sha1 Fingerprint

By default, JumpCloud creates sha256 certificates. If you need to extract a sha1 thumbprint for a prebuilt application connector, you can use this online tool to do so. Copy and paste the entire content of the certificate, including the beginning and end tags, ensure the Algorithm is set to SHA-1, and then click Calculate Fingerprint.

Back to Top

List IconIn this Article

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case