Create Signing Certificate and Keys

  1. Prerequisite: Java JDK 8 or later must be installed.

  2. Open a terminal or command prompt on the local machine and navigate to the directory in which you want to create the private/public keys.

  3. Run the following commands one by one. The password Sailpoint@123 used below is a sample value; substitute your own keystore password, key password and pass phrase where they are requested.

    1. To generate a self-signed key pair:

      keytool -genkey -keyalg RSA -alias assert3 -keystore sampleKeystore.jks -storepass Sailpoint@123 -validity 365 -keysize 2048

      Enter the requested information at the prompts:

      What is your first and last name?
        [Unknown]:  Test User
      What is the name of your organizational unit?
        [Unknown]:  Sailpoint
      What is the name of your organization?
        [Unknown]:  Sailpoint
      What is the name of your City or Locality?
        [Unknown]:  Pune
      What is the name of your State or Province?
        [Unknown]:  Maharashtra
      What is the two-letter country code for this unit?
        [Unknown]:  IN
      Is CN=Test User, OU=Sailpoint, O=Sailpoint, L=Pune, ST=Maharashtra, C=IN correct?
        [no]:  yes

      Enter key password for <assert3>
        (RETURN if same as keystore password):  Sailpoint@123
      Re-enter new password: Sailpoint@123

      Warning:
      The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore sampleKeystore.jks -destkeystore sampleKeystore.jks -deststoretype pkcs12".

      This command creates a keystore file in the current directory, for example sampleKeystore.jks, holding the generated key pair and its self-signed certificate under the alias assert3.

    2. To export the public key (certificate) for signing the JWT assertion:

      keytool -exportcert -alias assert3 -file assert3.cer -keystore sampleKeystore.jks -storepass Sailpoint@123

      This command writes the certificate containing the public key to a file, for example assert3.cer. keytool writes it DER-encoded by default; add -rfc if the receiving system expects PEM.

    3. To convert the keystore to PKCS12 (.p12) format:

      keytool -importkeystore -srckeystore sampleKeystore.jks -srcstorepass Sailpoint@123 -srckeypass Sailpoint@123 -srcalias assert3 -destalias assert3 -destkeystore assert3.p12 -deststoretype PKCS12 -deststorepass Sailpoint@123 -destkeypass Sailpoint@123

      This creates a PKCS12-encoded keystore, for example assert3.p12, holding the key pair and certificate under the alias assert3.

    4. To export the private key from the PKCS12 keystore:

      openssl pkcs12 -in assert3.p12 -nodes -nocerts -out private3_key.pem

      This command writes the private key from the PKCS12 keystore to a PEM file, for example private3_key.pem. -nocerts omits the certificate, and -nodes writes the key unencrypted, so restrict access to this file.

      Enter Import Password: Sailpoint@123
      MAC verified OK

    5. To extract the private key and the public key (certificate) into a single text file:

      openssl pkcs12 -in assert3.p12 -out keys_out.txt -nodes

      This command extracts the private key and the certificate into one text file, for example keys_out.txt.

      Enter Import Password: Sailpoint@123
      MAC verified OK
      Enter PEM pass phrase: Sailpoint@123
      Verifying - Enter PEM pass phrase: Sailpoint@123
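As an added example that is not part of this page, the following Go program (standard library only) loads the RSA private key from the PEM file that step 4 or step 5 writes and uses it to sign an RS256 JWT assertion. The file names private3_key.pem and keys_out.txt are taken from the steps above; the claim names and values passed to SignAssertion are assumed and are whatever the receiving system requires.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
)

// LoadSigningKey returns the RSA key from the PKCS#8 "PRIVATE KEY" block that "openssl pkcs12 -nodes"
// writes (private3_key.pem or keys_out.txt); Bag Attributes text and any CERTIFICATE block are skipped.
func LoadSigningKey(keyPEM []byte) (*rsa.PrivateKey, error) {
	block, rest := pem.Decode(keyPEM)
	for block != nil && block.Type != "PRIVATE KEY" {
		block, rest = pem.Decode(rest)
	}
	if block == nil {
		return nil, errors.New("no PRIVATE KEY block in input")
	}
	parsed, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	key, ok := parsed.(*rsa.PrivateKey) // ok is false when parsing failed or the key is not RSA
	if err != nil || !ok {
		return nil, errors.New("PRIVATE KEY block is not an unencrypted RSA PKCS#8 key")
	}
	return key, nil
}

// SignAssertion serialises claims as a compact JWS (RFC 7515) and signs header.payload with RS256,
// i.e. RSASSA-PKCS1-v1_5 over SHA-256; claim names and values are supplied by the caller (assumed).
func SignAssertion(key *rsa.PrivateKey, claims map[string]any) (string, error) {
	enc := base64.RawURLEncoding // unpadded base64url, as JWS requires
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := enc.EncodeToString(header) + "." + enc.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}
```

Read private3_key.pem with os.ReadFile, pass the bytes to LoadSigningKey, then pass the key and your claims to SignAssertion; the receiving side verifies the token with the public key from assert3.cer.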