NOTE - One Identity Support does not assist with certificate creation. The below information is provided as a general set of steps on how to create a self-signed certificate within Windows using OpenSSL. Professional Services engagement would be required for assistance outside of the information provided below. For assistance engaging with Professional Services please contact the Account Representative responsible for Safeguard Authentication Services.
Please start by downloading and installing the following (if not already installed):
1.) The latest OpenSSL release for Windows, which can be found by clicking on this text.
2.) The latest Java release (if not installed already), which can be found by clicking on this text.
Once OpenSSL is installed, please run the following command to create a self-signed certificate and key:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -subj "/CN=HOST.FULL.DOMAIN.HERE"
NOTE 1 - Please change HOST.FULL.DOMAIN.HERE to the hostname.fqdn of the host running the MCU. The CN (Common Name) must match the hostname.fqdn of the host running the MCU, otherwise the certificate will not function correctly.
NOTE 2 - Please be sure to set a password when prompted. If left without a password, the certificate will fail to upload later.
NOTE 3 - The number of days, which in the command above is 365 (1 year), can be changed. This is the number of days before the certificate expires.
Once the self-signed certificate and key have been created, run the next command to combine them into .pfx format:
openssl pkcs12 -export -out certificate.pfx -inkey key.pem -in cert.pem
NOTE - Please ensure this command is run from the directory containing the key.pem and cert.pem files created by the previous command. If the files were renamed or are in a different directory, please change the file names or paths in the above command accordingly.
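The following PowerShell script is an added example, not part of the original article or of any One Identity tooling. It checks certificate.pfx before upload against the points in the notes above: the file opens with the password entered, the CN matches the expected hostname.fqdn, the private key is included, and the expiry date is not close. The parameter names $PfxPath, $ExpectedCN and $MinDaysLeft are assumptions chosen for this example.

```powershell
# Added example: pre-upload sanity check for certificate.pfx (illustrative, not vendor code).
# $PfxPath, $ExpectedCN and $MinDaysLeft are hypothetical parameter names for this script.
param(
    [string]$PfxPath     = '.\certificate.pfx',
    [string]$ExpectedCN  = 'HOST.FULL.DOMAIN.HERE',   # hostname.fqdn of the host running the MCU
    [int]   $MinDaysLeft = 30
)

$password = Read-Host -AsSecureString -Prompt 'Password set during the pkcs12 export'

# Opening the file proves it is a readable PKCS#12 bundle and that the password is correct.
try {
    $fullPath = (Resolve-Path -Path $PfxPath -ErrorAction Stop).Path
    $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                       -ArgumentList $fullPath, $password
} catch {
    throw "Cannot open $PfxPath (missing file, wrong password, or not a PFX): $($_.Exception.Message)"
}

$problems = @()

# NOTE 1: the CN must match the hostname.fqdn (comparison is case-insensitive).
$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
$cn = $cert.GetNameInfo($nameType, $false)
if ($cn -ne $ExpectedCN) { $problems += "CN is '$cn', expected '$ExpectedCN'" }

# The PFX must carry the private key taken from key.pem (-inkey).
if (-not $cert.HasPrivateKey) { $problems += 'PFX contains no private key' }

# NOTE 3: validity window derived from -days.
$now = Get-Date
$daysLeft = [math]::Floor(($cert.NotAfter - $now).TotalDays)
if ($now -lt $cert.NotBefore) { $problems += "Not valid until $($cert.NotBefore)" }
if ($daysLeft -lt $MinDaysLeft) { $problems += "Expires in $daysLeft day(s) on $($cert.NotAfter)" }

# Key size as generated by -newkey rsa:4096 (the result is $null for non-RSA keys).
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)

[pscustomobject]@{
    Subject    = $cert.Subject
    SelfSigned = ($cert.Subject -eq $cert.Issuer)
    NotAfter   = $cert.NotAfter
    DaysLeft   = $daysLeft
    RsaKeyBits = $rsa.KeySize
    Thumbprint = $cert.Thumbprint
} | Format-List

if ($problems.Count -gt 0) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output "$PfxPath passed all checks."
```

Save the script under any name and run it from the directory containing certificate.pfx, passing -ExpectedCN with the same hostname.fqdn used in the -subj value.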
Once the certificate.pfx is created, please see the following knowledge base article to upload/replace the certificate within the MCU: