PingOne Advanced Identity Cloud

Server certificate utility tasks

Create a self-signing CA certificate and a self-signed certificate

  1. Create a CSR and save it in a local file called csr.pem:

  2. Create a self-signing CA certificate and private key:

    1. Save the following OpenSSL configuration in a local file called openssl-req-ca.conf:

      [ req ] (1)
      x509_extensions = x509_req_ext
      
      [ x509_req_ext ]  (2)
      subjectKeyIdentifier   = hash
      authorityKeyIdentifier = keyid:always,issuer
      basicConstraints       = critical, CA:TRUE
      keyUsage               = critical, digitalSignature, cRLSign, keyCertSign
      1 Configures the openssl req command.
      2 Configures the openssl req command when using the x509 flag to create a CA certificate.
    2. Generate a self-signing CA certificate and private key:

      $ openssl req \
      -x509 -nodes -newkey rsa:2048 -sha256 -days 30 \
      -out ca-cert.pem -keyout ca-key.pem \
      -subj "/CN=Self-signing CA" \
      -config openssl-req-ca.conf
    3. Review the self-signing CA certificate and private key, which are in the local files ca-cert.pem and ca-key.pem respectively:

  3. Create a self-signed certificate:

    1. Save the following OpenSSL configuration in a local file called openssl-req-sign.conf:

      [ req ] (1)
      x509_extensions = x509_req_ext
      
      [ x509_req_ext ]  (2)
      subjectKeyIdentifier    = hash
      authorityKeyIdentifier  = keyid:always
      keyUsage                = critical, digitalSignature
      extendedKeyUsage        = serverAuth
      1 Configures the openssl req command.
      2 Configures the openssl req command when using the x509 flag to sign a CSR.
    2. Generate a self-signed certificate using the CSR, the self-signing CA certificate and private key, and the configuration in openssl-req-sign.conf:

      $ openssl req \
      -x509 -nodes -sha256 -days 30 -copy_extensions copy \
      -in csr.pem -out cert.pem -CA ca-cert.pem -CAkey ca-key.pem \
      -config openssl-req-sign.conf
    3. Review the self-signed certificate, which is in the local file cert.pem:

Check a CSR

To check the information in a CSR, run this command:

$ openssl req -in <csr-filename> -noout -text (1)
1 Replace <csr-filename> with the name of the local file containing your CSR; for example, csr.pem.
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: CN = www.pingidentity.com, O = Ping Identity Corporation, OU = IT, C = US, street = 1001 17th Street, L = Denver, ST = Colorado, postalCode = 80202, emailAddress = example.user@pingidentity.com, businessCategory = Private Organization, serialNumber = 3463471, jurisdictionC = US, jurisdictionL = Wilmington, jurisdictionST = Delaware (1)
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:df:cf:53:47:8b:6a:51:23:0c:b9:8d:65:31:13:
                    ...8<...
                    69:71:13:b3:6a:86:d2:a4:7f:25:01:c0:8f:71:96:
                    16:75
                Exponent: 65537 (0x10001)
        Attributes:
            Requested Extensions:
                X509v3 Subject Alternative Name: (2)
                    DNS:support.pingidentity.com, DNS:labs.pingidentity.com
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        ab:6d:a7:14:8a:07:6b:69:c8:f7:e9:1f:ca:d3:d4:6d:53:ad:
        ...8<...
        84:33:a5:48:61:dd:88:10:41:cc:d8:62:e9:3a:61:85:7d:06:
        55:04:19:ff
1 Check that the subject contains the fields you entered for the CSR, particularly for EV certificates.
2 If you entered SANs for the CSR, check that the SAN extension is present.

Check a certificate

To check the information in a certificate, run this command:

$ openssl x509 -in <certificate-filename> -text -noout (1)
1 Replace <certificate-filename> with the name of the local file containing your certificate; for example, cert.pem.
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Self-signing CA
        Validity
            Not Before: May  2 12:07:51 2024 GMT
            Not After : Jun  1 12:07:51 2024 GMT (1)
        Subject: CN = www.pingidentity.com, C = US, ST = Colorado, L = Denver, O = Ping Identity Corporation, OU = IT (2)
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d0:52:11:d0:47:34:32:26:85:ae:c8:db:e1:59:
                    ...8<...
                    b8:90:00:12:f8:c4:4c:a2:9c:71:e9:22:c4:89:19:
                    35:3f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                7B:1D:14:C9:3C:4A:67:37:A2:E5:BE:B5:30:19:BE:EF:E6:08:B3:D6
            X509v3 Authority Key Identifier:
                6E:41:13:8E:26:E4:B0:7E:63:ED:07:0C:4E:2D:CD:FA:66:28:20:21
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name: (3)
                DNS:support.pingidentity.com, DNS:labs.pingidentity.com
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        22:60:ab:f8:13:cd:af:36:62:06:c5:fe:d4:eb:4f:7e:17:d1:
        ...8<...
        67:c5:8d:dd:ad:68:c6:7a:1d:5c:a5:df:cd:0b:d9:de:83:0f:
        20:42:83:61
1 Check the expiry date.
2 Check that the subject contains the fields you entered for the CSR, particularly for EV certificates.
3 If you entered SANs for the CSR, check that the SAN extension is present.