Certificate enrollment with PKCS#10 signing requests

English on July 24th, 2019

Author: Ming Yu

This is a step-by-step tutorial on how to log in to the SSOCircle IDP with an X.509 certificate instead of a username and password (note: the process described here is not related to the use of certificates in SAML SSO). The tutorial uses the Chrome browser and Windows.

1. Log in with your username and password and get into your user profile. From the left navigation bar, choose “My Client Certificate”.

2. Click “New Certificate Enrollment” and choose “Certificate Enrollment PKCS#10”. You will be asked to enter a Certificate Signing Request (CSR).

3. Now we need a tool to generate the Certificate Signing Request (CSR). In this tutorial, OpenSSL for Windows is used. After installing it, open a CMD prompt, go to the bin folder where OpenSSL was installed, and enter the following command:

openssl req -new -newkey rsa:2048 -nodes -out tutorial.csr -keyout tutorial.key -subj "/C=DE/O=ssocircle/CN="

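You will get two files, “tutorial.key” and “tutorial.csr”. Open “tutorial.csr” with your favorite editor (e.g. Notepad), copy and paste its content into the form described in the previous step, and click “submit”. Only the CSR goes into the form: “tutorial.key” is the private key, which the -nodes option writes to disk unencrypted, and it stays on your machine.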

As a result the certificate is generated, displayed and provided for download.

4. You now have a file named “user.crt”. Move it into the folder where “tutorial.key” is stored. You now need to merge both files into a PKCS#12 pfx file. OpenSSL prompts for an export password that protects the pfx file. The command is:

openssl pkcs12 -export -out tutorial.pfx -inkey tutorial.key -in user.crt

5. Double-click the “tutorial.pfx” file and import it into the Windows Certificate Manager. After a successful installation, you can see it listed in the certificate manager.

To test the setup, log out and log in again by clicking “Certificate Log In”. If the certificate was installed correctly, a selection window pops up where you choose the certificate, and you are then logged in without entering a username or password.
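
The checks below are an added example, not part of the original tutorial or SSOCircle's own tooling: before pasting the CSR in step 3, confirm the file contains no private key and that its signature verifies, and before building the pfx in step 4, confirm the issued certificate carries the same public key as tutorial.key. It is written for a POSIX shell (the openssl invocations are the same in CMD); the function names, the CN "example-user", the self-signed stand-in for user.crt and the export password are assumptions so that it runs offline.

```shell
#!/bin/sh
# Added example (not SSOCircle tooling): checks around steps 3 and 4.

# Print the PEM public key held in FILE; KIND is key, csr or crt.
pubkey_of() {
  case "$2" in
    key) openssl pkey -in "$1" -pubout ;;
    csr) openssl req  -in "$1" -noout -pubkey ;;
    crt) openssl x509 -in "$1" -noout -pubkey ;;
  esac 2>/dev/null
}

# True only if both files parse and carry the same public key.
same_keypair() {
  a=$(pubkey_of "$1" "$2"); b=$(pubkey_of "$3" "$4")
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# True if FILE is safe to paste into the form: it contains no private key
# block and its PKCS#10 self-signature verifies.
csr_ok() {
  ! grep -q 'PRIVATE KEY' "$1" &&
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Constructed throwaway material; the CN and password are placeholders.
W=$(mktemp -d)
openssl req -new -newkey rsa:2048 -nodes -out "$W/tutorial.csr" \
  -keyout "$W/tutorial.key" -subj "/C=DE/O=ssocircle/CN=example-user" 2>/dev/null
# Stand-in for the user.crt the IDP returns (self-signed here, demo only).
openssl x509 -req -in "$W/tutorial.csr" -signkey "$W/tutorial.key" \
  -days 1 -out "$W/user.crt" 2>/dev/null
openssl genrsa -out "$W/other.key" 2048 2>/dev/null   # an unrelated key

if csr_ok "$W/tutorial.csr" &&
   same_keypair "$W/user.crt" crt "$W/tutorial.key" key; then
  openssl pkcs12 -export -out "$W/tutorial.pfx" -inkey "$W/tutorial.key" \
    -in "$W/user.crt" -passout pass:constructed-demo-password
  echo "checks passed: $W/tutorial.pfx"
else
  echo "mismatch: do not build the PFX" >&2
fi
```

With the real files, call csr_ok on tutorial.csr and same_keypair on the downloaded user.crt and tutorial.key; leaving out -passout makes OpenSSL prompt for the export password instead.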
