PingOne Advanced Identity Cloud

Manage SSL certificates using the API

For background on self-managed SSL certificates, learn more in Self-managed SSL certificates.

Certificate API endpoints

To use the certificate API, learn more in the following Advanced Identity Cloud API endpoints:

Authenticate to certificate API endpoints

To authenticate to certificate API endpoints, use an access token created with one of the following scopes:

Scope Description

fr:idc:certificate:*

Full access to certificate API endpoints. Use this scope to create, activate, deactivate, or delete certificates.

fr:idc:certificate:read

Read-only access to certificate API endpoints. Use this scope if you only need to List certificates.

Prerequisites

You need the openssl and jq command-line tools to run some of the commands. You can find installation instructions for your particular package manager in https://command-not-found.com/openssl and https://command-not-found.com/jq.

Create a certificate using a tenant-generated private key

You can create certificates using a private key the tenant generates for you and which is retained in the tenant. The benefit of this approach is there is no risk of accidentally leaking your private key as it never leaves the tenant. However, with this approach, you can only install a signed certificate on the same tenant from which you requested the CSR.

Step 1: Create a CSR using the certificate API

In this step, you create a certificate signing request (CSR). You’ll need this in the next step to create a self-signed certificate or to send to your preferred SSL certificate provider to create a CA-signed certificate.

  1. Create a JSON payload of CSR information:

    1. Adapt the following example configuration to suit your company:

      {
  "commonName": "www.pingidentity.com", (1)
  "organization": "Ping Identity Corporation",  (1)
  "organizationalUnit": "IT", (1)
  "country": "US", (1)
  "streetAddress": "1001 17th Street", (1)
  "city": "Denver", (1)
  "postalCode": "80202", (1)
  "email": "example.user@pingidentity.com", (1)
  "businessCategory": "Private Organization", (2)
  "serialNumber": "3463471", (2)
  "jurisdictionCountry": "US", (2)
  "jurisdictionLocality": "Wilmington", (2)
  "jurisdictionState": "Delaware", (2)
  "subjectAlternativeNames": ["support.pingidentity.com", "labs.pingidentity.com"] (3)
}
      1 Configures the standard CSR fields. All standard fields are included for demonstration, but this is not strictly necessary. Consult your SSL certificate provider’s documentation for the minimum required fields. Remove any fields that are not used rather than include them with an empty value.
      2 (Optional) Configures the EV CSR fields. All EV fields are included for demonstration, but only businessCategory, serialNumber, and jurisdictionCountryName are required.
      3 (Optional) Configures the subject alternative names (SANs). SANs are domains the certificate will secure in addition to the commonName. Wildcards values in SAN domains are not permitted.

    2. Save your adapted configuration in a local file called csr-payload.json.

  2. In the tenant environment where you intend to install the certificate:

    1. Get an access token created with the fr:idc:certificate:* scope.

    2. Create a CSR using the /environment/csrs endpoint:

      $ curl \
--request POST 'https://<tenant-env-fqdn>/environment/csrs' \ (1)
--header 'Authorization: Bearer <access-token>' \ (2)
--header 'Content-Type: application/json' \
--data "$(< csr-payload.json)" \ (3)
> tee csr-result.json (4)
      1 Replace <tenant-env-fqdn> with the FQDN of your tenant environment.
      2 Replace <access-token> with the access token.
      3 The request body is populated with the output of csr-payload.json.
      4 The response is stored in a local file called csr-result.json.
      Show response 
      {
  "algorithm": "SHA256-RSA",
  "createdDate": "2024-04-24T17:11:42Z",
  "id": "4f1caf97-bd2f-4d30-8e68-682fa10d27ff", (1)
  "request": "-----BEGIN CERTIFICATE REQUEST-----\nMIIDTTCCAjUCAQAwgbcxCzAJBgNVBAYTAlVTMQ8wDQYDVQQHEwZEZW52ZXIxGTAX\nBgNVB ... MUREqk/\ndSPgWeMMVFQwlmljkE+cvGl9L3f7aPgXtR6nxPS/oTSl\n-----END CERTIFICATE REQUEST-----\n",
  "subject": "CN=www.pingidentity.com,OU=IT,O=Ping Identity Corporation,STREET=1001 17th Street,L=Denver,C=US",
  "subjectAlternativeNames": [
    "support.pingidentity.com",
    "labs.pingidentity.com"
  ]
}
      1 The CSR ID is represented by the id key. You need this ID in a later step to update the CSR with the signed certificate. In this example, the CSR ID is 4f1caf97-bd2f-4d30-8e68-682fa10d27ff.

    3. Extract the CSR from the request key of the JSON object in csr-result.json:

      $ jq -r .request csr-result.json > csr.pem

    4. Review the contents of the CSR in csr.pem:

Step 2: Generate a signed certificate and create a certificate chain

In this step, you create a CA-signed or self-signed certificate, then create a PEM-formatted certificate chain.

  1. Create a certificate from the CSR in one of these ways:

    • CA-signed certificate:
      Supply the CSR to your preferred SSL certificate provider so they can generate a CA-signed certificate. Your SSL certificate provider should provide you with a signed certificate and a CA certificate. They may also provide intermediary certificates.

    • Self-signed certificate:
      Use OpenSSL to create a custom CA certificate and a self-signed certificate.

  2. Combine your signed certificate and CA certificate into a certificate chain and save it in the local file chain.pem. If you used an SSL certificate provider, add any intermediary certificates into chain.pem too, inserted between your signed certificate and the CA certificate:

    $ cat cert.pem [inter.cert.pem ...] ca.cert.pem > chain.pem

    The following is an example of what the certificate chain might look like:

    -----BEGIN CERTIFICATE-----
content of your signed certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
content of an optional intermediate CA certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
content of a CA certificate
-----END CERTIFICATE-----

Step 3: Install the certificate

In this step, you install the certificate in the tenant environment where you created the CSR request.

  1. Create a JSON payload of certificate information:

    1. Add the certificate chain to a JSON object:

      $ jq -Rs '{certificate: .}' ./chain.pem > payload.json

      Summary of command:

      • Creates a JSON object using the jq command. Learn more in Prerequisites.

      • Adds a certificate key to the JSON object set with the contents of chain.pem as a single line.

      • Saves the JSON object in a local file called payload.json.

    2. The contents of payload.json should look something like this:

      {
  "certificate": "-----BEGIN CERTIFICATE-----\ncontent of your signed certificate\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\ncontent of an optional intermediate CA certificate\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\ncontent of your CA certificate\n-----END CERTIFICATE-----\n"
}

  2. In the tenant environment where you created the CSR request in step 1.2 and intend to install the certificate:

    1. Get an access token created with the fr:idc:certificate:* scope.

    2. Upload the certificate using the /environment/csrs endpoint:

      $ curl \
--request PATCH 'https://<tenant-env-fqdn>/environment/csrs/<csr-id>' \(1) (2)
--header 'Authorization: Bearer <access-token>' \(3)
--header 'Content-Type: application/json' \
--data "$(< payload.json)" (4)
      1 Replace <tenant-env-fqdn> with the FQDN of your tenant environment.
      2 Replace <csr-id> with the CSR ID you noted in step 1, 2b.
      3 Replace <access-token> with the access token.
      4 The request body is populated with the output of payload.json.
      Show response 
      {
    "algorithm": "SHA256-RSA",
    "certificateID": "ccrt-d7bad9b1-65fa-48ce-b56a-bd320a75d477", (1)
    "createdDate": "2024-05-03T12:49:29Z",
    "id": "11c5419e-c5de-466d-a7e7-d65afbde1217",
    "request": "-----BEGIN CERTIFICATE REQUEST-----\nMIIDozCCAosCAQAwgbcxCzAJBgNVBAYTAlVTMQ8wDQYDVQQHEwZEZW52ZXIxGTAX\nBgNVB ... ABMyK1\nDVSVbrcuZMoxcnzZNynjGLe58iFS+ko=\n-----END CERTIFICATE REQUEST-----\n",
    "subject": "CN=www.pingidentity.com,OU=IT,O=Ping Identity Corporation,STREET=1001 17th Street,L=Denver,C=US",
    "subjectAlternativeNames": [
        "support.pingidentity.com",
        "labs.pingidentity.com"
    ]
}
      1 The certificate ID is represented by the certificateID key. You need this ID to activate, deactivate, or delete the certificate. In this example, the certificate ID is ccrt-d7bad9b1-65fa-48ce-b56a-bd320a75d477.

    3. Get the certificate information using the /environment/certificates endpoint:

      $ curl \
--request GET 'https://<tenant-env-fqdn>/environment/certificates/<certificate-id>' \(1) (2)
--header 'Authorization: Bearer <access-token>' \(3)
--header 'Content-Type: application/json'
      1 Replace <tenant-env-fqdn> with the FQDN of your tenant environment.
      2 Replace <certificate-id> with the certificate ID you noted in the previous step.
      3 Replace <access-token> with the access token.
      Show response 
      {
    "active": false, (1)
    "expireTime": "2024-06-02T12:58:01Z",
    "id": "ccrt-d7bad9b1-65fa-48ce-b56a-bd320a75d477", (2)
    "issuer": "CN=Self-signing CA",
    "live": false,  (3)
    "subject": "CN=www.pingidentity.com,OU=IT,O=Ping Identity Corporation,STREET=1001 17th Street,L=Denver,C=US,1.2.840.113549.1.9.1=#0c1d6578616d706c652e757365724070696e676964656e746974792e636f6d",
    "subjectAlternativeNames": [
        "support.pingidentity.com",
        "labs.pingidentity.com"
    ],
    "validFromTime": "2024-05-03T12:58:01Z"
}
      1 The active key is set to false which indicates that the certificate is not active. This is the default value for a new certificate.
      2 The certificate ID is represented by the id key. This is the same ID as in the certificateID key in the CSR response from the previous step.
      3 The live key returns the value false, which indicates the certificate is not installed in the environment’s load balancer. In the next step, you will set the active key to true. This triggers an asynchronous process that installs the certificate in the environment’s load balancer. When the asynchronous process is complete, the live key returns the value true.

    4. Activate the certificate to install it in the environment’s load balancer.

Create a certificate using a locally generated private key

You can create certificates using a private key you generate locally and retain access to. The benefit of this approach is once you have signed the certificate, you can install it with the private key on as many tenants as you need. However, to use this approach, you must have robust security practices when handling the private key.

Step 1: Create a CSR using the command line

In this step, you create a certificate signing request (CSR). You’ll need this in the next step to create a self-signed certificate or to send to your preferred SSL certificate provider to create a CA-signed certificate.

  1. Create an OpenSSL CSR configuration file:

    1. Adapt the following example configuration to suit your company:

      [ req ] (1)
prompt             = no (2)
distinguished_name = req_distinguished_name
req_extensions     = req_ext (5)

[ req_distinguished_name ]

# Standard CSR fields (3)
commonName             = www.pingidentity.com
organizationName       = Ping Identity Corporation
organizationalUnitName = IT
countryName            = US
streetAddress          = 1001 17th Street
localityName           = Denver
stateOrProvinceName    = Colorado
postalCode             = 80202
emailAddress           = example.user@pingidentity.com

# EV CSR fields (4)
businessCategory                = Private Organization
serialNumber                    = 3463471
jurisdictionCountryName         = US
jurisdictionLocalityName        = Wilmington
jurisdictionStateOrProvinceName = Delaware

[ req_ext ]  (5)
subjectAltName = @alt_names

[alt_names]  (5)
DNS.1 = support.pingidentity.com
DNS.2 = labs.pingidentity.com
      1 Configures the openssl req command.
      2 Configures the openssl req command to use the CSR values supplied in this configuration file instead of prompting for them.
      3 Configures the standard CSR fields. All standard fields are included for demonstration, but this is not strictly necessary. Consult your SSL certificate provider’s documentation for the minimum required fields. Remove any fields that are not used rather than include them with an empty value.
      4 (Optional) Configures the EV CSR fields. All EV fields are included for demonstration, but only businessCategory, serialNumber, and jurisdictionCountryName are required.
      5 (Optional) Configures the subject alternative names (SANs). SANs are domains the certificate will secure in addition to the commonName. Wildcard values in SAN domains are not permitted.

    2. Save your adapted configuration in a local file called openssl-csr.conf.

  2. Create a CSR:

    1. Generate a CSR and private key pair using the configuration in openssl-csr.conf:

      $ openssl req \
-nodes -newkey rsa:2048 \
-out csr.pem -keyout key.pem \
-config openssl-csr.conf

    2. Review the CSR and private key, which are respectively in the local files csr.pem and key.pem:

Step 2: Generate a signed certificate and create a certificate chain

In this step, you create a CA-signed or self-signed certificate, then create a PEM-formatted certificate chain.

  1. Create a certificate from the CSR in one of these ways:

    • CA-signed certificate:
      Supply the CSR to your preferred SSL certificate provider so they can generate a CA-signed certificate. Your SSL certificate provider should provide you with a signed certificate and a CA certificate. They may also provide intermediary certificates.

    • Self-signed certificate:
      Use OpenSSL to create a custom CA certificate and a self-signed certificate.

  2. Combine your signed certificate and CA certificate into a certificate chain and save it in the local file chain.pem. If you used an SSL certificate provider, add any intermediary certificates into chain.pem too, inserted between your signed certificate and the CA certificate:

    $ cat cert.pem [inter.cert.pem ...] ca.cert.pem > chain.pem

    The following is an example of what the certificate chain might look like:

    -----BEGIN CERTIFICATE-----
content of your signed certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
content of an optional intermediate CA certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
content of a CA certificate
-----END CERTIFICATE-----

Step 3: Install the certificate

In this step, you install the certificate and private key in your tenant environments.

  1. Create a JSON payload of certificate information:

    1. Add the certificate chain and private key to a JSON object:

      $ (jq -Rs '{certificate: .}' ./chain.pem; jq -Rs '{privateKey: .}' ./key.pem)  | jq -s add  > payload.json

      Summary of command:

      • Creates a JSON object using the jq command. Learn more in Prerequisites.

      • Adds a certificate key to the JSON object set with the contents of chain.pem as a single line.

      • Adds a privateKey key to the JSON object set with the contents of key.pem as a single line.

      • Saves the JSON object in a local file called payload.json.

    2. The contents of payload.json should look something like this:

      {
  "certificate": "-----BEGIN CERTIFICATE-----\ncontent of your signed certificate\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\ncontent of an optional intermediate CA certificate\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\ncontent of your CA certificate\n-----END CERTIFICATE-----\n",
  "privateKey": "-----BEGIN ENCRYPTED PRIVATE KEY-----\ncontent of your private key\n-----END ENCRYPTED PRIVATE KEY-----\n"
}

  2. In each tenant environment where you want to install the certificate:

    1. Get an access token created with the fr:idc:certificate:* scope.

    2. Upload the certificate using the /environment/certificates endpoint:

      $ curl \
--request POST 'https://<tenant-env-fqdn>/environment/certificates' \(1)
--header 'Authorization: Bearer <access-token>' \(2)
--header 'Content-Type: application/json' \
--data "$(< payload.json)" (3)
      1 Replace <tenant-env-fqdn> with the FQDN of your tenant environment.
      2 Replace <access-token> with the access token.
      3 The request body is populated with the output of payload.json.
      Show response 
      {
    "active": false, (1)
    "expireTime": "2024-06-01T15:14:54Z",
    "id": "ccrt-134425bc-6203-48fe-bbef-b17792faf972", (2)
    "issuer": "CN=Self-signing CA",
    "live": false, (3)
    "subject": "SERIALNUMBER=3463471,CN=www.pingidentity.com,OU=IT,O=Ping Identity Corporation,POSTALCODE=80202,STREET=1001 17th Street,L=Denver,ST=Colorado,C=US,1.3.6.1.4.1.311.60.2.1.2=#130844656c6177617265,1.3.6.1.4.1.311.60.2.1.1=#130a57696c6d696e67746f6e,1.3.6.1.4.1.311.60.2.1.3=#13025553,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.2.840.113549.1.9.1=#0c1d6578616d706c652e757365724070696e676964656e746974792e636f6d",
    "subjectAlternativeNames": [
        "support.pingidentity.com",
        "labs.pingidentity.com"
    ],
    "validFromTime": "2024-05-02T15:14:54Z"
}
      1 The active key is set to false, which indicates the certificate is not active. This is the default value for a new certificate.
      2 The certificate ID is represented by the id key. You need this ID to activate, deactivate, or delete the certificate. In this example, the certificate ID is ccrt-134425bc-6203-48fe-bbef-b17792faf972.
      3 The live key returns the value false, which indicates the certificate is not installed in the environment’s load balancer. In the next step, you will set the active key to true. This triggers an asynchronous process that installs the certificate in the environment’s load balancer. When the asynchronous process is complete, the live key returns the value true.

    3. Activate the certificate to install it in the environment’s load balancer.

List certificates

List certificates to view all certificates in a tenant environment. Certificates can be active (installed in the environment’s load balancer) or inactive (not installed in the environment’s load balancer). The list includes any certificates Backstage Support added to the environment.

In any tenant environment

  1. Get an access token created with the fr:idc:certificate:read scope.

  2. Get a list of certificates from the /environment/certificates endpoint:

    $ curl \
--request GET 'https://<tenant-env-fqdn>/environment/certificates' \(1)
--header 'Authorization: Bearer <access-token>' \(2)
--header 'Content-Type: application/json'
    1 Replace <tenant-env-fqdn> with the FQDN of your tenant environment.
    2 Replace <access-token> with the access token.
    Show response 
    [
    {
        "active": false,
        "expireTime": "2024-06-01T15:14:54Z",
        "id": "ccrt-4ac300e5-7e0a-4d34-a42c-c41a076458da",
        "issuer": "CN=Self-signing CA",
        "live": false,
        "subject": "SERIALNUMBER=3463471,CN=www.pingidentity.com,OU=IT,O=Ping Identity Corporation,POSTALCODE=80202,STREET=1001 17th Street,L=Denver,ST=Colorado,C=US,1.3.6.1.4.1.311.60.2.1.2=#130844656c6177617265,1.3.6.1.4.1.311.60.2.1.1=#130a57696c6d696e67746f6e,1.3.6.1.4.1.311.60.2.1.3=#13025553,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.2.840.113549.1.9.1=#0c1d6578616d706c652e757365724070696e676964656e746974792e636f6d",
        "subjectAlternativeNames": [
            "support.pingidentity.com",
            "labs.pingidentity.com"
        ],
        "validFromTime": "2024-05-02T15:14:54Z"
    },
    {
        "active": false,
        "expireTime": "2024-06-02T12:58:01Z",
        "id": "ccrt-d7bad9b1-65fa-48ce-b56a-bd320a75d477",
        "issuer": "CN=Self-signing CA",
        "live": false,
        "subject": "CN=www.pingidentity.com,OU=IT,O=Ping Identity Corporation,STREET=1001 17th Street,L=Denver,C=US,1.2.840.113549.1.9.1=#0c1d6578616d706c652e757365724070696e676964656e746974792e636f6d",
        "subjectAlternativeNames": [
            "support.pingidentity.com",
            "labs.pingidentity.com"
        ],
        "validFromTime": "2024-05-03T12:58:01Z"
    }
]

Activate a certificate

Activate a certificate to install it in a tenant environment’s load balancer. If you activate more than one certificate at once, the environment’s load balancer will serve the most appropriate for the requested hostname. This lets you rotate certificates by installing and activating a new certificate before an older certificate expires.

In any tenant environment:

  1. List the certificates in the environment and examine the response to find the ID of the certificate (represented as the JSON id key) you intend to activate.

  2. Get an access token created with the fr:idc:certificate:* scope.

  3. Update the certificate by patching the JSON active key to true:

    $ curl \
--request PATCH 'https://<tenant-env-fqdn>/environment/certificates/<certificate-id>' \(1) (2)
--header 'Authorization: Bearer <access-token>' \(3)
--header 'Content-Type: application/json' \
--data '{"active": true}' (4)
    1 Replace <tenant-env-fqdn> with the FQDN of your tenant environment.
    2 Replace <certificate-id> with the certificate ID you found in step 1.
    3 Replace <access-token> with the access token.
    4 The request body is set with a new value for the JSON active key (true).
    Show response 
    {
    "active": true,
    "expireTime": "2024-06-01T15:14:54Z",
    "id": "ccrt-134425bc-6203-48fe-bbef-b17792faf972",
    "issuer": "CN=Self-signing CA",
    "live": false,
    "subject": "SERIALNUMBER=3463471,CN=www.pingidentity.com,OU=IT,O=Ping Identity Corporation,POSTALCODE=80202,STREET=1001 17th Street,L=Denver,ST=Colorado,C=US,1.3.6.1.4.1.311.60.2.1.2=#130844656c6177617265,1.3.6.1.4.1.311.60.2.1.1=#130a57696c6d696e67746f6e,1.3.6.1.4.1.311.60.2.1.3=#13025553,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.2.840.113549.1.9.1=#0c1d6578616d706c652e757365724070696e676964656e746974792e636f6d",
    "subjectAlternativeNames": [
        "support.pingidentity.com",
        "labs.pingidentity.com"
    ],
    "validFromTime": "2024-05-02T15:14:54Z"
}

  4. An asynchronous process will automatically install the certificate in the environment’s load balancer. To check when the asynchronous process has completed, poll the /environment/certificates endpoint using the certificate ID until the live key in the response changes from false to true:

    $ curl \
--request GET 'https://<tenant-env-fqdn>/environment/certificates/<certificate-id>' \(1) (2)
--header 'Authorization: Bearer <access-token>' \(3)
--header 'Content-Type: application/json'
    1 Replace <tenant-env-fqdn> with the FQDN of your tenant environment.
    2 Replace <certificate-id> with the ID of the certificate you updated.
    3 Replace <access-token> with the access token.

    When the asynchronous process has completed and installed the certificate in the environment’s load balancer, the response should look like this:

    Show response 
    {
    "active": true,
    "expireTime": "2024-06-01T15:14:54Z",
    "id": "ccrt-134425bc-6203-48fe-bbef-b17792faf972",
    "issuer": "CN=Self-signing CA",
    "live": true,
    "subject": "SERIALNUMBER=3463471,CN=www.pingidentity.com,OU=IT,O=Ping Identity Corporation,POSTALCODE=80202,STREET=1001 17th Street,L=Denver,ST=Colorado,C=US,1.3.6.1.4.1.311.60.2.1.2=#130844656c6177617265,1.3.6.1.4.1.311.60.2.1.1=#130a57696c6d696e67746f6e,1.3.6.1.4.1.311.60.2.1.3=#13025553,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.2.840.113549.1.9.1=#0c1d6578616d706c652e757365724070696e676964656e746974792e636f6d",
    "subjectAlternativeNames": [
        "support.pingidentity.com",
        "labs.pingidentity.com"
    ],
    "validFromTime": "2024-05-02T15:14:54Z"
}

Deactivate a certificate

Deactivate a certificate to uninstall it from a tenant environment’s load balancer. If you deactivate all certificates in an environment, the load balancer will fall back to using a Google-managed certificate.

To deactivate a certificate, follow the instructions in Activate a certificate with the following changes:

  • In step 3, patch the JSON active key to false.

  • In step 4, poll the /environment/certificates endpoint until the live key in the response changes from true to false.

Delete a certificate

Delete a certificate to permanently remove it from a tenant environment.

In any tenant environment:

  1. List the certificates in the environment and examine the response to find the ID of the certificate you intend to delete, represented by the id key.

  2. If you have not done so already, deactivate the certificate to uninstall it from the environment’s load balancer.

  3. Get an access token created with the fr:idc:certificate:* scope.

  4. Delete the certificate:

    $ curl \
--request DELETE 'https://<tenant-env-fqdn>/environment/certificates/<certificate-id>' \(1) (2)
--header 'Authorization: Bearer <access-token>' \(3)
--header 'Content-Type: application/json'
    1 Replace <tenant-env-fqdn> with the FQDN of your tenant environment.
    2 Replace <certificate-id> with the certificate ID you found in step 1.
    3 Replace <access-token> with the access token.

Create a custom CA certificate and a self-signed certificate

  1. Create a CSR and save it in a local file called csr.pem:

  2. Create a CA certificate and private key:

    1. Save the following OpenSSL configuration in a local file called openssl-req-ca.conf:

      [ req ] (1)
x509_extensions = x509_req_ext

[ x509_req_ext ]  (2)
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:true
keyUsage               = critical, digitalSignature, cRLSign, keyCertSign
      1 Configures the openssl req command.
      2 Configures the openssl req command when using the x509 flag to create a CA certificate.

    2. Generate a CA certificate and private key:

      $ openssl req \
-x509 -nodes -newkey rsa:2048 -sha256 -days 30 \
-out ca.cert.pem -keyout ca.key.pem \
-subj "/CN=Self-signing CA" \
-config openssl-req-ca.conf

    3. Review the CA certificate and private key, which are respectively in the local files ca.cert.pem and ca.key.pem:

  3. Create a signed certificate:

    1. Save the following OpenSSL configuration in a local file called openssl-req-sign.conf:

      [ req ] (1)
x509_extensions = x509_req_ext

[ x509_req_ext ]  (2)
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always
keyUsage                = critical, digitalSignature
extendedKeyUsage        = serverAuth
      1 Configures the openssl req command.
      2 Configures the openssl req command when using the x509 flag to sign a CSR.

    2. Generate a signed certificate using the CSR, the CA certificate and private key, and the configuration in openssl-req-sign.conf:

      $ openssl req \
-x509 -nodes -sha256 -days 30 -copy_extensions copy \
-in csr.pem -out cert.pem -CA ca.cert.pem -CAkey ca.key.pem \
-config openssl-req-sign.conf

    3. Review the certificate, which is in the local file cert.pem:

Check a CSR

To check the information in a CSR, run this command:

$ openssl req -in <csr-filename> -noout -text (1)
1 Replace <csr-filename> with the name of the local file containing your CSR; for example, csr.pem.
Show response 
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: CN = www.pingidentity.com, O = Ping Identity Corporation, OU = IT, C = US, street = 1001 17th Street, L = Denver, ST = Colorado, postalCode = 80202, emailAddress = example.user@pingidentity.com, businessCategory = Private Organization, serialNumber = 3463471, jurisdictionC = US, jurisdictionL = Wilmington, jurisdictionST = Delaware (1)
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:df:cf:53:47:8b:6a:51:23:0c:b9:8d:65:31:13:
                    26:6b:65:05:46:50:64:2c:97:4b:21:ac:72:99:54:
                    0c:d9:44:f1:74:c8:cd:55:09:67:7f:a2:f9:47:e5:
                    d4:fb:ec:fd:e9:c5:fd:77:30:30:79:f4:86:a3:c1:
                    72:2e:92:ca:74:93:44:65:4d:6f:b1:09:36:8d:b2:
                    c5:97:16:5e:d2:0d:49:42:91:93:da:01:02:9d:cf:
                    c4:af:99:1e:1f:80:f9:61:ab:60:14:25:d5:91:a9:
                    8f:f3:86:01:a1:33:95:10:6c:2a:60:19:6c:49:87:
                    4c:6f:f5:16:b0:54:2a:95:e1:32:c2:bd:3b:92:06:
                    3a:07:61:fa:01:72:3e:ca:02:e6:db:73:6a:4a:e7:
                    7a:ea:24:a7:75:a6:3c:ab:16:e2:c2:52:db:61:2f:
                    df:22:5d:b7:8b:67:31:4a:44:12:7e:94:af:b5:78:
                    31:97:09:68:da:07:28:71:61:a4:8b:6f:ce:27:70:
                    07:d5:12:58:cf:d1:4b:a9:a3:25:c9:a2:3d:08:5e:
                    1c:b3:b3:54:eb:93:90:55:65:01:0f:13:24:da:b3:
                    32:50:bf:d4:c3:71:8f:3b:82:25:11:e7:67:44:dd:
                    69:71:13:b3:6a:86:d2:a4:7f:25:01:c0:8f:71:96:
                    16:75
                Exponent: 65537 (0x10001)
        Attributes:
            Requested Extensions:
                X509v3 Subject Alternative Name: (2)
                    DNS:support.pingidentity.com, DNS:labs.pingidentity.com
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        ab:6d:a7:14:8a:07:6b:69:c8:f7:e9:1f:ca:d3:d4:6d:53:ad:
        4e:f7:91:aa:ec:1a:50:a3:08:0d:05:41:eb:17:ab:c0:30:d6:
        53:2c:24:2f:d3:20:e8:7a:ae:d6:f9:81:a0:d2:a5:ad:44:24:
        35:51:c1:d8:2c:f6:32:d5:9b:35:64:4a:d0:76:47:8f:1e:7e:
        7d:fe:67:66:fd:a9:f0:c4:d4:18:37:a5:7b:50:af:25:34:76:
        14:ac:ba:e7:5a:40:eb:ba:cd:16:09:59:71:e4:88:ab:43:fb:
        ff:a1:8d:ae:5f:cc:62:1d:46:19:28:0a:74:fe:e3:59:e9:63:
        42:65:db:ef:14:29:53:03:53:8d:17:5f:b2:dd:b9:9d:27:fe:
        11:ec:44:07:ef:27:6c:8a:18:63:6c:7c:a4:f4:bb:2e:ee:d5:
        ae:4a:79:80:e0:24:6b:db:01:c1:03:6f:c8:6b:8b:c9:72:46:
        51:3b:a9:00:7a:c6:fc:28:60:8b:13:88:4c:1d:21:f2:19:de:
        c0:a2:99:78:40:74:af:4f:c2:62:3b:6e:d0:9a:12:b1:7a:54:
        2c:42:38:d8:f4:27:be:6e:0e:7f:40:ee:54:81:e2:63:da:95:
        84:33:a5:48:61:dd:88:10:41:cc:d8:62:e9:3a:61:85:7d:06:
        55:04:19:ff
1 Check the subject contains the fields you entered for the CSR, particularly for EV certificates.
2 If you entered SANs for the CSR, check the SAN extension is present.

Check a certificate

To check the information in a certificate, run this command:

$ openssl x509 -in <certificate-filename> -text -noout (1)
1 Replace <certificate-filename> with the name of the local file containing your certificate; for example, cert.pem.
Show response 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Self-signing CA
        Validity
            Not Before: May  2 12:07:51 2024 GMT
            Not After : Jun  1 12:07:51 2024 GMT (1)
        Subject: CN = www.pingidentity.com, C = US, ST = Colorado, L = Denver, O = Ping Identity Corporation, OU = IT (2)
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d0:52:11:d0:47:34:32:26:85:ae:c8:db:e1:59:
                    9c:88:07:e2:e1:08:65:6c:91:97:e4:e6:33:bb:4c:
                    24:ef:bd:c1:98:e7:c4:6b:6e:40:30:d5:ca:b8:f6:
                    d4:23:ae:4f:2a:e2:93:a3:dc:1b:76:dc:9f:ff:ad:
                    22:23:49:26:18:9e:90:f7:41:7c:7d:89:79:0b:ce:
                    b3:f6:e2:ce:e0:81:a6:d8:7a:e0:1a:5a:dd:7c:85:
                    ff:e8:5b:bc:e5:2a:0a:23:0e:69:cf:2b:fd:cf:7a:
                    d2:d8:5d:fa:61:7f:d5:ef:a0:9c:8a:6d:4c:74:6e:
                    98:36:38:3e:04:8e:f5:82:32:8c:5d:a8:f4:02:f3:
                    ad:54:f0:d9:11:8f:88:7f:0b:64:87:97:61:61:d9:
                    10:7f:54:53:49:e2:fd:90:e3:67:a2:b8:56:b4:7f:
                    4c:bc:d9:9c:33:96:8d:9a:c3:7c:85:58:47:02:38:
                    05:80:a6:e3:95:7c:4c:51:46:9f:d6:81:7e:56:12:
                    cf:35:be:01:57:15:65:f0:d4:9f:61:1f:ba:93:a5:
                    79:84:de:7a:ba:23:04:fa:9a:f4:99:16:60:0c:ef:
                    80:99:3c:fd:5d:af:09:8c:6e:02:2d:a8:02:01:bd:
                    b8:90:00:12:f8:c4:4c:a2:9c:71:e9:22:c4:89:19:
                    35:3f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                7B:1D:14:C9:3C:4A:67:37:A2:E5:BE:B5:30:19:BE:EF:E6:08:B3:D6
            X509v3 Authority Key Identifier:
                6E:41:13:8E:26:E4:B0:7E:63:ED:07:0C:4E:2D:CD:FA:66:28:20:21
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name: (3)
                DNS:support.pingidentity.com, DNS:labs.pingidentity.com
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        22:60:ab:f8:13:cd:af:36:62:06:c5:fe:d4:eb:4f:7e:17:d1:
        c9:c9:82:56:97:8e:d5:f1:55:33:64:d2:4f:7f:ab:75:e0:28:
        61:35:56:59:ed:7a:a5:a6:6c:94:e7:3c:e1:c5:9c:1c:9e:43:
        24:cd:49:f5:b9:d5:0e:81:2b:c5:03:1f:30:36:a3:97:cf:b4:
        f4:a1:55:d0:5d:d8:47:de:cf:f2:df:b9:6c:ff:a1:37:f2:61:
        98:5f:a6:d1:d9:2c:c2:f3:50:71:51:6b:95:ec:d1:be:b3:f1:
        9a:04:29:ad:62:f4:f5:e5:a7:7b:89:d5:a7:4c:4a:e5:88:eb:
        d5:d9:3a:5f:9c:97:01:79:00:dc:76:05:e4:f6:3a:74:61:aa:
        27:53:60:25:73:39:fd:0c:9b:bf:8e:61:32:59:f8:f3:d7:92:
        e4:e8:ba:b3:63:8b:59:b0:e2:16:06:3a:43:0b:ec:00:f8:ad:
        4d:fb:81:50:83:f1:87:f0:2d:91:09:43:3a:03:a2:13:00:db:
        0c:3e:9d:e5:53:9d:ac:ad:87:de:1a:25:5e:2e:c0:7c:17:fe:
        21:61:94:01:d3:3b:96:e7:83:0b:a9:d1:c8:0d:fa:03:93:0a:
        67:c5:8d:dd:ad:68:c6:7a:1d:5c:a5:df:cd:0b:d9:de:83:0f:
        20:42:83:61
1 Check the expiry date.
2 Check the subject contains the fields you entered for the CSR, particularly for EV certificates.
3 If you entered SANs for the CSR, check the SAN extension is present.

PEM-formatted certificate examples

The contents of a PEM-formatted CSR, private key, and certificate should look something like these examples:

  • CSR example

  • Private key example

  • Certificate example

-----BEGIN CERTIFICATE REQUEST-----
MIIDTTCCAjUCAQAwgbcxCzAJBgNVBAYTAlVTMQ8wDQYDVQQHEwZEZW52ZXIxGTAX
BgNVBAkTEDEwMDEgMTd0aCBTdHJlZXQxIjAgBgNVBAoTGVBpbmcgSWRlbnRpdHkg
Q29ycG9yYXRpb24xCzAJBgNVBAsTAklUMR0wGwYDVQQDExR3d3cucGluZ2lkZW50
aXR5LmNvbTEsMCoGCSqGSIb3DQEJARYdZXhhbXBsZS51c2VyQHBpbmdpZGVudGl0
eS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtQMavyinYUbzz
uIWq5HtqNE4lkO1kV+JzoIxXY5Ytr/ooyy0m3Xb8SycNGeA+X4eDeBuOX1LUOuSl
sOJYyf4mbHKirgojMJ4oj1ysv4DK2GTJOcAnsqXo5Hd+ahOxD8SLvta8S6qYo2ME
VnujZC0ghVi6+9Q11xavcsCLf3LnBe0oYZ7qUEyyNnx4KjvOpDhy+UH9LHvt7Cur
fOCM0l2guX5+VuRVgkHWOtIi3lIF64a9JSpTFY3Z+ikLlGCXtkCtSdSRMiEITpcR
RBYQkCjivF7xzQ0jipL/CtT7no4LWhy72dS3oyuTNeTtyPu8Mbk4EicnVzQtO5iL
xBK+AMv7AgMBAAGgUDBOBgkqhkiG9w0BCQ4xQTA/MD0GA1UdEQEB/wQzMDGCGHN1
cHBvcnQucGluZ2lkZW50aXR5LmNvbYIVbGFicy5waW5naWRlbnRpdHkuY29tMA0G
CSqGSIb3DQEBCwUAA4IBAQBCxK33xB9UTZRJi9Bi02HA06plcrHVdYONuZOSadP+
PdHYV6BoUMvCznzH6uzYdS+aEKrmVa2r6/4CvafvdcxRqTa0dtMAuVJBltlXjmoX
/+xU4rKXwlX1Y+05ZE7waskv4wnTryfE2eNsloiiZazu2zNsnk5MQouJTrLxSH2u
a3eG9B2Xg8H7tSu8tFuaiwdV+YamjG5qDVU8NRhs1JtQg9OJtCG907WQsN+eUys4
vem0rmJ/vI9djVLe2953N1or/gqC2s/0ZnxdsxfXgp4ChYPoxmIA1BEh8MUREqk/
dSPgWeMMVFQwlmljkE+cvGl9L3f7aPgXtR6nxPS/oTSl
-----END CERTIFICATE REQUEST-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIdwl71gz4G1UCAggA
MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECGBfrYt/Ot8sBIIEyB+W3xwf7sbl
XsiQdmnI2ls8ynL0tnULGA404TayGgQIC+bChUdjiw7+n1gaSSfZQAB/nhsOCiuK
Ry9UL6k0ZvjOEyI1l2XEbBswpazh1MKfaqvuCME60O98ntbo+isP/fHzg1JBDYul
/yDFVNj9P7nGRHLdBXU3W9/5hMDzLf5HZSsLi9U4Nfcbs/asbKasHYVm88Qm/I9H
f34YPrwRGYyQCltRKQvNA5z3f8A4GmrXBeED/Incdjf3pxmf+birvzCfK1WYOwgl
J7SfWWKSj55leHvDBmfJcE4TlNDBme+BQ2lUtZ6yvLBzts32EpjqCR2oLwN9h47E
BE8bJjOJ3vEzUWsUxJbi0vkue42fnxFf3n70HemfYO8grQVFP3H2YyBKRC0Dwp2R
xPLldQ6TRFZvTyCxGsAlpo+En9tQHFMaS3RvWp2mWEGqHf0CaSb0aBdt/clbNsPd
HCX5EAghTxZAjWNRTmkihsg6HYXF1uWU6x1h0sZm/xhEEUebdFXFwoYX7tvRFIxp
OJdH+avLp7x33Oyt0jMmaCuZl3uDBnpjzxJT9TwhwSgm/dWBT0b9PPYfB1oPuMwg
pFBi7K9SUxgBSI6ZSISxuf0juFIkIo12ghB6gO6mWoCLC1qSCd0oL3ajP4kWIKBE
a8GIA3EruvF+bQleoHIs7mwOVKkmct59eLJ9UxZzIo6eaAJFJBWBeLGsKB2VyW+p
Fa6lR/mMDH0Jaoh4zMj+K4WVNUXoUoDCe+ERnAqTp0z97bHZDQn0qAdrP79Nh/To
KoD02s0dJl7sOPDso958DE/nP5NmEo46boLFi4NHZDxTxq70zVn1VPfxsXIgfaNA
lbBQu/i+3hjDxoosYMYhIUUYz4X6RzJaC425DFBsW4l8nzEGOhXxlRE8w4G/NgNT
L3JpeKX6tyYYHlNSD2KeSmIb5qC8dqZB640KSH2V6Set1/4sOGMzGtuVa6DYVAic
XtVY8gRy9+os5nsLvI8M9V0j+F/aI3tJ3gjws2eA3cIrbQxCmezsiRG3dt110voc
MDYOdns8jDdi6ViOVQFOQwgo7ekMmnUWuOYavdJXwnyBdT7Prlr1bLFerf4pLfKN
orBgdL1cwyvFjiSi59wbh65zGBvkMbcvvYwo8hh0G3NaST2Q4arLPaZdvpncjVD6
Dr12KFWrsPecg4HtlRVkedlew1De/s+KtIc+dhphL45MF2l9rnOe83tL8qMQI6qE
Q0bYvEOcqkNm0zEWyQCE/m6MpjvvUqS14RBspeIKI4lwvcEJ4jUnPMlmlxJ8EHtn
TfP4xx+KQ7/rjgFUq06qkLu34g3cY+BBzxb1BLSr7kykezU8Dl0qtQFlGUlFQNcC
1AxyB2YV38LfL4wUEF4SvOxQjhmHXQu+L0OApf/wQlKNkbyFR3JfEI+WiW0sQJ3d
PQQnCWorwiWYQXlImY7Zsb30AJOzVB3oX1Pt5NbyK35wUTTWT4kv+giK2SrfJqa0
90PabaDl6/H1h5ushRqmyZibLFIJaoEzR8+82wllHgJwu8NX3N7+Tgx9yCNX4+3r
SNkZ4QZiyo+n2kwvt20lWDCRTLZVXQkaTjqwdr8QZsqOBcmbdLdxv2ctf+umsjAS
Rv8K9FiTy5DNswa1ZE3jYA==
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDvDCCAqSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAaMRgwFgYDVQQDDA9TZWxm
LXNpZ25pbmcgQ0EwHhcNMjQwNTAyMTIwNzUxWhcNMjQwNjAxMTIwNzUxWjCBgTEd
MBsGA1UEAwwUd3d3LnBpbmdpZGVudGl0eS5jb20xCzAJBgNVBAYTAlVTMREwDwYD
VQQIDAhDb2xvcmFkbzEPMA0GA1UEBwwGRGVudmVyMSIwIAYDVQQKDBlQaW5nIElk
ZW50aXR5IENvcnBvcmF0aW9uMQswCQYDVQQLDAJJVDCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBANBSEdBHNDImha7I2+FZnIgH4uEIZWyRl+TmM7tMJO+9
wZjnxGtuQDDVyrj21COuTyrik6PcG3bcn/+tIiNJJhiekPdBfH2JeQvOs/bizuCB
pth64Bpa3XyF/+hbvOUqCiMOac8r/c960thd+mF/1e+gnIptTHRumDY4PgSO9YIy
jF2o9ALzrVTw2RGPiH8LZIeXYWHZEH9UU0ni/ZDjZ6K4VrR/TLzZnDOWjZrDfIVY
RwI4BYCm45V8TFFGn9aBflYSzzW+AVcVZfDUn2EfupOleYTeerojBPqa9JkWYAzv
gJk8/V2vCYxuAi2oAgG9uJAAEvjETKKccekixIkZNT8CAwEAAaOBpDCBoTAdBgNV
HQ4EFgQUex0UyTxKZzei5b61MBm+7+YIs9YwHwYDVR0jBBgwFoAUbkETjibksH5j
7QcMTi3N+mYoICEwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMB
MDoGA1UdEQQzMDGCGHN1cHBvcnQucGluZ2lkZW50aXR5LmNvbYIVbGFicy5waW5n
aWRlbnRpdHkuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQAiYKv4E82vNmIGxf7U609+
F9HJyYJWl47V8VUzZNJPf6t14ChhNVZZ7XqlpmyU5zzhxZwcnkMkzUn1udUOgSvF
Ax8wNqOXz7T0oVXQXdhH3s/y37ls/6E38mGYX6bR2SzC81BxUWuV7NG+s/GaBCmt
YvT15ad7idWnTErliOvV2TpfnJcBeQDcdgXk9jp0YaonU2Alczn9DJu/jmEyWfjz
15Lk6LqzY4tZsOIWBjpDC+wA+K1N+4FQg/GH8C2RCUM6A6ITANsMPp3lU52srYfe
GiVeLsB8F/4hYZQB0zuW54MLqdHIDfoDkwpnxY3drWjGeh1cpd/NC9negw8gQoNh
-----END CERTIFICATE-----