How to create a self-signed x509 certificate with both private and public keys?

Question

I am creating an SSO "proof of concept" using SAML2 and ADFS2 (IdP). Log In is working fine, however ADFS2 is requiring that my Logout request be signed (with a private key) and then I would imagine that I would then add that very same certificate (.cer file) under the Signature tab within my Relying Party Trusts in ADFS2. The only problem is that I don't have a certificate for my app (service provider). I understand that I can create a self-signed cert for this purpose but I can't seem to figure out how to create one with everything I need.

Answer 1

In order to generate a self-signed cert you need openssl library so:

Debian: apt-get install openssl

Centos/RedHat: yum install openssl

Then follow this 3 steps:

• Generate private key:

  openssl genrsa -out server.pem 2048

• Generate CSR: (In the "Common Name" set the domain of your service provider app)

  openssl req -new -key server.pem -out server.csr

• Generate Self Signed Cert

  openssl x509 -req -days 365 -in server.csr -signkey server.pem -out server.crt

At the end of the process you will get server.csr (certificate signing request), server.pem (private key) and server.crt (self signed cert)

In windows you can use makecert.exe

Answer 2

I used the SelfSSL tool for Windows when putting together an ADFS proof of concept. Specifically, this guy has an enhanced version for IIS7.

A sample command:

selfssl7.exe /N cn=www.example.com /K 2048 /V 3652 /X /F C:\example.pfx /W foo

Generates "example.pfx" file with a 2048-bit key, valid for ~10 years, with password "foo" protecting the private key, with common name "www.example.com". You can import this to your local machine's certificate store and then export it as a .cer file with or without the private key info as desired.