
Let's look at a use case of implementing federated access to Salesforce using OpenIAM. When configuring federation, you need to provide the Identity Provider certificate in the Salesforce security configuration module. This topic will guide you through the steps of creating the necessary RSA certificate and public/private keys for

You need to generate a public/private key pair and an X.509 certificate that contains the public key. Once you have the public key or certificate, you then need to register it with


Although there are many methods for creating public and private key pairs, the open-source OpenSSL tool is one of the most popular. It has been ported to all major platforms and provides a simple command-line interface for key generation. There are certainly many more ways to generate the keys and certificate you need.

As a result, you will have the following:

  • rsacert.pem is the public key.  
  • rsaprivkey.der is the private key.


While generating the private key and certificate request in Windows, you should replace the openssl command with the full path to the binary, for example, C:\OpenSSL\bin\openssl.

  1. Run the following command to generate a PEM-encoded private key and store it in the rsaprivkey.pem file:

    This example creates a 1024-bit key. The resulting private key must be kept secret; it is used to sign and decrypt data.

  2. Run the following command to generate the public key in DER format:

  3. Generate the private key in PKCS#8 and DER format by running the following:

    Once you have your key pair, create an X.509 certificate. The certificate holds the corresponding public key, along with some metadata relating to the organization that created the certificate. Use this command to create a self-signed certificate from either an RSA or DSA private key:


    You can add the "-days 365" flag to the last command to make the certificate valid for a year (the default is 30 days).

    After you answer a number of questions, the certificate is created and saved as dsacert.pem. This is the file you upload to
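The four steps above produce the same artifacts whether you run OpenSSL or call a crypto library directly. The following Go program is an added example, not part of this page or of OpenIAM, that produces the same set of files in the same formats (PEM private key, DER public key, unencrypted PKCS#8 DER private key, self-signed X.509 certificate in PEM) and then cross-checks the certificate against the private key before anything is uploaded. The subject name "idp.example.test", the 365-day validity and the 2048-bit key size are assumptions for the example; the page's 1024-bit key is kept only as the value the text states, and the Generate function takes the size as a parameter so that either can be produced.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// IdPMaterial holds the artifacts of the four OpenSSL steps, in the page's
// formats: PEM private key, DER public key, PKCS#8 DER private key, PEM cert.
type IdPMaterial struct {
	PrivKeyPEM   []byte // rsaprivkey.pem, step 1 (PKCS#1 "RSA PRIVATE KEY")
	PubKeyDER    []byte // public key as SubjectPublicKeyInfo DER, step 2
	PrivKeyPKCS8 []byte // rsaprivkey.der, step 3 (unencrypted PKCS#8)
	CertPEM      []byte // rsacert.pem, step 4 (self-signed X.509)
}

// Generate creates the key pair and a self-signed certificate valid for
// validDays (the page's "-days 365"). The example uses 2048 bits; the page's
// 1024-bit key is below what current guidance allows for signing keys.
func Generate(bits int, commonName string, validDays int) (*IdPMaterial, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	pubDER, errPub := x509.MarshalPKIXPublicKey(&key.PublicKey)
	pkcs8DER, errP8 := x509.MarshalPKCS8PrivateKey(key)
	if errPub != nil || errP8 != nil {
		return nil, fmt.Errorf("marshal public key: %v; marshal PKCS#8: %v", errPub, errP8)
	}
	// A random 128-bit serial avoids reuse when the certificate is regenerated.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	now := time.Now().UTC().Truncate(time.Second) // X.509 times carry whole seconds
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: commonName}, // constructed subject (assumption)
		NotBefore:             now,
		NotAfter:              now.Add(time.Duration(validDays) * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature, // an IdP key only signs assertions
		BasicConstraintsValid: true,                           // IsCA stays false: a leaf, not a CA
	}
	certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &IdPMaterial{
		PrivKeyPEM:   pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}),
		PubKeyDER:    pubDER,
		PrivKeyPKCS8: pkcs8DER,
		CertPEM:      pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER}),
	}, nil
}

// CertInfo is what to verify before uploading the certificate to the service provider.
type CertInfo struct {
	Bits           int    // RSA modulus size certified
	CommonName     string // subject CN
	ValidDays      int    // NotAfter minus NotBefore, in days
	SelfSigned     bool   // signature verifies under the certificate's own key
	KeyMatchesCert bool   // the PKCS#8 private key belongs to the certified public key
}

// Inspect parses the certificate and the PKCS#8 key and cross-checks them, so a
// mismatched key or wrong validity is caught locally rather than at first login.
func Inspect(m *IdPMaterial) (*CertInfo, error) {
	block, _ := pem.Decode(m.CertPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE PEM block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	certPub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("certificate does not carry an RSA public key")
	}
	parsed, err := x509.ParsePKCS8PrivateKey(m.PrivKeyPKCS8)
	if err != nil {
		return nil, err
	}
	priv, ok := parsed.(*rsa.PrivateKey)
	if !ok {
		return nil, fmt.Errorf("PKCS#8 blob is not an RSA private key")
	}
	// CheckSignature verifies the TBS bytes under the cert's own key, without the
	// CA constraints that CheckSignatureFrom would demand of a parent certificate.
	selfSigned := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
	return &CertInfo{
		Bits:           certPub.N.BitLen(),
		CommonName:     cert.Subject.CommonName,
		ValidDays:      int(cert.NotAfter.Sub(cert.NotBefore).Hours() / 24),
		SelfSigned:     selfSigned,
		KeyMatchesCert: certPub.Equal(&priv.PublicKey),
	}, nil
}
```

To use it, call Generate(2048, "idp.example.test", 365), write PrivKeyPEM and PrivKeyPKCS8 to files with mode 0600 and CertPEM to rsacert.pem, and upload only the certificate; run Inspect first and refuse to upload unless SelfSigned and KeyMatchesCert are both true and ValidDays matches what you intended, which is the check the OpenSSL steps leave to you.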

More Information
