Generating an SSO self signed certificate for ConnectALL


Article ID: 390466


Products

ConnectAll On-Prem ConnectALL

Issue/Introduction

This article outlines the steps to generate a self-signed SAML signing key and certificate for ConnectALL, import it into the SAML keystore, and avoid some common pitfalls.

This article is intended as a supplement for the documentation at this location: https://techdocs.broadcom.com/us/en/ca-enterprise-software/valueops/connectall/3-7/administration/configuring-user-roles/saml-configuration.html

Resolution

In order to complete these steps you will need OpenSSL and a Java Development Kit (JDK), which provides the keytool command.  You may use OpenJDK or Oracle JDK.  Please refer to the documentation for your operating system to install the required dependencies.

It is not necessary to perform these steps on the ConnectALL server.  However, the resulting p12 file contains the private key, so transfer it to the ConnectALL server over a secure channel (for example scp) before importing it into the SAML keystore, and delete the copies once the import has been verified.

Values such as the file paths, the Distinguished Name fields, the validity period and the passwords in this document are examples; change them to suit your environment.

 

The first step is to generate your private key and certificate.  Set the -days parameter to something appropriate for your company.  The example uses 365 days or 1 year.  Note that the -nodes option writes key.pem without a passphrase, so restrict its permissions and delete it once the p12 file has been imported.  Also note the expiry date: the certificate must be regenerated and the identity provider given the new certificate before it expires, or SSO logins will stop working.

$ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem

 

Sample output:

.......+.....+................+...+..+....++++++++++++++++++...........++++++++++++++++++++++++++++++++++++*.+..+.+..+...+....+........+....+...+..+.+...+.....+....+...+...+++............+..+...+............+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+..+....+......+.....+...+.......+........+...+....+...+...+........+.......+...+...........+.............+...+.................+.+.....+.+......+.....+....+++..+......+....+...........+.......+.....+.......+...+........+....+...+...+.........+...+.....+......+......+...+.+..+...+....+........+.........+......+...+....+..+.+............+.......................+..........+..+......+.........+.+.....+.+......+............+..+.........+.........+...+....+.....+....+.....+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
...............+...+..+...+......+..........+.....+......++++++++++++++++..................+++++++++++++++++++++++++++++++*......+......+..+...++++++++++++++++++++++++++...++++++++++++++++++++++++++++++++++++*.+.+..............+...+..........+.....+......+....+.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Colorado
Locality Name (eg, city) [Default City]:Denver
Organization Name (eg, company) [Default Company Ltd]:Broadcom
Organizational Unit Name (eg, section) []:Support
Common Name (eg, your name or your server's hostname) []:connectall.example.com
Email Address []:[email protected]

 

 

This will generate two files: key.pem and certificate.pem.  It will be necessary to combine these two files into a PKCS#12 (.p12) file.  The following command will perform that action.  The -name value becomes the alias inside the p12 file; ConnectALL expects the alias "connectall", so keep it as shown.  Enter a password and note it, as you will be required to enter it later:

$ openssl pkcs12 -inkey key.pem -in certificate.pem -export -out certificate.p12 -name connectall

 

Sample output:

Enter Export Password: ######
Verifying - Enter Export Password: ######

 

 

The next step is to import the p12 file into your SAML keystore.  By default, your SAML keystore is in <CONNECTALL_HOME>/UI/tomcat/conf/ConnectAll/saml/security.  Check the -destkeystore path carefully: keytool creates the destination keystore if the file does not exist, asking you to choose a new password (as in the sample output below).  If the keystore already exists you are only asked for its existing password, so a "Re-enter new password" prompt for a keystore that should already be there means the path is wrong and a new, unused keystore file has just been created.

$ sudo keytool -importkeystore -destkeystore /opt/ConnectALL/UI/tomcat/conf/ConnectAll/saml/security/samlKeystore.jks -srckeystore certificate.p12 -srcstoretype pkcs12 -alias connectall

 

Sample output:

Importing keystore certificate.p12 to /opt/ConnectALL/UI/tomcat/conf/ConnectAll/saml/security/samlKeystore.jks...
Enter destination keystore password:  ######
Re-enter new password: ######
Enter source keystore password:  ######

 

 

At this point you will want to verify that your p12 file was successfully imported into the SAML keystore with the following command:

$ sudo keytool -list -v -keystore /opt/ConnectALL/UI/tomcat/conf/ConnectAll/saml/security/samlKeystore.jks

 

Sample output:

Enter keystore password:  ######
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: connectall
Creation date: Mar 11, 2025
[...]

The presence of the Alias name "connectall" confirms that the certificate was imported successfully.  Also check the "Valid from" / "until" lines in the full output so you know when the certificate must be renewed.  The "Keystore type" line reports the actual format of the file rather than its extension; a keystore newly created by a current JDK is PKCS12 by default even when the file is named .jks.

 

 

Additional Information

Alias does not exist

A frequently encountered error when trying to import the p12 file is the following:

keytool error: java.lang.Exception: Alias <connectall> does not exist

 

This indicates that your p12 file was not created with an alias of "connectall".  This can be a common problem if someone else generated the p12 file on your behalf.

In order to determine the alias in the p12 file, you can run the following command on the p12 file:

$ keytool -list -v -keystore yourfilename.p12

 

Sample output:

Enter keystore password:  
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: 1
[...]

In this case, the p12 file was created with an alias of 1, which is common if no name was specified during the process of combining the key and certificate.

To resolve this, run the following command to rename the alias:

$ keytool -changealias -keystore yourfilename.p12 -alias 1 -destalias connectall

 

Now it will be possible to import the p12 file into your SAML keystore as indicated above.
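The procedure above (generate, bundle, import, verify) together with the alias check from this Additional Information section, as one non-interactive script.  This is an added example, not the article's own commands or part of ConnectALL: the CONNECTALL_HOME default, the samlKeystore.jks file name under the saml/security directory, the Distinguished Name in SUBJ and the two passwords read from the environment are assumptions to adjust for your environment.

```shell
#!/bin/sh
# Added example, not from the Broadcom article or ConnectALL: the procedure
# above with no interactive prompts, plus the alias check from "Alias does not
# exist". Assumed values: CONNECTALL_HOME, the samlKeystore.jks file name,
# the DN in SUBJ, and the two passwords read from the environment.
set -eu

CONNECTALL_HOME="${CONNECTALL_HOME:-/opt/ConnectALL}"
KEYSTORE_DIR="$CONNECTALL_HOME/UI/tomcat/conf/ConnectAll/saml/security"
KEYSTORE_FILE="samlKeystore.jks"   # assumed name of the keystore in KEYSTORE_DIR
ALIAS="connectall"                  # the alias ConnectALL expects
DAYS=365
SUBJ="/C=US/ST=Colorado/L=Denver/O=Broadcom/OU=Support/CN=connectall.example.com"

# Join directory and file name with exactly one "/". Gluing them together by
# hand ("securitysamlKeystore.jks") makes keytool create a brand-new keystore
# beside the real one, so the import "succeeds" but ConnectALL never sees it.
keystore_path() {
  printf '%s/%s\n' "${1%/}" "$2"
}

# Step 1: private key and self-signed certificate. -subj supplies the DN so
# nothing is prompted; -nodes leaves key.pem unencrypted, so restrict it.
generate_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days "$DAYS" \
    -subj "$SUBJ" -out certificate.pem
  chmod 600 key.pem
}

# Step 2: bundle into PKCS#12 under alias $1. The export password comes from
# $P12_PASSWORD via env: so it never appears in the process list.
build_p12() {
  openssl pkcs12 -inkey key.pem -in certificate.pem -export \
    -out certificate.p12 -name "$1" -passout env:P12_PASSWORD
}

# Aliases in a .p12 ($1), one per line. keytool -list prints
# "alias, date, PrivateKeyEntry," per entry, so take the first field.
p12_aliases() {
  keytool -list -keystore "$1" -storetype pkcs12 -storepass:env P12_PASSWORD \
    | awk -F', ' '/PrivateKeyEntry|trustedCertEntry/ { print $1 }'
}

# Step 2b (troubleshooting): a .p12 built without -name gets alias "1".
# Rename it so the import does not fail with "Alias <connectall> does not exist".
ensure_alias() {
  found="$(p12_aliases certificate.p12 | head -n 1)"
  if [ "$found" != "$ALIAS" ]; then
    keytool -changealias -keystore certificate.p12 -storetype pkcs12 \
      -storepass:env P12_PASSWORD -alias "$found" -destalias "$ALIAS"
  fi
}

# Step 3: import into the SAML keystore. The keystore must already exist;
# otherwise keytool silently creates a new one (that is what a
# "Re-enter new password" prompt means) and the path is probably wrong.
import_p12() {
  dest="$(keystore_path "$KEYSTORE_DIR" "$KEYSTORE_FILE")"
  [ -f "$dest" ] || { echo "SAML keystore not found: $dest" >&2; return 1; }
  sudo --preserve-env=P12_PASSWORD,KEYSTORE_PASSWORD keytool -importkeystore \
    -destkeystore "$dest" -deststorepass:env KEYSTORE_PASSWORD \
    -srckeystore certificate.p12 -srcstoretype pkcs12 \
    -srcstorepass:env P12_PASSWORD -alias "$ALIAS"
}

# Step 4: verify. keytool exits non-zero when the alias is absent, and
# openssl -checkend fails if the certificate expires within 30 days.
verify_import() {
  dest="$(keystore_path "$KEYSTORE_DIR" "$KEYSTORE_FILE")"
  sudo --preserve-env=KEYSTORE_PASSWORD keytool -list -keystore "$dest" \
    -storepass:env KEYSTORE_PASSWORD -alias "$ALIAS" >/dev/null
  openssl x509 -in certificate.pem -noout -checkend $((30 * 86400))
}

main() {
  : "${P12_PASSWORD:?export P12_PASSWORD first}"
  : "${KEYSTORE_PASSWORD:?export KEYSTORE_PASSWORD first}"
  generate_cert
  build_p12 "$ALIAS"
  ensure_alias
  import_p12
  verify_import
  rm -f key.pem certificate.p12   # the keystore now holds the private key
}

# Run only when asked, so the functions can also be sourced for testing.
if [ "${RUN_CONNECTALL_SSO:-0}" = "1" ]; then
  main
fi
```

Run it on the ConnectALL server as P12_PASSWORD=... KEYSTORE_PASSWORD=... RUN_CONNECTALL_SSO=1 sh connectall-sso-cert.sh.  Passwords are passed with openssl's env: and keytool's :env forms rather than on the command line, so they are not visible in ps; sudo --preserve-env (sudo 1.8.21 or later) is needed so the root keytool process can read them.  certificate.pem is kept because the identity provider needs the public certificate.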