HowTo: Generate certificates for authentication using SAML 2.0 GAM Authentication


The SAML 2.0 Authentication type requires some configuration steps concerning the creation of certificates and, in some cases (when using the Java generator), the setup of the servlet server. This document explains these steps in detail.

This is useful for completing the Credentials tab of the SAML 2.0 Authentication type configuration.

First, note that, for testing purposes, you will not need a valid CA certificate. A self-signed certificate will do.

How to generate a key pair using OpenSSL

openssl req -newkey rsa:2048 -keyout key.pem -x509 -days 365 -out certificate.pem

You will be prompted for a passphrase that protects the private key; remember it, because it is needed again below. As a result, you'll have key.pem containing the private key, and certificate.pem containing the self-signed certificate (which carries the public key).

For Agesic, you have to convert the certificate (the file containing the public key) into DER format as a .crt file, which is the certificate to be sent to Agesic:

openssl x509 -outform der -in certificate.pem -out certificate.crt


For Agesic, the certificate used to sign the request (the request sent by the Service Provider to the Identity Provider) should have the following characteristics:

  • RSA
  • 2048 key length
  • SHA256 algorithm
  • No flags

Request Credentials

You will need to package the private key and certificate into a PKCS#12 (.pfx) file in order to reference it in the Key Store Path property of the Request Credentials section of the SAML 2.0 Authentication type configuration (.pfx, .p12 and .pkcs12 are different extensions for the same PKCS#12 format). When prompted for the export password, use the same password you used to protect the private key in the step described above.

openssl pkcs12 -export -in certificate.pem -inkey key.pem -out certificate.pkcs12
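The OpenSSL steps above (key pair, DER .crt, and PKCS#12 for the Key Store Path), as an added POSIX shell helper that is not part of the original page: it runs them non-interactively, then checks the certificate against the Agesic requirements (RSA, 2048 bits, SHA-256), checks that the .crt is the same certificate as certificate.pem, and checks that the .pfx opens with the intended password. The password changeit, the subject /CN=saml-sp-test and the output file names are assumptions.

```shell
#!/bin/sh
# Added helper (not from the GeneXus page). Assumed: password "changeit", subject /CN=saml-sp-test.
set -eu
PASS="changeit"
# Same steps as the page's openssl commands, run non-interactively: passphrase-protected key and
# self-signed certificate, DER .crt for the IdP, PKCS#12 (.pfx) for the Key Store Path property.
gen_keypair() {
  dir="$1"
  openssl req -newkey rsa:2048 -sha256 -x509 -days 365 -subj "/CN=saml-sp-test" \
    -passout "pass:$PASS" -keyout "$dir/key.pem" -out "$dir/certificate.pem" 2>/dev/null
  openssl x509 -outform der -in "$dir/certificate.pem" -out "$dir/certificate.crt"
  # The .pfx is protected with the same password as the private key, as the page requires.
  openssl pkcs12 -export -in "$dir/certificate.pem" -inkey "$dir/key.pem" \
    -passin "pass:$PASS" -passout "pass:$PASS" -out "$dir/certificate.pfx"
}
# Verify the Agesic requirements for the signing certificate: RSA, 2048 bits, SHA-256 signature.
check_cert() {
  text=$(openssl x509 -in "$1" -noout -text)
  status=0
  echo "$text" | grep -qF "Public Key Algorithm: rsaEncryption" || { echo "FAIL: not RSA"; status=1; }
  echo "$text" | grep -qF "Public-Key: (2048 bit)" || { echo "FAIL: key is not 2048 bits"; status=1; }
  echo "$text" | grep -qF "Signature Algorithm: sha256WithRSAEncryption" || { echo "FAIL: not SHA-256"; status=1; }
  return $status
}
# The DER .crt handed to the IdP must be the very same certificate as certificate.pem.
check_crt_matches() {
  pem_fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256)
  der_fp=$(openssl x509 -inform der -in "$2" -noout -fingerprint -sha256)
  [ "$pem_fp" = "$der_fp" ]
}
# The .pfx must open with the given password and carry both the certificate and the private key;
# a password that differs from the one used for the key is the usual cause of a Key Store Path failure.
check_pfx() {
  if ! openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -q "BEGIN CERTIFICATE"; then
    echo "FAIL: cannot open $1 (wrong password?)"; return 1
  fi
  if ! openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null | grep -q "PRIVATE KEY"; then
    echo "FAIL: no private key in $1"; return 1
  fi
}
# Usage: sh gen_saml_sp_cert.sh --run [output-dir]
if [ "${1:-}" = "--run" ]; then
  out="${2:-./saml-sp}"; mkdir -p "$out"
  gen_keypair "$out"
  check_cert "$out/certificate.pem" && check_crt_matches "$out/certificate.pem" "$out/certificate.crt" \
    && check_pfx "$out/certificate.pfx" "$PASS" && echo "OK: files written to $out"
fi
```

On Windows, run it from Git Bash or WSL; the resulting certificate.crt and certificate.pfx are the files the Agesic and Key Store Path steps above refer to.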

Response Credentials

For configuring the Response Credentials section of the SAML 2.0 Authentication type, bear in mind that you must create a keystore containing the Agesic-Coesys-Testing.cer file provided by Agesic.

cd c:\Program Files\Java\jdk1.8.0_20\jre\bin
keytool -importcert -trustcacerts -noprompt -storepass changeit -alias 1 -file c:\temp\Agesic-Coesys-Testing.cer -keystore c:\temp\server.jks
openssl pkcs12 -export -in certificate.pem -inkey key.pem -out c:\temp\server.p12
keytool -importkeystore -srckeystore c:\temp\server.p12 -destkeystore c:\temp\server.jks -srcstoretype pkcs12

The first keytool command creates server.jks (store password changeit) and imports the Agesic certificate as a trusted entry (without -keystore, keytool would write to the user's default keystore instead). The openssl command packages your own certificate and private key as PKCS#12, and the second keytool command merges that PKCS#12 file into server.jks. As a result, you'll have a .jks file (server.jks) that must be referenced under the Trust Store Path property of the Response Credentials configuration.


For SAP, you can use OpenSSL to generate a key pair as explained above.

For the Request Credentials, see the Request Credentials section earlier in this document: the same procedure applies to both SAP and Agesic.

Response Credentials

You must convert the certificate provided by SAP (the one used to validate the response) into X.509 format. To this end, you may use samlTool.

Then save the result to a .pem file.

Afterwards, execute the following:

cd C:\Program Files\Java\jdk1.8.0_162\bin
keytool -import -file C:\cert\sapkey.pem -keystore C:\cert\sapkeystore.jks

By default, keytool stores the imported certificate under the alias mykey. To store it under a different alias, add the following option to the command:

-alias newAlias


For OKTA, you can use keytool to generate a keyresponse.jks as explained above. keytool is included in the Java JDK.

Response Credentials

First, download the certificate provided by OKTA and then import it into a keyresponse.jks keystore.


In a command line, go to the folder where you have the keytool app.

cd C:\Program Files\Java\jdk-\bin

Note: This is the standard location; yours could look different depending on your installation.

When you are there, execute the following:

keytool -importcert -trustcacerts -file C:\...\okta.cert -alias alias -keystore keystoreresponse.jks

Note: The path of your okta.cert that you enter in -file depends on where your certificate is placed; the -alias and -keystore values are up to the developer.

After that, the keystore file named in -keystore (keystoreresponse.jks in the example above) will be created in the current directory.


In .NET you cannot use a Java KeyStore.

Additional Information

Certificates and encodings