HowTo: Generating certificates for authenticating using SAML 2.0 GAM Authentication

Official Content

GAM SAML 2.0 Authentication type requires some configuration steps regarding the creation of certificates and the setup of the servlet's server in same cases (using Java generator). This document explains in detail the steps that should be considered.

This is useful in completing the Credentials tab information of GAM SAML 2.0 Authentication type configuration.

First, note that, for testing purposes, you will not need a valid CA certificate. A a self-signed certificate will do.

How to generate a pair of keys using openssl

openssl req -newkey rsa:2048 -keyout key.pem -x509 -days 365 -out certificate.pem

As a result, you'll have key.pem containg the private key, and certificate.pem containing the public key.

For Agesic, you have to change the format of the file containing the public key, and turn it into a .crt file (the certificate to be sent to Agesic):

openssl x509 -outform der -in certificate.pem -out certificate.crt


For Agesic, the certificate used to sign the request (of the Service Provider to the Identity Provider) should have the following characteristics:

  • RSA
  • 2048 key length
  • SHA256 algorithm
  • No flags

Request Credentials 

You will need to change the format of the file containing the private key and turn it into a .pfx file, in order to have it referenced in the Key Store Path property of the Request Credentials section of GAM SAML 2.0 Authentication type configuration. Use the same password used to define the certificate in the step described above.

openssl pkcs12 -export -in certificate.pem -inkey key.pem -out certificate.pkcs12

Response Credentials

For configuring the Response Credentials section of GAM SAML 2.0 Authentication type, bear in mind that you must create a Keystore using the Agesic-Coesys-Testing.cer file provided by Agesic.

cd c:\Program Files\Java\jdk1.8.0_20\jre\bin
keytool -importcert -trustcacerts -noprompt -storepass changeit -alias 1 -file c:\temp\Agesic-Coesys-Testing.cer
openssl pkcs12 -export -in certificate.pem -inkey key.pem > server.p12
keytool -importkeystore -srckeystore C:\temp\server.p12 -destkeystore server.jks -srcstoretype pkcs12

As a result, you'll have a .pks file that must be referenced under the Trust Store Path property of the Response Credentials configuration.


You can use openssl to generate a pair of keys as explained above.

For the Request credentials, take a look at the section Request credentials in this document, for it must be considered for both SAP and Agesic.

Response Credentials

You must convert the certificate provided by SAP to read the response into X509 format. To such end, you may use samlTool.

Then save the result to a .pem file.

Afterwards, execute the following:

cd C:\Program Files\Java\jdk1.8.0_162\bin
keytool -import -file C:\cert\sapkey.pem -keystore C:\cert\sapkeystore.jks

You may generate a new alias by executing:

-alias newAlias



In .NET you can not use a Java KeyStore.

Additional Information

Certificates and encodings