Generate Private Key and then a Certificate

posted Oct 2, 2015, 5:45 AM by Kevin Melillo   [ updated Oct 2, 2015, 11:00 AM ]
I recently ran into an issue with a customer involving Google Apps and SSO.  This customer had nobody on staff that knew about certificates.  Usually we leave this in the hands of the customer, but in this case, they did not know how to start.  I also was in the dark on this, as we had never had to provide this information to customers in the past.  

I started researching on Google, and I was able to put together a bit of information.  I am not sure if this is correct, or complete, but here is what I have found.

Creating the Private Key  
In order to start this whole process, you need to generate a private key.  Google offers a small bit of documentation around this, and I wanted to start there, because the whole process began because we are implementing an SSO solution for Google Apps.  So I looked at the few options they had: linux command-line, java based key generation, or using a third-party purchased certificate.  The choice for me was an easy one...  I did not want to PAY anything to learn about this, so the purchased option was OUT.  I knew next to nothing about JAVA and did not want or need to install a complicated IDE just to test out creating private/public keys...  I had recently just installed a linux virtual machine.  I also have a bit of background knowledge of linux, so even if I didn't have the proper tools installed, I believed I could get them pretty quickly and easily.  I booted up my linux VM, dropped to command line, and checked if I had openssl installed.  BINGO!  It was there.  

The next step was to generate a private key.  I did this by following the simple instructions that Google has laid out for this.

openssl genrsa -out my_private.key 1024

I had my private key!  I opened the key in a text editor, and saw that it was a long randomly generated string of letters and numbers with a header and a footer that marked it as a private key.  Step one...  COMPLETE.

Creating the x509 Certificate  
Google requires that you either upload a Public Key, or an x509 Certificate.  Since they provide simple instructions on how to create an x509 Certificate from a Private Key, I chose to test out this method.  

openssl req -x509 -new -nodes -key my_private.key -days 365 -out my.crt

I now had a certificate file that I believed I could use.  I opened the certificate in a text editor, and saw that it was a long randomly generated string of letters and numbers with a header and a footer that marked it as a certificate.  Step two...  COMPLETE.

Comparing the Two  
The problem our current customer is having is that the logs show that the private key they are using along with the public certificate does not match.  So I needed a way to test to see if the two values generated in the above steps matched.  I did a few Google searches, and came back with the following results.

openssl x509 -noout -modulus -in my.crt | openssl md5
openssl rsa -noout -modulus -in my_private.key | openssl md5

The commands return the md5 hash of the RSA modulus of the certificate, and then of the private key; since the modulus is the public part shared by a key and any certificate made from it, the two hashes are equal only when the certificate was built from that key.  I was able to verify that these hashes did match.  Step three...  COMPLETE.
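The three steps above as one runnable script, added here as an example and not part of the original post: it generates a key, a self-signed x509 certificate from it, and a second unrelated key, then checks which key matches the certificate by comparing moduli. It assumes openssl is on PATH; the file names, the 2048-bit size and the subject name are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not the post's own script). Assumes openssl is installed.
# File names, key size and the certificate subject are placeholders.
set -e

WORK="$(mktemp -d)"

# Step one: private key. 2048 bits is used here rather than the 1024 in the post.
gen_key() {
    openssl genrsa -out "$1" 2048 2>/dev/null
}

# Step two: self-signed certificate from the key. -subj supplies the subject
# so that `openssl req` does not stop to ask for it interactively.
gen_cert() {
    openssl req -x509 -new -nodes -key "$1" -days 365 \
        -subj "/CN=sso.example.invalid" -out "$2" 2>/dev/null
}

# Step three: the modulus is the public RSA component, so a key and a
# certificate belong together exactly when their moduli are identical.
# Returns 0 (true) on match, 1 otherwise.
key_matches_cert() {
    key_mod="$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)"
    crt_mod="$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)"
    [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ]
}

# The same check written the way the post shows it: md5 of the modulus line.
# $1 is the openssl subcommand (rsa for a key, x509 for a certificate).
modulus_md5() {
    openssl "$1" -noout -modulus -in "$2" 2>/dev/null | openssl md5
}

gen_key "$WORK/my_private.key"
gen_cert "$WORK/my_private.key" "$WORK/my.crt"
gen_key "$WORK/other.key"   # unrelated key, to show what a mismatch looks like

modulus_md5 x509 "$WORK/my.crt"
modulus_md5 rsa "$WORK/my_private.key"
modulus_md5 rsa "$WORK/other.key"

if key_matches_cert "$WORK/my_private.key" "$WORK/my.crt"; then
    echo "my_private.key matches my.crt"
fi
if ! key_matches_cert "$WORK/other.key" "$WORK/my.crt"; then
    echo "other.key does NOT match my.crt"
fi
```

The first two md5 lines printed are equal and the third differs; the generated files are left in the temporary directory for inspection.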

With the above procedure I was able to generate a private key, create a certificate from that key, and verify that the private key and certificate matched up.  I was ready to move on, and upload the certificate to Google, and install the private key to whatever SSO solution would be implemented.