Set Up SSL Keys for SAML 2.0
To use Hub as the Identity Provider with SAML, you must encrypt the connection between Hub and a Service Provider. You need to generate an SSL key and a certificate, pack them in a PKCS #12 format file, and upload it to Hub.
There are several tools that let you create SSL keys and certificates in PKCS #12 format. We describe how to create SSL keystore with the OpenSSL toolkit.
To create an SSL keystore with OpenSSL:
Generate a new 2048 bit RSA key with password protection:openssl genrsa -des3 -out Hub_SAML.key 2048
Generate a certificate request for the generated key:openssl req -new -key Hub_SAML.key -out Hub_SAML.csr
Generate a certificate:openssl x509 -req -days 365 -in Hub_SAML.csr -signkey Hub_SAML.key -out Hub_SAML.crt
Package the key and the certificate in a PKCS #12 file:openssl pkcs12 -export -out Hub_SAML.p12 -inkey Hub_SAML.key -in Hub_SAML.crt -certfile Hub_SAML.crt
You have a PKCS #12 keystore (
Hub_SAML.p12in the example) that is ready for upload to Hub.
To import the PKCS #12 keystore to Hub:
In the Server Settings section of the Administration menu, select .
Click the Import keystore button.
Select the created
.p12key file, provide the password, and upload the keystore to Hub.
In the Access Management section of the Administration menu, select .
Select the key in the SSL Key drop-down list on the Settings tab.
Hub encrypts the connection with SAML Service Providers using the selected SSL key. Hub also extracts and displays the SHA-256, SHA-1, and MD-5 Fingerprints of the certificate that is packed into the selected keystore.
A service provider may require any of these fingerprints to enable and configure SAML2.0 on its side.