When using a certificate to sign OAuth requests, the private key of a certificate is used to generate a signature, which must be included with each request. The public key embedded in the certificate is used by web sign-on to verify the signature. The public key must be a 1024-bit RSA key encoded in an X.509 certificate in PEM format, and must be sent to us at time of registration.
The following sections provide examples of how to generate keys and certificates using two particular tools: the
OpenSSL utility and Java's
These examples are not specific to Warwick APIs; you can use the same utilities to generate keys for any purpose.
The examples assume that your company is named My_Company, and is located in Coventry, UK, with domain name example.com.
Generating keys using OpenSSL
To create a pair of RSA keys and the corresponding certificate, you could use the following command:
# Generate the RSA keys and certificate openssl req -x509 -nodes -days 365 -newkey rsa:1024 -sha1 -subj \ '/C=GB/ST=West Midlands/L=Coventry/CN=www.example.com' -keyout \ myrsakey.pem -out /tmp/myrsacert.pem
-sha1 parameter specifies that the key will be used to generate SHA1 signatures.
-subj parameter specifies the identity of the application that the certificate represents.
-keyout parameter specifies the file that will contain the keys. This file contains sensitive information and should be protected and not shared with anyone.
-out parameter specifies the file that will contain the certificate in PEM format (which should be sent to us while registering).
Generating keys for the Java client
The Java client accepts private keys in the PKCS#8 format. After generating a key/cert using the directions above, create a .pk8 file from your generated .pem file:
openssl pkcs8 -in myrsakey.pem -topk8 -nocrypt -out myrsakey.pk8
Alternatively, you can use the Java key store and the keytool utility to create a pair of RSA keys and the corresponding certificate. Use the following command:
# Generate the RSA keys and certificate keytool -genkey -v -alias Example -keystore ./Example.jks\ -keyalg RSA -sigalg SHA1withRSA\ -dname "CN=www.example.com, OU=Engineering, O=My_Company, L=Coventry, ST=West Midlands, C=GB"\ -storepass changeme -keypass changeme
-dname parameter specifies the identity of the application that the certificate represents. The
-storepass parameter specifies the password to protect the keystore. The
-keypass parameter specifies the password to protect the private key.
To write the certificate to a file that can be used to submit for registration, use the following command:
# Output the public certificate to a file keytool -export -rfc -keystore ./Example.jks -storepass changeme \ -alias Example -file mycert.pem