Information on RSA-SHA1 certificates
When using a certificate to sign OAuth requests, the private key of the certificate is used to generate a signature, which must be included with each request. The public key embedded in the certificate is used by web sign-on to verify the signature. The public key must be a 1024-bit RSA key encoded in an X.509 certificate in PEM format, and must be sent to us at the time of registration.
The following sections provide examples of how to generate keys and certificates using two particular tools: the OpenSSL utility and Java's keytool utility.
These examples are not specific to Warwick APIs; you can use the same utilities to generate keys for any purpose.
The examples assume that your company is named My_Company, and is located in Coventry, UK, with domain name example.com.
Generating keys using OpenSSL
To create a pair of RSA keys and the corresponding certificate, you could use the following command:
# Generate the RSA keys and certificate
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -sha1 -subj \
'/C=GB/ST=West Midlands/L=Coventry/CN=www.example.com' -keyout \
myrsakey.pem -out /tmp/myrsacert.pem
The -sha1 parameter specifies that the key will be used to generate SHA1 signatures.
The -subj parameter specifies the identity of the application that the certificate represents.
The -keyout parameter specifies the file that will contain the keys. This file contains sensitive information and should be protected and not shared with anyone.
The -out parameter specifies the file that will contain the certificate in PEM format (which should be sent to us while registering).
Generating keys for the Java client
The Java client accepts private keys in the PKCS#8 format. After generating a key/cert using the directions above, create a .pk8 file from your generated .pem file:
openssl pkcs8 -in myrsakey.pem -topk8 -nocrypt -out myrsakey.pk8
Alternatively, you can use the Java key store and the keytool utility to create a pair of RSA keys and the corresponding certificate. Use the following command:
# Generate the RSA keys and certificate
# -keysize 1024 matches the 1024-bit requirement stated above (recent keytool
# versions default to 2048-bit RSA keys otherwise)
keytool -genkey -v -alias Example -keystore ./Example.jks \
-keyalg RSA -keysize 1024 -sigalg SHA1withRSA \
-dname "CN=www.example.com, OU=Engineering, O=My_Company, L=Coventry, ST=West Midlands, C=GB" \
-storepass changeme -keypass changeme
The -dname parameter specifies the identity of the application that the certificate represents.
The -storepass parameter specifies the password to protect the keystore.
The -keypass parameter specifies the password to protect the private key.
To write the certificate to a file that can be used to submit for registration, use the following command:
# Output the public certificate to a file
keytool -export -rfc -keystore ./Example.jks -storepass changeme \
-alias Example -file mycert.pem
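The following script is an added example, not part of the original page: it runs the OpenSSL steps above end to end (key pair and certificate, then PKCS#8 conversion) and then demonstrates the sign-with-private-key, verify-with-certificate round trip that RSA-SHA1 OAuth signing relies on. The signed message is a constructed stand-in for an OAuth signature base string; the file names match the commands above and the work happens in a temporary directory.

```shell
#!/bin/sh
# Added example: generate the 1024-bit RSA key and PEM certificate with the
# openssl command from the page, convert the key to PKCS#8, then sign and
# verify a constructed message the way an RSA-SHA1 OAuth signature is checked.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# 1024-bit RSA key plus self-signed X.509 certificate in PEM, as required above.
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -sha1 \
  -subj '/C=GB/ST=West Midlands/L=Coventry/CN=www.example.com' \
  -keyout "$WORKDIR/myrsakey.pem" -out "$WORKDIR/myrsacert.pem" 2>/dev/null

# PKCS#8 form of the private key, as the Java client expects.
openssl pkcs8 -in "$WORKDIR/myrsakey.pem" -topk8 -nocrypt -out "$WORKDIR/myrsakey.pk8"

# The verifying side only ever receives the certificate, so it works from the
# public key extracted from that certificate, never from the private key file.
openssl x509 -in "$WORKDIR/myrsacert.pem" -pubkey -noout > "$WORKDIR/pubkey.pem"

# Sign a message (the OAuth signature base string) with the private key and
# print the base64-encoded RSA-SHA1 signature that would be sent as oauth_signature.
sign_request() {
  printf '%s' "$1" | openssl dgst -sha1 -sign "$WORKDIR/myrsakey.pk8" | openssl base64 -A
}

# Verify a base64 signature against a message using only the certificate's
# public key. Returns 0 when the signature matches, non-zero otherwise.
verify_request() {
  printf '%s' "$2" | openssl base64 -d -A > "$WORKDIR/sig.bin"
  printf '%s' "$1" | openssl dgst -sha1 -verify "$WORKDIR/pubkey.pem" \
    -signature "$WORKDIR/sig.bin" >/dev/null 2>&1
}

# Constructed sample base string (method, URL and normalised parameters).
BASE_STRING='GET&https%3A%2F%2Fwww.example.com%2Fapi&oauth_consumer_key%3Dexample%26oauth_nonce%3Dabc123'
SIG="$(sign_request "$BASE_STRING")"
verify_request "$BASE_STRING" "$SIG" && echo "signature verified with certificate public key"
```

Any change to the signed message, such as an altered parameter, makes verify_request fail, which is the property the server relies on when it checks each request.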