
I am trying to generate a private/public key pair in X.509 format along with a self signed cert which I need to use for my SAML application.

Here is what I have done:

  1. Generate a self-signed cert and private key from here and save them in .pem format.
  2. Use the private key to generate a public key with the command `openssl rsa -in key.pem -pubout -out pubkey.pem`

When I give these keys to my SAML application, it errors out on the public key generated on step 2 with the following message:

`java.io.IOException: Short read of DER length`

What is it that I am doing wrong here?

Killer Beast
  • You can just generate a key pair via keytool or openssl, you do not need the saml tools. The public key is enclosed in the certificate, which is more or less the public key signed with the private key of the issuing party. – Bernhard Thalmayr Sep 27 '19 at 21:27

1 Answer


Question:

I am trying to generate a private/public key pair in X.509 format along with a self signed cert which I need to use for my SAML application.

Answer:

(1) On Ubuntu 22.04, I ran the following native openssl commands to generate a private/public key pair in X.509 format for a Shibboleth SAML SP application successfully.

```bash
# 2048-bit RSA private key, written without a pass phrase so the SP can load it directly
openssl genrsa -out key.pem 2048
# certificate signing request for that key
openssl req -new -key key.pem -out certreq.csr
# self-signed certificate; -days belongs on this step (openssl req ignores -days without -x509,
# and openssl x509 -req would otherwise default to 30 days of validity)
openssl x509 -req -in certreq.csr -signkey key.pem -days 365 -out cert.pem
```

(2) I uploaded the generated public cert/key (i.e., cert.pem) of the Shibboleth SAML SP application to a Shibboleth SAML IdP.

(3) I logged in to the Shibboleth SAML SP application successfully through the authentication provided by the Shibboleth SAML IdP and OpenLDAP.

Remark:

(I) Please ensure that the IdP or SP database defines a sufficient length for the column type used to store the public cert/key or private key, e.g., varchar(2500).

(II) If you run the openssl command under a Windows environment, please check my answer to another StackOverflow question, [Git status ignore line endings / identical files / windows & linux environment / dropbox / mled](https://stackoverflow.com/questions/20496084/git-status-ignore-line-endings-identical-files-windows-linux-environment/49324186#49324186), to remove "premature EOF" from the end of the private key and public cert/key.

(III) The GitHub repository "How to build and run Shibboleth SAML IdP and SP using Docker container" provides instructions on how to build and run a Shibboleth SAML IdP and SAML SP testbed to test your SAML SP application.

The standalone Shibboleth SAML IdP testbed allows you to check the log to debug your certificate issue.

winstonhong
  • Thanks for the tip. With your above command I generated the keys/cert, and this time it errors in the private key saying: `java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: IOException : Detect premature EOF`. This time, however, the public key works fine. – Killer Beast Sep 28 '19 at 05:37
  • If you run the openssl command under Windows environment, please check my answer for another StackOverflow question [Git status ignore line endings / identical files / windows & linux environment / dropbox / mled](https://stackoverflow.com/questions/20496084/git-status-ignore-line-endings-identical-files-windows-linux-environment/49324186#49324186) to remove "premature EOF" from the end of private key and public cert/key. – winstonhong Sep 30 '19 at 13:01
  • Please ensure that the IdP or SP database defines sufficient length for Type which is used to store public cert/key or private key, e.g., varchar(2500). I have updated my answer to include two potential solutions for "premature EOF". – winstonhong Sep 30 '19 at 13:28
  • I have updated the openssl command to solve the new issue "this time it errors in the private key saying : java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: IOException : Detect premature EOF". The new openssl command removes the pass phrase so that your SAML SP does NOT need to configure a pass phrase to decrypt the private key. – winstonhong Sep 30 '19 at 16:32
  • These commands are wrong. openssl genrsa does not support a `-days` switch – Appleoddity Mar 27 '23 at 16:59
  • @Appleoddity Thank you very much for testing the command. I tested the command on Ubuntu 16.04, which has been removed from my workstation due to expired LTS. I tested the command on the latest LTS Ubuntu 22.04 and validated your comment. Then I updated my answer based on Ubuntu 22.04. Thank you very much for your valuable comment. – winstonhong Mar 28 '23 at 18:25
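The "Short read of DER length" error in the question and the "premature EOF" from Windows line endings discussed in the comments both point at a PEM file whose contents do not decode cleanly: a DER parser reports a short read when the length field, or the content it announces, runs past the end of the available bytes. As an added example (not part of the original question, the answer, or any of the tools named), the Python checker below, run over constructed sample PEM inputs, flags CRLF line endings, a body that is not valid base64, and a declared DER length longer than the bytes actually present, so a key or certificate can be sanity-checked before it is handed to the SAML application.

```python
import base64
import re

# Constructed sample inputs (not from the original post).
# Well-formed PEM whose body is the DER SEQUENCE { INTEGER 1 }: 30 03 02 01 01.
GOOD_PEM = "-----BEGIN TEST-----\nMAMCAQE=\n-----END TEST-----\n"
# Same bytes, but the outer SEQUENCE declares 5 content bytes while only 3 follow
# (30 05 02 01 01): a DER parser runs out of input, i.e. a short read.
SHORT_PEM = "-----BEGIN TEST-----\nMAUCAQE=\n-----END TEST-----\n"
# Well-formed DER, but saved with Windows CRLF line endings.
CRLF_PEM = GOOD_PEM.replace("\n", "\r\n")

_PEM_RE = re.compile(r"-----BEGIN ([^-]+)-----(.*?)-----END \1-----", re.S)


def der_declared_length(der: bytes) -> tuple:
    """Return (header_len, content_len) of the first DER tag-length-value."""
    if len(der) < 2:
        raise ValueError("short read of DER length: missing tag or length byte")
    first = der[1]
    if first < 0x80:                      # short form: the byte is the length
        return 2, first
    n = first & 0x7F                      # long form: n further length bytes
    if n == 0 or len(der) < 2 + n:
        raise ValueError("short read of DER length: length bytes truncated")
    return 2 + n, int.from_bytes(der[2:2 + n], "big")


def check_pem(text: str) -> list:
    """Return the problems found in one PEM file; an empty list means it is clean."""
    problems = []
    if "\r" in text:
        problems.append("CRLF line endings (re-save the file with LF line endings)")
    m = _PEM_RE.search(text)
    if not m:
        return problems + ["no BEGIN/END armor found"]
    body = re.sub(r"\s+", "", m.group(2))
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:                    # binascii.Error is a ValueError
        return problems + ["PEM body is not valid base64"]
    try:
        header, content = der_declared_length(der)
    except ValueError as exc:
        return problems + [str(exc)]
    have = len(der) - header
    if have < content:
        problems.append(f"short read of DER length: declared {content} bytes, only {have} present")
    elif have > content:
        problems.append(f"{have - content} trailing bytes after the DER structure")
    return problems
```

To check a real file, pass `open("key.pem").read()` to `check_pem`; the same checks apply to cert.pem and pubkey.pem since all three are PEM-armored DER.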