
I am trying to get an access token by following the guide OAuth 2.0 JWT Bearer Token Flow. But I am stuck on the following:

The developer writes an app that generates a JWT. The JWT is signed with the X509 Certificate’s private key, and the connected app uses the certificate to verify the signature.

I know you can create a self-signed cert through Salesforce, but that never gives you a private key.

How do you create a self-signed X509 certificate that you can upload to Salesforce and use with your connected app?

  • From help.salesforce.com/…: You can export all your certificates and private keys into a keystore for storage or import certificates and keys from a keystore. Commented Jun 3, 2019 at 20:02
  • @identigral and once you export, how do you get the values? Do you need a special program to open the downloaded file? Commented Oct 24, 2022 at 5:00
  • @manza keystore-explorer.org Commented Oct 24, 2022 at 5:40
  • @identigral yeah, I downloaded the program, I exported the .jks file from the certificate and opened it in the app. I can see all the certificates in there, but I need to export the private key; I need that to generate the JWT token. Commented Oct 24, 2022 at 5:49

1 Answer

You use OpenSSL for that. On Linux/macOS, a script like this will generate multiple certificates, if you need them (for multiple environments in a CI/CD context, for example).

#!/usr/bin/env bash

if [ -z "$1" ]; then
  echo "Missing #1 argument (password)."
  exit 1
fi

echo "This script will output multiple certificates (canary, uat and production)."
echo "Country Name (2 letter code) []: "
read COUNTRY
echo "State or Province Name (full name) []: "
read STATE_PROVINCE
echo "Locality Name (eg, city) []: "
read LOCALITY
echo "Organization Name (eg, company) []: "
read ORG_NAME
echo "Organizational Unit Name (eg, section) []: "
read ORG_UNIT_NAME
echo "Common Name (eg, fully qualified host name) []: "
read COMMON_NAME
echo "Email Address []: "
read EMAIL

PASSWORD=$1

function generate () {
  # -p so the script can be re-run without failing on existing directories
  mkdir -p assets
  mkdir -p assets/certificates

  # edit this line with all the targets you need
  # (if you need more than one certificate, that is)
  # if you don't need more than one, then just follow the commands
  # inside this loop to generate your certificate
  for CERT_TARGET in "canary" "uat" "production"
  do
    # Generate a private key, and store it in a file called server.key.
    openssl genrsa -des3 -passout pass:x -out assets/"$CERT_TARGET"_server.pass.key 2048
    openssl rsa -passin pass:x -in assets/"$CERT_TARGET"_server.pass.key -out assets/"$CERT_TARGET"_server.key

    # Generate a certificate signing request using the server.key file. Store the
    # certificate signing request in a file called server.csr. Enter information
    # about your company when prompted.
    openssl req -new -key assets/"$CERT_TARGET"_server.key -out assets/"$CERT_TARGET"_server.csr \
      -subj "/C=$COUNTRY/ST=$STATE_PROVINCE/L=$LOCALITY/O=$ORG_NAME/OU=$ORG_UNIT_NAME/CN=$COMMON_NAME/emailAddress=$EMAIL"

    # Generate a self-signed digital certificate from the server.key and server.csr
    # files. Store the certificate in a file called server.crt.
    openssl x509 -req -sha256 -days 730 -in assets/"$CERT_TARGET"_server.csr -signkey assets/"$CERT_TARGET"_server.key -out assets/"$CERT_TARGET"_server.crt

    # Encrypt the server private key
    openssl aes-256-cbc -k "$PASSWORD" -in assets/"$CERT_TARGET"_server.key -out assets/certificates/"$CERT_TARGET"_server.key.enc -e -md sha256
  done
}

generate

Of course, the downside of this sample script is that all certificates will be generated with the same password (and that's not good). Take that into consideration if you use it.

Search for the equivalent commands on Windows.

  • Generating a cert with openssl definitely helped, thanks. Commented Jun 3, 2019 at 21:41
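As an added example (not part of the question or of the answerer's script), the sentence the asker quoted, carried end to end with OpenSSL in bash: a non-interactive one-command key plus self-signed certificate, a check that the private key you keep actually matches the certificate you upload, and an RS256 JWT signed with the key and then verified with nothing but the certificate, which is what the connected app does on its side. The function names, the Common Name and the claim values (`CLIENT_ID_PLACEHOLDER`, the login URL, the `exp` value) are assumptions made for this example, not values from the page.

```shell
#!/usr/bin/env bash
# Added example, not the answerer's script: key + self-signed cert in one openssl
# call, a key/cert match check, and an RS256 JWT signed with the key and
# verified with the certificate. Names and claim values below are made up.
set -euo pipefail

# base64url without padding (RFC 7515 encoding for JWS segments)
b64url() {
  openssl base64 -A | tr '+/' '-_' | tr -d '='
}

# Restore standard base64 (alphabet and padding) from base64url so openssl can decode it.
b64url_decode() {
  local s=$1
  case $(( ${#s} % 4 )) in
    2) s="$s==" ;;
    3) s="$s=" ;;
  esac
  printf '%s' "$s" | tr '_-' '/+' | openssl base64 -d -A
}

# $1 = output dir, $2 = Common Name (assumed value).
# One non-interactive call replaces genrsa + req + x509 -req for a self-signed cert.
make_cert_and_key() {
  local dir=$1 cn=$2
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 730 \
    -subj "/CN=$cn" -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# $1 = private key, $2 = certificate. Succeeds only when the certificate carries
# the public half of exactly this key, i.e. the pair you would upload and sign with.
key_matches_cert() {
  local key_pub cert_pub
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# $1 = private key, $2 = claims JSON. Emits a compact RS256 JWS (header.payload.signature).
sign_jwt() {
  local header payload sig
  header=$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | b64url)
  payload=$(printf '%s' "$2" | b64url)
  sig=$(printf '%s' "$header.$payload" | openssl dgst -sha256 -sign "$1" | b64url)
  printf '%s.%s.%s' "$header" "$payload" "$sig"
}

# $1 = certificate, $2 = compact JWT. Verifies the signature with the cert's public
# key only, which is what the connected app does with the uploaded certificate.
verify_jwt() {
  local cert=$1 jwt=$2 tmp rc=0
  tmp=$(mktemp -d)
  openssl x509 -in "$cert" -pubkey -noout > "$tmp/pub.pem"
  b64url_decode "${jwt##*.}" > "$tmp/sig.bin"
  printf '%s' "${jwt%.*}" | openssl dgst -sha256 -verify "$tmp/pub.pem" \
    -signature "$tmp/sig.bin" >/dev/null 2>&1 || rc=$?
  rm -rf "$tmp"
  return "$rc"
}

# Demo with constructed values: CLIENT_ID_PLACEHOLDER and the login URL stand in
# for the consumer key and audience the flow expects; exp is an arbitrary epoch time.
demo() {
  local dir jwt
  dir=$(mktemp -d)
  make_cert_and_key "$dir" "jwt-bearer-demo"
  if ! key_matches_cert "$dir/server.key" "$dir/server.crt"; then
    echo "private key does not match certificate" >&2; return 1
  fi
  echo "key matches certificate"
  jwt=$(sign_jwt "$dir/server.key" \
    '{"iss":"CLIENT_ID_PLACEHOLDER","sub":"user@example.com","aud":"https://login.salesforce.com","exp":1700000000}')
  if ! verify_jwt "$dir/server.crt" "$jwt"; then
    echo "signature did not verify" >&2; return 1
  fi
  echo "signature verified with certificate only"
  rm -rf "$dir"
}

demo
```

The match check is the step people skip: after exporting or regenerating material, compare `openssl pkey -pubout` on the key with `openssl x509 -pubkey` on the certificate before uploading, so a "invalid assertion" failure later is not a key/cert mismatch. The verifier deliberately gets only the certificate, mirroring the trust boundary the quoted sentence describes.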
