[SalesForce] Create self-signed x509 certificate

I am trying to get an access token by following the guide OAuth 2.0 JWT Bearer Token Flow. But I am stuck on the following

The developer writes an app that generates a JWT. The JWT is signed with the X509 Certificate’s private key, and the connected app uses the certificate to verify the signature.

I know you can create a self-signed cert through salesforce but that never gives you a private key.

How do you create a self-signed x509 certificate that you can upload to salesforce and use with your connected app?

Best Answer

You use OpenSSL for that. On Linux/macOS, a script like this will generate multiple certificates, if you need them (for multiple environments in a CI/CD context, for example).

#!/usr/bin/env bash

# The only argument is the password used to encrypt the generated private keys.
if [ -z "$1" ]
    then
        echo "Missing #1 argument (password)."
        exit 1
fi

echo "This script will output multiple certificates (canary, uat and production)."
echo "Country Name (2 letter code) []: "
read -r COUNTRY
echo "State or Province Name (full name) []: "
read -r STATE_PROVINCE
echo "Locality Name (eg, city) []: "
read -r LOCALITY
echo "Organization Name (eg, company) []: "
read -r ORG_NAME
echo "Organizational Unit Name (eg, section) []: "
read -r ORG_UNIT_NAME
echo "Common Name (eg, fully qualified host name) []: "
read -r COMMON_NAME
echo "Email Address []: "
read -r EMAIL

PASSWORD=$1

function generate () {

    # -p creates the parent directory too and does not fail if it already exists
    mkdir -p assets/certificates

    # edit this line with all the targets you need
    # (if you need more than one certificate, that is)
    # if you don't need more than one, then just follow the commands
    # inside this loop to generate your certificate
    for CERT_TARGET in "canary" "uat" "production"
    do
        # Generate a private key, and store it in a file called server.key.
        # The .pass.key file is a scratch copy protected with the throwaway
        # password "x"; the second command writes the unprotected server.key.
        openssl genrsa -des3 -passout pass:x -out assets/"$CERT_TARGET"_server.pass.key 2048
        openssl rsa -passin pass:x -in assets/"$CERT_TARGET"_server.pass.key -out assets/"$CERT_TARGET"_server.key

        # Generate a certificate signing request using the server.key file. Store the
        # certificate signing request in a file called server.csr. The subject is
        # built from the values entered above, so there are no interactive prompts.
        openssl req -new -key assets/"$CERT_TARGET"_server.key -out assets/"$CERT_TARGET"_server.csr -subj "/C=$COUNTRY/ST=$STATE_PROVINCE/L=$LOCALITY/O=$ORG_NAME/OU=$ORG_UNIT_NAME/CN=$COMMON_NAME/emailAddress=$EMAIL"

        # Generate a self-signed digital certificate from the server.key and server.csr
        # files. Store the certificate in a file called server.crt.
        openssl x509 -req -sha256 -days 730 -in assets/"$CERT_TARGET"_server.csr -signkey assets/"$CERT_TARGET"_server.key -out assets/"$CERT_TARGET"_server.crt

        # Encrypt the server private key with the password given as argument #1
        # (quoted so that a password containing spaces is passed intact)
        openssl aes-256-cbc -k "$PASSWORD" -in assets/"$CERT_TARGET"_server.key -out assets/certificates/"$CERT_TARGET"_server.key.enc -e -md sha256
    done
}

generate

Of course, the downside of this sample script is that all certificates will be generated with the same password (and that's not good). Take that into consideration if you use it.

Search for the equivalent commands on Windows.
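An added example, not from the original answer, that goes one step beyond the script above: it produces the private key and self-signed certificate in a single openssl req call, checks that the certificate's public key matches the private key, and then signs a JWT assertion with the key and verifies it with the certificate alone, which is the check the connected app performs. It assumes openssl is on PATH; the certificate subject and the iss/sub/aud claim values are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer): one-step key plus self-signed
# certificate, a check that they belong together, then an RS256 JWT assertion
# signed with the key and verified with the certificate alone, as the connected
# app does. Assumes openssl on PATH; subject, iss, sub and aud are placeholders.
set -eu
WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
KEY="$WORKDIR/server.key"; CRT="$WORKDIR/server.crt"

b64url() {          # base64url without padding, as JWT segments require
    openssl base64 -A | tr '+/' '-_' | tr -d '='
}

b64url_decode() {   # inverse of b64url: restore standard alphabet and padding
    local s; s=$(tr '_-' '/+')
    while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done
    printf '%s' "$s" | openssl base64 -d -A
}

# 2048-bit RSA key (-nodes: no passphrase) and a certificate valid for two years.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 730 \
        -keyout "$KEY" -out "$CRT" \
        -subj "/C=XX/O=Example Org/CN=jwt-bearer.example" 2>/dev/null
}

# The uploaded certificate must carry the public half of the key that signs JWTs.
key_matches_cert() {
    [ "$(openssl pkey -in "$KEY" -pubout)" = "$(openssl x509 -in "$CRT" -noout -pubkey)" ]
}

# RS256 JWT with the claims the flow expects; exp is three minutes from now.
make_jwt() {
    local header claims sig
    header=$(printf '{"alg":"RS256"}' | b64url)
    claims=$(printf '{"iss":"CONSUMER_KEY_PLACEHOLDER","sub":"user@example.com","aud":"https://login.salesforce.com","exp":%d}' \
        "$(( $(date +%s) + 180 ))" | b64url)
    sig=$(printf '%s.%s' "$header" "$claims" | openssl dgst -sha256 -sign "$KEY" -binary | b64url)
    printf '%s.%s.%s' "$header" "$claims" "$sig"
}

# Verify using only the certificate's public key; exit status 0 means the signature holds.
verify_jwt() {
    local jwt="$1" pub="$WORKDIR/cert.pub" sig="$WORKDIR/sig.bin"
    openssl x509 -in "$CRT" -noout -pubkey > "$pub"
    printf '%s' "${jwt##*.}" | b64url_decode > "$sig"
    printf '%s' "${jwt%.*}" | openssl dgst -sha256 -verify "$pub" -signature "$sig" >/dev/null 2>&1
}
```

Run `make_cert && key_matches_cert && verify_jwt "$(make_jwt)"` to exercise the whole chain; a mismatched key or an altered claims segment makes the last step fail.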
