Signing Certificates
For each domain in SKFS, a Root Certificate Authority (Root CA) is generated to issue certificates for any number ('N') of SSO signing keys per use case (SAML and JWT), forming a two-tier PKI hierarchy. The SKFS Policy JSON object contains the subject Distinguished Names (DNs) of the signing keys to be used within the SKFS.
The subject DN value in the "subjectdn" key of each JSON object representing an SSO signing key must use the string format defined in RFC 2253. This DN can be retrieved from a certificate with the following command:
openssl x509 -in <certificate-file> -noout -subject -nameopt rfc2253 | awk -F 'subject=' '{print $2}'
The serial number of each certificate representing an SSO signing key must be given in decimal, not in the hexadecimal form that openssl prints. The serial number can be retrieved from a certificate and converted with the following command:
echo $((16#$(openssl x509 -in <certificate-file> -noout -serial | awk -F 'serial=' '{print $2}')))
The following is an example of the signcerts JSON object:
"signcerts": {
    "rootca": {
        "subjectdn": " CN=StrongKey FIDO Server RootCA,...",
        "serialnumber": "1119189260",
        "pemcert": ".",
        "jwtcerts": {
            "default": [
                {
                    "subjectdn": " CN=SKFS JWT Signer 1...",
                    "serialnumber": "763610591",
                    "pemcert": " ......"
                },
                {
                    "subjectdn": " CN=SKFS JWT Signer 2...",
                    "serialnumber": "2026985890",
                    "pemcert": "..."
                },
                {
                    "subjectdn": " CN=SKFS JWT Signer 3...",
                    "serialnumber": "1806749684",
                    "pemcert": "."
                }
            ]
        },
        "samlcerts": {
            "default": [
                {
                    "subjectdn": " CN=SKFS SAML Signer 1...",
                    "serialnumber": "1986984533",
                    "pemcert": "."
                },
                {
                    "subjectdn": " CN=SKFS SAML Signer 2...",
                    "serialnumber": "286523948",
                    "pemcert": "."
                },
                {
                    "subjectdn": " CN=SKFS SAML Signer 3...",
                    "serialnumber": "1137261348",
                    "pemcert": "."
                }
            ],
            "citrixidp": {
                "subjectdn": " CN=SKFS SAML Signer 1...",
                "serialnumber": "1986984533",
                "pemcert": "."
            }
        }
    }
}
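As an added example (not SKFS code), the following Python script carries out the two extraction steps described above on the text that openssl prints and then checks a signcerts object against the layout shown: it converts the hexadecimal serial with arbitrary-precision integers (bash's $((16#...)) arithmetic is limited to 64 bits, so a 20-byte random serial would overflow there), parses each subject DN under the RFC 2253 escaping rules, and flags a serial number that names two different subjects under the same Root CA. The openssl output lines, the sample policy values and the helper names are this example's own constructions.

```python
"""Build and sanity-check SKFS 'signcerts' policy entries from openssl output.

Added example, not part of SKFS. It assumes the layout shown on this page
(rootca -> jwtcerts/samlcerts -> use-case name -> entries) and works on the
text printed by `openssl x509 -noout -subject -nameopt rfc2253` and
`openssl x509 -noout -serial`, so it needs neither openssl nor a certificate.
"""
import re
from typing import Dict, List, Tuple

REQUIRED_KEYS = ("subjectdn", "serialnumber", "pemcert")
_ATTR_TYPE = re.compile(r"[A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)*")


def _split_unescaped(text: str, sep: str) -> List[str]:
    """Split on `sep` except where it is backslash-escaped (RFC 2253 section 2.4)."""
    parts: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):  # keep the escape pair intact
            current.append(text[i:i + 2])
            i += 2
            continue
        if ch == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def parse_rfc2253_dn(dn: str) -> List[List[Tuple[str, str]]]:
    """Parse 'CN=a,OU=b+O=c' into [[('CN','a')], [('OU','b'),('O','c')]].

    Surrounding whitespace is stripped first (older openssl prints 'subject= CN=...').
    Raises ValueError on a component without 'type=value' or with an illegal type.
    """
    rdns = []
    for rdn in _split_unescaped(dn.strip(), ","):
        avas = []
        for ava in _split_unescaped(rdn, "+"):
            if "=" not in ava:
                raise ValueError(f"component lacks 'type=value': {ava!r}")
            attr_type, value = ava.split("=", 1)
            if not _ATTR_TYPE.fullmatch(attr_type.strip()):
                raise ValueError(f"illegal attribute type: {attr_type!r}")
            avas.append((attr_type.strip(), value))
        rdns.append(avas)
    return rdns


def openssl_output_to_entry(subject_line: str, serial_line: str, pemcert: str = "...") -> Dict[str, str]:
    """Turn the 'subject=...' and 'serial=...' lines into a policy entry.

    Python's int has arbitrary precision, so long serials never overflow.
    """
    if not subject_line.startswith("subject="):
        raise ValueError("expected a line starting with 'subject='")
    if not serial_line.startswith("serial="):
        raise ValueError("expected a line starting with 'serial='")
    subject = subject_line[len("subject="):].strip()
    hex_serial = serial_line[len("serial="):].strip()
    if not re.fullmatch(r"[0-9A-Fa-f]+", hex_serial):
        raise ValueError(f"serial is not hexadecimal: {hex_serial!r}")
    parse_rfc2253_dn(subject)  # fail early on an unusable subject
    return {"subjectdn": subject, "serialnumber": str(int(hex_serial, 16)), "pemcert": pemcert}


def check_entry(entry: dict, where: str) -> List[str]:
    """Return the problems found in one certificate entry (empty list means OK)."""
    problems = [f"{where}: missing key {k!r}" for k in REQUIRED_KEYS if k not in entry]
    serial = entry.get("serialnumber")
    if not (isinstance(serial, str) and re.fullmatch(r"[0-9]+", serial)):
        problems.append(f"{where}: serialnumber must be a decimal string, got {serial!r}")
    try:
        parse_rfc2253_dn(str(entry.get("subjectdn", "")))
    except ValueError as exc:
        problems.append(f"{where}: subjectdn is not an RFC 2253 DN ({exc})")
    return problems


def check_signcerts(signcerts: dict) -> List[str]:
    """Check the rootca entry and every signing-key entry beneath it.

    A single object instead of a list (the 'citrixidp' style) is accepted. One
    serial must not name two different subjects, since a CA issues each serial once.
    """
    rootca = signcerts.get("rootca", {})
    problems = check_entry(rootca, "rootca")
    subject_by_serial: Dict[str, str] = {}
    for kind in ("jwtcerts", "samlcerts"):
        for usecase, entries in rootca.get(kind, {}).items():
            if isinstance(entries, dict):
                entries = [entries]
            for idx, entry in enumerate(entries):
                where = f"{kind}/{usecase}[{idx}]"
                problems += check_entry(entry, where)
                serial = str(entry.get("serialnumber"))
                subject = str(entry.get("subjectdn", "")).strip()
                if subject_by_serial.setdefault(serial, subject) != subject:
                    problems.append(f"{where}: serial {serial} already used for {subject_by_serial[serial]!r}")
    return problems


# Constructed sample mirroring the page's layout; every value below is made up.
SAMPLE_SIGNCERTS = {
    "rootca": {
        "subjectdn": "CN=Example FIDO Server RootCA,O=Example Corp",
        "serialnumber": "1",
        "pemcert": "...",
        "jwtcerts": {"default": [
            openssl_output_to_entry("subject=CN=Example JWT Signer 1,O=Example Corp", "serial=1F"),
            openssl_output_to_entry("subject=CN=Example JWT Signer 2,O=Example Corp", "serial=0123456789ABCDEF0123"),
        ]},
        "samlcerts": {
            "default": [openssl_output_to_entry("subject=CN=Example SAML Signer 1,O=Example Corp", "serial=2A")],
            "citrixidp": openssl_output_to_entry("subject=CN=Example SAML Signer 1,O=Example Corp", "serial=2A"),
        },
    }
}

if __name__ == "__main__":
    for line in check_signcerts(SAMPLE_SIGNCERTS) or ["signcerts: no problems found"]:
        print(line)
```

Run it on a real policy by loading the JSON file and passing the "signcerts" object to check_signcerts; the reported path (for example jwtcerts/default[1]) points at the entry to correct.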