Product Documentation

NOTE: The keygen-sso.sh script is meant to be used in standalone SKFS deployments. It is kept bundled within SAKA distributions, but the responsibility for SSO key generation has been passed on to the Domain Setup wizards and the Escrow Keystore Tool.

The keygen-sso.sh script is the primary way to generate SSO keys and certificates in standalone SKFS deployments. As the name suggests, this script generates the keys that the SKFS uses to sign JWTs and SAML assertions.

Below is the usage information for the keygen-sso.sh script:

# SKFS> ./keygen-sso.sh --help

SYNOPSIS
  keygen-sso.sh -did <Domain ID> [-jwt] [-saml] [-h | --help] [-dn <DN>] [-cs <Cluster Size>] [-v <Certificate Validity>] [-p <Keystore Password>] [-o <Output Path>] [options]

DESCRIPTION
  This script creates a Root Certificate Authority for the specified domain as well as a set of jwt, saml, or both leaf certificates signed by the Root CA.

OPTIONS
  -h, --help
    Displays this help message.

  -dn, --distinguished-name
    Default: ""
    Determines the JWT or SAML leaf certificates' DN on creation: "CN=[ JWT | SAML ] Signing Certificate $DID-$COUNT, $DN"

  -did, --domainid
    Determines the domain ID that the JWT/SAML keys and certificates will be created for.

  -v, --validity
    Default: 365
    Determines the number of days the JWT/SAML leaf keys and certificates will be valid for.

  -jwt
    If specified, creates JWT signing keys and certificates and stores them in the sso keystore/truststore

  -jwtcns, --jwt-common-names
    Default: CN=JWT Signing Certificate $DID-1,CN=JWT Signing Certificate $DID-2,CN=JWT Signing Certificate $DID-3
    Determines the JWT certificate common names and number of certificates created for this domain.

  -jwtalg, --jwt-algorithm
    Default: EC
    Determines the key algorithm for the JWT keys.

  -jwtks, --jwt-key-size
    Default: 512
    Determines the key size for the JWT keys.

  -saml
    If specified, creates SAML signing keys and certificates and stores them in the sso keystore/truststore

  -samlcns, --saml-common-names
    Default: CN=SAML Signing Certificate $DID-1,CN=SAML Signing Certificate $DID-2,CN=SAML Signing Certificate $DID-3
    Determines the SAML certificate common names and number of certificates created for this domain.

  -samlalg, --saml-algorithm
    Default: RSA
    Determines the key algorithm for the SAML keys.

  -samlks, --saml-key-size
    Default: 2048
    Determines the key size for the SAML keys.

  -p, --keystore-password
    Default: Abcd1234!
    Determines the password for all created keystores (CA key pair, JWT key pair, SAML key pair, ssosigningkeystore)

  -o, --output-path
    Default: /usr/local/strongkey/skfs/keystores
    Determines the path on the file system where the ssosigningkeystore.bcfks and ssosigningtruststore.bcfks will be created. Relative path may be used.

  -nf, --no-fips
    Default: 
    Profile options: 
    Profile used to build the SAKA distribution.
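The help output above lists the knobs; the wrapper below is an added example, not part of the StrongKey SAKA/SKFS distribution or of keygen-sso.sh itself, showing how an operator of a standalone SKFS deployment might drive the script: it refuses the documented default keystore password (Abcd1234!), passes an explicit validity and output path instead of relying on the defaults, and checks that ssosigningkeystore.bcfks and ssosigningtruststore.bcfks were actually produced. The script location held in KEYGEN_SSO, the SSO_KEYSTORE_PASSWORD variable, the 12-character minimum and the sample DN "O=Example Corp, C=US" are assumptions for this example, not values from the documentation. expected_dn reproduces the documented leaf-certificate DN pattern ("CN=[ JWT | SAML ] Signing Certificate $DID-$COUNT, $DN") so the operator knows which subjects to look for when inspecting the truststore afterwards.

```shell
#!/bin/sh
# Added example, not part of the StrongKey SAKA/SKFS distribution.
# Wrapper around keygen-sso.sh for a standalone SKFS deployment.
# Assumptions (not from the documentation): the script path in KEYGEN_SSO,
# the SSO_KEYSTORE_PASSWORD environment variable, the 12-character minimum
# and the sample DN used in the commented invocation at the bottom.

DEFAULT_KEYSTORE_PASSWORD='Abcd1234!'   # the -p default from the help text; never deploy with it
KEYGEN_SSO="${KEYGEN_SSO:-/usr/local/strongkey/skfs/keygen-sso.sh}"   # assumed location

# expected_dn KIND DID COUNT DN
# Reproduces the documented DN pattern for a leaf certificate:
#   "CN=[ JWT | SAML ] Signing Certificate $DID-$COUNT, $DN"
# so generated subjects can be compared with what the truststore contains.
expected_dn() {
  kind="$1"; did="$2"; count="$3"; dn="$4"
  printf 'CN=%s Signing Certificate %s-%s, %s\n' "$kind" "$did" "$count" "$dn"
}

# check_password PASSWORD
# Returns 0 if PASSWORD is acceptable, 1 if it is the documented default or too short.
check_password() {
  pw="$1"
  if [ "$pw" = "$DEFAULT_KEYSTORE_PASSWORD" ]; then
    echo "refusing the documented default keystore password; set SSO_KEYSTORE_PASSWORD" >&2
    return 1
  fi
  if [ "${#pw}" -lt 12 ]; then
    echo "keystore password must be at least 12 characters (assumed local policy)" >&2
    return 1
  fi
  return 0
}

# verify_outputs OUTPUT_PATH
# keygen-sso.sh writes ssosigningkeystore.bcfks and ssosigningtruststore.bcfks
# into the -o directory; fail if either is missing or empty.
verify_outputs() {
  out="$1"; rc=0
  for f in ssosigningkeystore.bcfks ssosigningtruststore.bcfks; do
    if [ ! -s "$out/$f" ]; then
      echo "expected $out/$f was not created" >&2
      rc=1
    fi
  done
  return "$rc"
}

# run_keygen DID DN VALIDITY_DAYS OUTPUT_PATH
# Generates both JWT and SAML material for one domain with an explicit
# password, validity and output path rather than the defaults.
run_keygen() {
  did="$1"; dn="$2"; validity="$3"; out="$4"
  check_password "${SSO_KEYSTORE_PASSWORD:-}" || return 1
  mkdir -p "$out" || return 1
  "$KEYGEN_SSO" -did "$did" -jwt -saml -dn "$dn" -v "$validity" \
      -p "$SSO_KEYSTORE_PASSWORD" -o "$out" || return 1
  verify_outputs "$out"
}

# Example invocation (domain 1, two-year validity, per-domain output directory);
# uncomment and run with SSO_KEYSTORE_PASSWORD exported in the environment:
# run_keygen 1 'O=Example Corp, C=US' 730 /usr/local/strongkey/skfs/keystores/did1
```

Keeping the password in the environment rather than on the wrapper's own command line means it does not show up in shell history for the wrapper, although keygen-sso.sh still receives it via -p as the help text documents.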