
StrongKey's Sign-On (SSO) uses Transport Layer Security (TLS) to protect sensitive information on the network between a calling client Application and the StrongAuth FIDO Server (SKFS).

By default, each newly installed SKSO generates a key pair and a self-signed digital certificate to use for establishing TLS connections. At most sites, this setup is sufficient for the Application to make secure connections to the SKFS.

StrongKey's self-signed certificate offers a distinct advantage over a Trusted Third Party CA (TTPCA) certificate by deterring breaches within the web service: attackers unfamiliar with the self-signed certificate are confronted with error messages, whereas a TTPCA certificate is often already trusted by them.

To use a new PKCS12 keystore, start by generating the keystore and a Certificate Signing Request (CSR).

  • Generate a new PKCS12 keystore. Replace the DNS entries in the SAN extension as appropriate, or remove the option beginning with "-ext" if Subject Alternative Names are not being used.
    keytool -genkeypair -alias s1as -keystore newkeystore.p12 -storepass changeit -keypass changeit -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 365 -ext "SAN=DNS:blue.strongkey.com,DNS:red.strongkey.com,DNS:green.strongkey.com"
  • Create a CSR. Replace the DNS entries in the SAN extension as appropriate, or remove the option beginning with "-ext" if not using SANs. certreq.csr is the file name of the CSR. The SAN value must be quoted and must contain no space after "SAN=", otherwise the shell passes the DNS list to keytool as a separate argument.
    keytool -certreq -alias s1as -keyalg RSA -file certreq.csr -keystore newkeystore.p12 -ext "SAN=DNS:blue.strongkey.com,DNS:red.strongkey.com,DNS:green.strongkey.com"

To inspect the CSR, use the following command and verify that the SAN extension is present and lists the expected DNS names.

keytool -printcertreq -file certreq.csr
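As an added example (not StrongKey's code and not part of the original page), the following standard-library Python check confirms what the "-ext SAN=" option actually placed in the CSR: it walks the PKCS#10 DER structure to the extensionRequest attribute (OID 1.2.840.113549.1.9.14) and returns the DNS names in the requested subjectAltName extension (OID 2.5.29.17), so the SAN set can be verified independently of keytool before the CSR is sent to the CA. The function sample_csr_der is an assumption for offline use only; it constructs a CSR with an empty subject and a dummy key and signature to exercise the parser, whereas a real certreq.csr is read with pem_to_der(open("certreq.csr").read()).

```python
import base64
import re

EXT_REQ_OID = bytes.fromhex("2a864886f70d01090e")  # 1.2.840.113549.1.9.14 extensionRequest
SAN_OID = bytes.fromhex("551d11")                   # 2.5.29.17 subjectAltName

def _tlv(data, pos):  # decode one DER tag-length-value at pos -> (tag, value, next_pos)
    tag, ln, pos = data[pos], data[pos + 1], pos + 2
    if ln & 0x80:                              # long form: low 7 bits = count of length bytes
        n = ln & 0x7F
        ln, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + ln], pos + ln

def _children(data):  # (tag, value) pairs of the TLVs directly inside a constructed value
    out, pos = [], 0
    while pos < len(data):
        tag, val, pos = _tlv(data, pos)
        out.append((tag, val))
    return out

def pem_to_der(pem):  # strip the -----BEGIN/END NEW CERTIFICATE REQUEST----- armour keytool writes
    return base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))

def csr_dns_names(der):
    """dNSName entries of the CSR's requested subjectAltName extension ([] if none)."""
    cri = _children(_children(der)[0][1])[0][1]                 # certificationRequestInfo
    for attrs in [v for t, v in _children(cri) if t == 0xA0]:   # [0] IMPLICIT attributes
        for _, attr in _children(attrs):
            (_, oid), (_, values) = _children(attr)             # Attribute {type, values}
            if oid == EXT_REQ_OID:
                for _, ext in _children(_children(values)[0][1]):   # Extensions SEQUENCE
                    parts = _children(ext)                      # {extnID [, critical], extnValue}
                    if parts[0][1] == SAN_OID:
                        names = _children(_children(parts[-1][1])[0][1])   # GeneralNames
                        return [v.decode("ascii") for t, v in names if t == 0x82]
    return []

def _enc(tag, payload):  # minimal DER encoder, used only to build the constructed sample CSR
    n = len(payload)
    ln = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + ln + payload

def sample_csr_der(names):
    """Constructed CSR (empty subject, dummy RSA key and signature) laid out the way keytool emits it."""
    san = _enc(0x30, b"".join(_enc(0x82, n.encode()) for n in names))
    ext = _enc(0x30, _enc(0x06, SAN_OID) + _enc(0x04, san))
    attr = _enc(0x30, _enc(0x06, EXT_REQ_OID) + _enc(0x31, _enc(0x30, ext)))
    spki = _enc(0x30, _enc(0x30, _enc(0x06, bytes.fromhex("2a864886f70d010101")) + _enc(0x05, b"")) + _enc(0x03, b"\x00" * 33))
    cri = _enc(0x30, _enc(0x02, b"\x00") + _enc(0x30, b"") + spki + _enc(0xA0, attr))
    sha256_rsa = _enc(0x30, _enc(0x06, bytes.fromhex("2a864886f70d01010b")) + _enc(0x05, b""))
    return _enc(0x30, cri + sha256_rsa + _enc(0x03, b"\x00" * 33))
```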


Get the CSR signed by the external CA. Follow the instructions of the CA service provider to obtain the signed certificate.

After receiving the signed certificate chain from the CA service provider, proceed to the "Importing the Certificate (P12)" section.