Create and manage OIDC signing certificates

OIDC signing certificates contain a key pair that you associate with an OIDC application. The private key signs the OIDC tokens that Identity as a Service returns to an OIDC service provider for OIDC authentication. The signing certificate and its public key are published through the OIDC JWKS endpoint; the OIDC service provider uses this endpoint to validate the signature of the OIDC token.

Identity as a Service provides a default self-signed certificate. You can use this certificate or create your own. You can also replace a self-signed certificate with a certificate signed by a CA either by importing a signing key or with a certificate signing request (CSR).

You can export the signing certificate if required.

Note: If you enable notifications (see Manage entitlement usage notifications), users receive an email when their certificates are soon to expire or are no longer valid.

Export a signing certificate

Export an OIDC signing certificate

Log in to your Identity as a Service administrator account.

Click > Security > Applications. The Applications List page appears.

Under OpenID Connect and OAuth Cloud Integrations, click OIDC Signing Certificates. The OIDC Signing Certificates page appears.

Click the icon next to the certificate that you want to import into your OIDC service provider application. The Export Certificate dialog box appears.

If the certificate has been issued by a CA, do one of the following:

Click Certificate to export the self-signed certificate.

Click Root CA Certificate to export a certificate issued from a CA.

Click Certificate Chain to export the OIDC signing certificate and its CA certificates.

Click Export.

Copy an OIDC signing certificate

Copy the OIDC Signing Certificate from Identity as a Service

Log in to your Identity as a Service administrator account.

Click > Security > Applications. The Applications List page appears.

Under OpenID Connect and OAuth Cloud Integrations, click OIDC Signing Certificates. The OIDC Signing Certificates page appears.

Click the icon next to the certificate to copy it to the clipboard.

Open a text editor, such as Notepad, and paste the contents of the certificate into the text file.

Save the file.

Create or import an OIDC signing certificate

Identity as a Service provides a default self-signed certificate. You can also create your own certificate. This might be necessary if your certificate is about to expire or you want to create a certificate and replace the self-signed certificate with a certificate signed by a Certificate Authority (CA).

Log in to your Identity as a Service administrator account.

Click > Security > Applications. The Applications List page appears.

Under OpenID Connect and OAuth Cloud Integrations, click OIDC Signing Certificates. The OIDC Signing Certificates page appears.

Click the icon.

Do one of the following:

Create an OIDC signing certificate

Select Create to create a new signing certificate. The Create Signing Certificate dialog box appears.

Enter a Name for the certificate.

Select the expiry date from the pop-up calendar and click OK.

Click Add. The certificate appears on the Signing Certificates page.

Import an OIDC signing certificate

Select Import to import an existing signing certificate. The Create Signing Certificate dialog box appears.

Enter a Name for the certificate.

Click the icon and browse to select your signing certificate file.

Click Import.

Replace a self-signed certificate with a CA signed certificate using a Certificate Signing Request (CSR)

You can create a PKCS#10 request, which is a standard file that a CA uses to issue certificates. It contains the public key, and the request itself is signed with the corresponding private key so the CA can confirm that you hold that key. To do this, you must generate a CSR and then process the CSR response.

Generate a CSR

Log in to your Identity as a Service administrator account.

Click > Security > Applications. The Applications List page appears.

Under OpenID Connect and OAuth Cloud Integrations, click OIDC Signing Certificates. The OIDC Signing Certificates page appears.

On the OIDC Signing Certificates page, click the icon next to the certificate.

Select Generate CSR. The Generate CSR dialog box appears.

Enter the values for any of the following attributes for the Distinguished Name (DN). The required values depend on the CA you are going to use to issue your CA-signed certificate:

Note: Do not enter values with o=.

Common Name (CN)—Enter a name that identifies your certificate. This field is mandatory.

Optionally, enter the following:

Organization Unit (OU)—Enter the name of the organization unit handling the certificate.

Organization (O)—Enter the legal name of your organization.

Locality (L)—Enter the city location of your organization.

State/Province (ST)—Enter the full state, province, or territory name of your organization (do not use abbreviations).

Country (C)—Enter the two-letter ISO code for the country location of your organization.

Click Next. You are prompted to add Subject Alt Names.

Optional. If your certificate requires Subject Alt Names, do the following to include additional sites protected by the certificate:

Click Add.

Move the toggle switch to DNS Name or IP Address.

Enter the DNS Name or IP Address.

Repeat these steps to add more Subject Alt Names.

Click Next. The Key Type and Signing Algorithm page appears.

Select the Key Type from the drop-down list.

Select the Signing Algorithm from the drop-down list.

Optional. Enter the Challenge Password.

Click Next.

Review the Summary and then click Generate CSR to generate and export the CSR.

Process the CSR Response

Once the CA has processed the CSR, you need to process the CSR response in Identity as a Service.

Log in to your Identity as a Service administrator account.

Click > Security > Applications. The Applications List page appears.

Under OpenID Connect and OAuth Cloud Integrations, click OIDC Signing Certificates. The OIDC Signing Certificates page appears.

On the OIDC Signing Certificates page, click the icon next to the certificate.

Select Process CSR Response from the drop-down list. The Process CSR Response dialog box appears.

Click the icon and browse to upload the CSR Response file.

Note: Click the icon and browse to upload more CSR Response files.

Click the icon and browse to upload Additional Certificates.

Click Submit.
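The following Go program is an added example, not code from Identity as a Service, that mirrors the two procedures above: it generates a PKCS#10 request carrying the DN attributes and Subject Alt Names the dialog collects, has a stand-in test CA check the request's self-signature and issue a certificate from it, and then performs the checks that matter when processing the CSR response: the returned certificate must contain the same public key as the signing key and must chain to the Additional Certificates supplied with it. The organization values, host names, IP address and the test CA are all constructed for the demo.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// GenerateCSR builds the PKCS#10 request: the DN attributes and Subject Alt Names the
// dialog collects, signed with the private key so the CA can check that we hold it.
func GenerateCSR(key *rsa.PrivateKey, cn string, dnsNames []string, ips []net.IP) ([]byte, error) {
	tmpl := &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: cn, OrganizationalUnit: []string{"Identity Platform"}, Organization: []string{"Example Corp"},
			Locality: []string{"Ottawa"}, Province: []string{"Ontario"}, Country: []string{"CA"}}, // constructed values
		DNSNames: dnsNames, IPAddresses: ips,
		SignatureAlgorithm: x509.SHA256WithRSA, // the "Signing Algorithm" choice
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// NewTestCA creates a self-signed root that stands in for the external CA (constructed for the demo).
func NewTestCA() (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueFromCSR is the CA's side: verify the request's self-signature (proof of key possession),
// then copy its subject, SANs and public key into a certificate signed by the CA key.
func IssueFromCSR(csrPEM []byte, ca *x509.Certificate, caKey *rsa.PrivateKey) ([]byte, error) {
	blk, _ := pem.Decode(csrPEM)
	if blk == nil || blk.Type != "CERTIFICATE REQUEST" {
		return nil, errors.New("not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(blk.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR self-signature invalid: %w", err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: csr.Subject,
		DNSNames: csr.DNSNames, IPAddresses: csr.IPAddresses,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// ProcessCSRResponse mirrors the "Process CSR Response" step: the issued certificate must carry
// the public key of our signing key and must chain to the Additional Certificates (CAs) supplied.
func ProcessCSRResponse(certPEM []byte, key *rsa.PrivateKey, cas ...*x509.Certificate) (*x509.Certificate, error) {
	blk, _ := pem.Decode(certPEM)
	if blk == nil || blk.Type != "CERTIFICATE" {
		return nil, errors.New("not a PEM certificate")
	}
	cert, err := x509.ParseCertificate(blk.Bytes)
	if err != nil {
		return nil, err
	}
	if !key.PublicKey.Equal(cert.PublicKey) {
		return nil, errors.New("certificate public key does not match the signing key")
	}
	pool := x509.NewCertPool()
	for _, ca := range cas {
		pool.AddCert(ca)
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return cert, err
}
```

Typical use is `GenerateCSR(key, "login.example.com", []string{"login.example.com"}, []net.IP{net.ParseIP("192.0.2.10")})` for the request, `IssueFromCSR` on the CA side, and `ProcessCSRResponse(certPEM, key, ca)` on the response. The public-key comparison is the check that catches a response meant for a different request, and the chain verification is why the Additional Certificates upload exists: without the issuing CA certificate the new signing certificate cannot be validated.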