
Create a service provider keystore for SAML

For your instance to sign logout requests, you must create a Java keystore containing the following items.

About this task

  • Signed server certificate for the instance
  • Signed CA certificate
  • Public and private key pair

You may create your own signed certificate with a private certificate authority or purchase one from a public certificate authority.

The following steps illustrate how to generate a new Java Keytool keystore file, create a certificate signing request (CSR), and import certificates. Any root or intermediate certificates need to be imported before importing the primary certificate for your domain. Type these commands in a command line interface.
Note: These instructions are not specific to the platform and require technical knowledge of security certificates to complete. Technical Support cannot assist in creating the certificates.


  1. Generate a Java keystore and key pair.
    keytool -genkey -alias mydomain -keyalg RSA -keystore my.keystore
  2. Generate a CSR for an existing Java keystore.
    keytool -certreq -alias mydomain -keystore my.keystore -file mydomain.csr
  3. Import a root or intermediate certificate authority (CA) certificate to an existing Java keystore.
    keytool -import -trustcacerts -alias root -file Thawte.crt -keystore my.keystore
  4. Import a signed primary certificate to an existing Java keystore.
    keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore my.keystore
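
Added example (not part of the original page or the vendor's tooling): the four steps above run non-interactively with keytool, using a throwaway private CA to sign the CSR, followed by a check that the alias ends up as a private key entry with a CA-signed chain. The password, distinguished names, the ca.keystore and ca.crt file names, and the function names are assumptions made for the demo.

```sh
# Constructed demo values: password, DNs and the throwaway CA are not from the page.
# Passwords on the command line are for the demo only; omit them to be prompted.
PASS='changeit-demo'

build_sp_keystore() {   # $1 = empty working directory
  ( cd "$1" || exit 1
    # Throwaway private CA, standing in for whoever signs your CSR.
    keytool -genkey -alias ca -keyalg RSA -keysize 2048 -validity 30 \
      -dname 'CN=Demo Private CA' -ext bc:c -keystore ca.keystore \
      -storepass "$PASS" -keypass "$PASS" &&
    keytool -exportcert -rfc -alias ca -keystore ca.keystore \
      -storepass "$PASS" -file ca.crt &&
    # Step 1: keystore and key pair.
    keytool -genkey -alias mydomain -keyalg RSA -keysize 2048 \
      -dname 'CN=mydomain.example' -keystore my.keystore \
      -storepass "$PASS" -keypass "$PASS" &&
    # Step 2: CSR.
    keytool -certreq -alias mydomain -keystore my.keystore \
      -storepass "$PASS" -file mydomain.csr &&
    # The CA signs the CSR (your CA does this in practice).
    keytool -gencert -rfc -alias ca -keystore ca.keystore \
      -storepass "$PASS" -validity 30 \
      -infile mydomain.csr -outfile mydomain.crt &&
    # Step 3: CA certificate first, so step 4 can build the chain.
    keytool -import -noprompt -trustcacerts -alias root -file ca.crt \
      -keystore my.keystore -storepass "$PASS" &&
    # Step 4: signed certificate under the same alias as the key pair.
    keytool -import -noprompt -trustcacerts -alias mydomain \
      -file mydomain.crt -keystore my.keystore -storepass "$PASS"
  ) >/dev/null 2>&1
}

# Succeeds only if the alias holds a private key with a CA-signed chain.
check_sp_keystore() {   # $1 = keystore file, $2 = alias
  ks_out=$(keytool -J-Duser.language=en -list -v -alias "$2" \
    -keystore "$1" -storepass "$PASS" 2>/dev/null) || return 1
  printf '%s\n' "$ks_out" | grep -q 'Entry type: PrivateKeyEntry' || return 1
  # Chain length 1 means the entry is still the self-signed certificate.
  ks_len=$(printf '%s\n' "$ks_out" | sed -n 's/^Certificate chain length: //p')
  [ "${ks_len:-0}" -ge 2 ]
}
```

A chain length of 1, or an entry type of trustedCertEntry, typically means the signed certificate was imported under a different alias than the key pair.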
