Create a service provider keystore for SAML

In order for your instance to sign logout requests, you must create a Java Key store containing the following items.

About this task

  • Signed server certificate for the instance
  • Signed CA certificate
  • Public and private key pair

You may create your own signed certificate with a private certificate authority or purchase one from a public certificate authority.

The following steps illustrate how to generate a new Java Keytool keystore file, create a certificate signing request (CSR), and import certificates. Any root or intermediate certificates need to be imported before importing the primary certificate for your domain. Type these commands in a command line interface.
Note: These instructions are not specific to the platform and require technical knowledge of security certificates to complete. Technical Support cannot assist in creating the certificates.


  1. Generate a Java keystore and key pair.
    keytool -genkey -alias mydomain -keyalg RSA -keystore my.keystore
  2. Generate a CSR for an existing Java keystore.
    keytool -certreq -alias mydomain -keystore my.keystore -file mydomain.csr
  3. Import a root or intermediate certificate authority CA certificate to an existing Java keystore.
    keytool -import -trustcacerts -alias root -file Thawte.crt -keystore my.keystore
  4. Import a signed primary certificate to an existing Java keystore.
    keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore my.keystore