Using self signed certificates

Ruben Bermudez edited this page Sep 23, 2015 · 2 revisions

Upload your certificate using the certificate parameter of the setWebhook method. The certificate must be PEM encoded (ASCII Base64), and the PEM file should contain only the public key (including the BEGIN and END portions). When converting from a bundle format, split the file so that it includes only the public key.

Generating a self-signed certificate pair (PEM):

Using OpenSSL (Windows binaries for OpenSSL are available online):

openssl req -newkey rsa:2048 -sha256 -nodes -keyout YOURPRIVATE.key -x509 -days 365 -out YOURPUBLIC.pem -subj "/C=US/ST=New York/L=Brooklyn/O=Example Brooklyn Company/CN=YOURDOMAIN.EXAMPLE"

YOURPUBLIC.pem has to be used as input for setting the self-signed webhook.

Inspect the generated certificate

openssl x509 -text -noout -in YOURPUBLIC.pem

Converting from a previously generated DER

openssl x509 -inform der -in YOURDER.der -out YOURPEM.pem

Converting from a previously generated PKCS12

openssl pkcs12 -in YOURPKCS.p12 -out YOURPEM.pem

## Using a Java keystore for your bot?

Generate self-signed JKS

keytool -genkey -keyalg RSA -alias YOURDOMAIN.EXAMPLE -keystore YOURJKS.jks -storepass YOURPASSWORD -validity 360 -keysize 2048

Converting JKS to PKCS12 (intermediate step for conversion to PEM):

keytool -importkeystore -srckeystore YOURJKS.jks -destkeystore YOURPKCS.p12 -srcstoretype jks -deststoretype pkcs12

Convert PKCS12 to PEM (requires openssl):

openssl pkcs12 -in YOURPKCS.p12 -out YOURPEM.pem

## Using Windows

Creating a self-signed certificate using Windows native utilities is also possible, although OpenSSL binaries for Windows are available online.

On the command line:

certreq -new TEMPLATE.txt RequestFileOut

TEMPLATE.txt example file:

[NewRequest]

; At least one value must be set in this section
Subject = "CN=DOMAIN.EXAMPLE"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
;MachineKeySet = true
RequestType = Cert
UseExistingKeySet=false ;generates a new private key (for export)
Exportable = true ;makes the private key exportable with the PFX

A self-signed certificate will be generated and installed. To view the certificate:

certutil -store -user my

To export in DER format (intermediate step for conversion to PEM):

certutil -user -store -split my SERIALNUMBER YOURDER.crt

Converting to PEM (used for setting the webhook):

certutil -encode YOURDER.crt YOURPEM.cer

To delete a certificate from your store:

certutil -delstore -user my SERIALNUMBER (from view)

To export in PFX (PKCS12) format:

certutil -exportpfx -user YOURDOMAIN.EXAMPLE YOURPKCS.pfx NoChain

Converting YOURPKCS.pfx to PEM including the private key is best done with OpenSSL:

openssl pkcs12 -in YOURPKCS.pfx -out YOURPEM.cer

Remember that only the public key is needed as input for the self-signed webhook certificate parameter. certmgr.msc can also be used as a GUI to export the public part of self-signed certificates to PEM.
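The requirement that the uploaded PEM hold only the public part (stated at the top of the page and in the reminder above) can be checked before calling setWebhook, since a PKCS12-to-PEM conversion can leave the private key and "Bag Attributes" text in the same file. The shell functions below are an added example, not part of the original page; the function names and the sample bundle are assumptions made for illustration.

```shell
# Added example, not from the original page; function names are assumptions.

# Print the label of every PEM block in a file, one per line.
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1"
}

# Succeed only if the file holds exactly one CERTIFICATE block and no
# block whose label contains "PRIVATE KEY" (plain, RSA, EC or ENCRYPTED).
pem_upload_ok() {
    labels=$(pem_labels "$1") || return 2
    if printf '%s\n' "$labels" | grep -q 'PRIVATE KEY'; then
        echo "$1: contains a private key block, do not upload" >&2
        return 1
    fi
    count=$(printf '%s\n' "$labels" | grep -c '^CERTIFICATE$' || true)
    if [ "$count" -ne 1 ]; then
        echo "$1: expected 1 CERTIFICATE block, found $count" >&2
        return 1
    fi
}

# Copy only the first CERTIFICATE block of a bundle into a new file,
# dropping key blocks and "Bag Attributes" text, then re-check the result.
pem_extract_cert() {
    awk '/^-----BEGIN CERTIFICATE-----/ { copy = 1 }
         copy { print }
         /^-----END CERTIFICATE-----/ { if (copy) exit }' "$1" > "$2"
    pem_upload_ok "$2"
}

# Constructed sample with the shape of a PKCS12-to-PEM bundle
# (placeholder base64, not a real certificate or key).
make_sample_bundle() {
    cat > "$1" <<'EOF'
Bag Attributes
    friendlyName: YOURDOMAIN.EXAMPLE
subject=CN = YOURDOMAIN.EXAMPLE
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=
-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=
-----END ENCRYPTED PRIVATE KEY-----
EOF
}
```

Typical use is `pem_extract_cert YOURPEM.pem YOURPUBLIC.pem`, which writes the certificate-only file and returns non-zero if the result is still not safe to upload.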