Generate Keys and Certificates for SSO

G Suite offers the Single Sign-On (SSO) service to customers with G Suite or G Suite for Education. The G Suite Single Sign-On service accepts public keys and certificates generated with either the RSA or DSA algorithm. To use the service, you need to generate the set of public and private keys and an X.509 certificate that contains the public key. Once you have a public key or certificate, you would then need to register it with Google. You can do this by simply uploading the key or certificate via your G Suite Admin console.

The way you generate keys and certificates often depends on your development platform and programming language preference. Here are several different ways to generate the keys and certificate needed by the G Suite SSO service.

Using OpenSSL

Although there are many methods for creating public and private key pairs, the open-source OpenSSL tool is one of the most popular. It has been ported to all major platforms and provides a simple command-line interface for key generation.

Create the RSA Private Key

RSA private key generation with OpenSSL involves just one step:

openssl genrsa -out rsaprivkey.pem 2048

This command generates a PEM-encoded private key and stores it in the file rsaprivkey.pem. This example creates a 2048-bit key, which should work for nearly any purpose. The resulting private key should be kept secret and is used to sign and decrypt data.

Some implementations, in particular Java-based, might require DER or PKCS8 which can for example be generated using the following additional steps:

1. openssl rsa -in rsaprivkey.pem -pubout -outform DER -out rsapubkey.der
2. openssl pkcs8 -topk8 -inform PEM -outform DER -in rsaprivkey.pem -out rsaprivkey.der -nocrypt

Step 1 generates the public key in DER format.

Step 2 generates the private key in pkcs8 and DER format. Once generated, you can use these keys (rsapubkey.der and rsaprivkey.der).

Create a DSA Private Key

DSA key generation involves two steps:

1. openssl dsaparam -out dsaparam.pem 2048
2. openssl gendsa -out dsaprivkey.pem dsaparam.pem

The first step creates a DSA parameter file, dsaparam.pem, which in this case instructs OpenSSL to create a 2048-bit key in Step 2. The dsaparam.pem file is not itself a key, and can be discarded after the public and private keys are created. The second step actually creates the private key in the file dsaprivkey.pem which should be kept secret.

To export the key into a DER (binary) format you can use the following steps:

1. openssl dsa -in dsaprivkey.pem -outform DER -pubout -out dsapubkey.der
2. openssl pkcs8 -topk8 -inform PEM -outform DER -in dsaprivkey.pem -out dsaprivkey.der -nocrypt

Step 1 extracts the public key into a DER format.

Step 2 converts the private key into the pkcs8 and DER format. Once you've done this, you can use this public (dsapubkey.der) and private (dsaprivkey.der) key pair

Create a certificate

Once you have your key pair, it's easy to create an X.509 certificate. The certificate holds the corresponding public key, along with some metadata relating to the organization that created the certificate. Follow this step to create a self-signed certificate from either an RSA or DSA private key:

openssl req -new -x509 -key dsaprivkey.pem -out dsacert.pem

After you answer a number of questions, the certificate will be created and saved as dsacert.pem. This is the file you upload to G Suite via the Control Panel when configuring SSO.

Create a certificate fingerprint

Some applications require an X.509 certificate fingerprint, rather than the X.509 certificate itself. A fingerprint is a digest of the certificate in x509 binary format. The fingerprint type depends on the algorithm used to generate the fingerprint, such as SHA-1 or SHA-256. 

To create an SHA-256 fingerprint from an X.509 certificate, use the following command (substituting your actual certificate .pem file name):

openssl x509 -noout -fingerprint -sha256 -inform pem -in "GoogleIDPCertificate-domain.com.pem"

Using Microsoft Visual Studio for .NET

Microsoft Visual Studio 2005 provides utilities (in the Common7\Tools\Bin directory) which can be used to generate a certificate for use with G Suite. Follow the steps below to create the public and private key pair and certificate in .NET:

1. makecert -r -pe -n "CN=Test Certificate" -sky exchange -sv testcert.pvk testcert.cer
2. pvk2pfx -pvk testcert.pvk -spc testcert.cer -pfx testcert.pfx

By default the RSA algorithm is used in the commands above. Step 1 uses the Certificate Creation Tool (makecert.exe) to create a self signed X.509 certificate called testcert.cer and the corresponding private key.

Step 2 uses the pvk2pfxTool (pvk2pfx.exe) to create a Personal Information Exchange (PFX) file from a CER and PVK file. The PFX contains both your public and private key.

The testcert.cer file created in Step 1 can be uploaded to G Suite using the Control Panel; and, testcert.pfx from Step 2 can be used to create an X509Certificate2 (.NET 2.0+) instance for signing the SAML response.

Using Keytool in Java

Java developers can use the keytool utility found in the standard JDK to create the public/private key pair and X.509 certificate. keytool is a key and certificate management utility that allows users to administer their own public/private key pairs and associated certificates for use in authentication schemes requiring digital signatures. keytool stores keys and certificates in a "keystore" which for the default implementation is simply a file (".keystore") in the user's home directory. Private keys are guarded with passwords.

Create DSA key pairs

1. keytool -genkey -alias dsassokey -keyalg "DSA" -keysize 2048 -validity 180 -sigalg "SHA256withDSA"
2. keytool -export -alias dsassokey -file dsasso.cer

Step 1 generates a public/private key pair with size 2048 and validity of 180 days using the DSA algorithm.

Step 2 generates an X.509 certificate ("dsasso.cer") from the public key. You then upload dsasso.cer to G Suite using the Control Panel.

Create RSA key pairs

1. keytool -genkey -alias rsassokey -keyalg "RSA" -keysize 2048 -validity 180
2. keytool -export -alias rsassokey -file rsasso.cer

Step 1 generates a public/private key pair with size 2048 and validity of 180 days using the RSA algorithm.

Step 2 generates an X.509 certificate ("rsasso.cer") from the public key. You then upload rsasso.cer to G Suite using the Control Panel.

Using Java Cryptography Architecture

Java Cryptography Architecture (JCA) provides core classes and interfaces to generate and manipulate security properties. The JCA encompasses the parts of the Java 2 SDK Security API related to cryptography. Using this API, you can easily generate public and private key pairs in the desired algorithm. Below is a sample code that creates DSA or RSA keys to be used with the G Suite SSO service.

Create a public and private key pair

import java.io.*;
import java.security.*;

public class KeyGenDSA {

  public static void main(String[] args) {
        try {
          KeyPairGenerator keyGen = KeyPairGenerator.getInstance("DSA");
          SecureRandom random = SecureRandom.getInstanceStrong();
          keyGen.initialize(2048, random);

          KeyPair pair = keyGen.generateKeyPair();
          PrivateKey priv = pair.getPrivate();
          PublicKey pub = pair.getPublic();

          byte[] encPriv = priv.getEncoded();
          FileOutputStream privfos = new FileOutputStream("DSAPrivateKey.key");
          privfos.write(encPriv);
          privfos.close();

          byte[] encPub = pub.getEncoded();
          FileOutputStream pubfos = new FileOutputStream("DSAPublicKey.key");
          pubfos.write(encPub);
          pubfos.close();

   } catch (Exception e) {
         e.printStackTrace();
   }
  }
}

The code above uses the KeyPairGenerator to create a pair of DSA keys. The generated keys will be in binary format and are output into individual files. Once you have the keys, you can register the public key with G Suite and use the private key to sign your SAMLResponse. To generate a pair of RSA keys instead of DSA, all you need to do is to replace "DSA" in the code with "RSA."

Register your certificate or public key with G Suite

Once you have done the tricky part of generating keys and certificates, the next part is really simple. To register your certificate or public key with G Suite, you need to go to your G Suite Admin console and log in as an administrator. Select Security, then Set up single sign-on (SSO), and fill in all the fields on the page under Setup SSO with third party identity provider.

Was this helpful?
How can we improve it?