> For the complete documentation index, see [llms.txt](https://ploegert.gitbook.io/til/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://ploegert.gitbook.io/til/os/unix/crypto/generate-a-saml-key-and-certificate-pair.md).

# Generate A SAML Key And Certificate Pair

The `openssl` utility can be used to generate a SAML (Security Assertion Markup Language) key pair which consists of a public certificate and a private key.

```bash
openssl req -new -x509 -days 365 -nodes -sha256 \
  -out saml.crt \
  -keyout saml.key
```

> The req command primarily creates and processes certificate requests in PKCS#10 format. It can additionally create self-signed certificates, for use as root CAs, for example.

The flags to `req` are as follows:

* `-new` for a new certificate (cert) request
* `-x509` to output a self-signed cert instead of a cert request
* `-days 365` for a year-long cert
* `-nodes` to not encrypt the private key
* `-sha256` is the digest algorithm for signing the cert
* `-out saml.crt` specifies the certificate output file
* `-keyout saml.key` specifies the private key output file

See `man openssl` and search for `openssl req` for more details.

[source](https://www.lightsaml.com/LightSAML-Core/Cookbook/How-to-generate-key-pair/)
