This guide will show you how to create a SAML certificate that can be used with the SAML Library.

For more information, refer to The SAML Library and How to send a SAML to Signicat using the SAML Library


The SAML certificate is a standard x509 certificate in a Java keystore. It can be created using many different tools. A third party CA can also issue the certificate.

This guideline shows how you can create the certificate using the standard keytool software that is distributed with Java.


Find a location on the machine where the certificate should be used

We suggest that the certificate is created in the environment where it is going to be used to avoid any external copies.

Run the command below to create the certificate


keytool -genkey -alias saml -dname ", C=NO" -keystore saml-keystore -keyalg RSA -validity 730 -keysize 1024


You may want to consult the keytool documentation for a detailed explanation of the keytool syntax.

Keytool will ask for a password twice. The first password protects the keystore. The second password protects the private key inside the keystore. You may use the same password for both. The passwords must match the configuration parameters in SamlProducerConfiguration.


Store the keystore on a location where your application can find it

The keystore must be available in a location where the SAML Library can read it. Also note that in the unlikely event that the certificate should be compromised, you may want to be able to replace it very fast.

Update the configuration parameters in SamlProducerConfiguration with the location and passwords.

Send the public certificate to the SAML Consumer party

The SAML Consumer needs to know the public part of your certificate. You may export the public part of the certificate and send this.

keytool -export -rfc -keystore saml-keystore -alias saml -file saml-cert.public	

The public part is not a secret (it will be embedded in clear text in every SAML Response as well). However, it is of course important that the SAML Consumer is using the correct certificate.

Keytool parameters




The alias parameter must match the alias configuration parameter in SamlProducerConfiguration.


", C=NO"

A X509 distinguished name that uniquely identifies your organisation.



The name of the keystore file that will be created



The key algorithm



The key size.



How long the certificate should be valid.

More info