Browser-facing certificate
You will need to acquire an SSL certificate from a certification authority to secure the IdP.
Important: the CN (Common Name) you specify when requesting the certificate must match the DNS hostname (the FQDN, or fully qualified domain name) of the IdP deployment discussed in the Preparation section.
Please see our guides at these links:
- Browser facing certificate using the Certificate snap-in in Windows - Recommended for Windows deployers
- Browser facing certificate using Java keytool - suitable for the IdP on all platforms (Windows and Linux)
- Getting the Browser-Facing Certificate - suitable for IdP on Linux, but also worth reviewing if you would like some more detail on the process. Can also be used on Windows if you install a Windows version of OpenSSL (or use OpenSSL on another platform and transfer the keystore file).
If you plan to proxy the IdP through Apache httpd then you should not need to build a keystore file; the browser-facing certificate is configured in Apache using PEM-format certificate files.
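To check the Common Name requirement above before a request goes to the certification authority, and again when the issued certificate comes back, the following OpenSSL helpers can be used. This is an added example, not taken from the linked guides; the hostname idp.example.org, the file names and the function names are placeholders.

```shell
#!/usr/bin/env bash
# Added example; idp.example.org and the file names are placeholders.

# make_csr FQDN DIR: new 2048-bit RSA key plus a CSR whose CN is FQDN.
make_csr() {
    (
        umask 077   # private key readable by its owner only
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$2/idp.key" -out "$2/idp.csr" \
            -subj "/CN=$1" 2>/dev/null
    )
}

# subject_cn KIND FILE: print the subject CN of a CSR (KIND=req) or of an
# issued certificate (KIND=x509). RFC2253 output gives "subject=CN=host,O=...".
subject_cn() {
    openssl "$1" -in "$2" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# check_cn KIND FILE FQDN: succeed only when the CN equals FQDN.
# DNS names are case-insensitive, so both sides are lower-cased first.
check_cn() {
    have=$(subject_cn "$1" "$2" | tr '[:upper:]' '[:lower:]')
    want=$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')
    [ -n "$have" ] && [ "$have" = "$want" ]
}

# Usage:
#   make_csr idp.example.org . && check_cn req idp.csr idp.example.org
#   check_cn x509 issued-cert.pem idp.example.org   # after the CA replies
```

A non-zero exit status from check_cn means the name in the file does not match the hostname you passed.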