
Certificates

Two types of certificates are used when working with federations:

  • credential provider certificate — a certificate that is issued on the credential provider side and added when configuring the federation in the control panel. Without this certificate, the federation will not work;
  • certificate for signing requests — an optional certificate that is issued on the Selectel side if the federation has the Sign authentication requests checkbox checked.

Certificates of credential providers

You issue the certificate on the credential provider side and add it to the federation in Selectel. The certificate is used to authenticate data when a user is authenticated in the control panel.

You can create a federation without a certificate and add it later, but a federation without a certificate will not work. Up to 10 certificates can be added for one federation.

If a federation has multiple certificates, they are applied sequentially: if a certificate has expired or is invalid, the next added certificate is applied.

Issue a certificate from a credential provider

  1. In the Keycloak control panel, go to Realm settings → Keys tab.
  2. In the RS256 row, click Certificate.
  3. Copy the certificate.

Add a certificate

  1. In the control panel, open the menu (account number) in the upper right corner and select Profile & Settings.
  2. Go to the Federations section.
  3. Open the federation page.
  4. In the IdP Certificates block, click Add Certificate.
  5. Enter the name of the certificate.
  6. Paste the certificate. It must begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----
  7. Click Add.
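
A pre-upload check for step 6, as an added example (not Selectel's or Keycloak's code): it assumes the value copied from the credential provider may be bare base64 without the BEGIN/END lines, wraps it into PEM, and rejects private keys, other PEM types and truncated data. The function names and the sample bytes are constructed for illustration.

```python
import base64
import binascii
import re

HEADER = "-----BEGIN CERTIFICATE-----"
FOOTER = "-----END CERTIFICATE-----"


def der_outer_length(der: bytes) -> int:
    """Return the total size declared by the outer DER SEQUENCE header."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE, so not an X.509 certificate")
    if der[1] < 0x80:                      # short form: length fits in one byte
        return 2 + der[1]
    n = der[1] & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def to_pem_certificate(pasted: str) -> str:
    """Normalize pasted text (PEM or, by assumption, bare base64) to PEM."""
    text = pasted.strip()
    if "PRIVATE KEY" in text:
        raise ValueError("this is a private key; it must never be uploaded")
    m = re.fullmatch(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", text, re.S)
    if m:
        if m.group(1) != "CERTIFICATE":
            raise ValueError(f"unexpected PEM type: {m.group(1)}")
        text = m.group(2)
    body = "".join(text.split())           # drop line breaks and stray spaces
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("body is not valid base64") from exc
    if der_outer_length(der) != len(der):
        raise ValueError("truncated or padded certificate data")
    b64 = base64.b64encode(der).decode()
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"{HEADER}\n{wrapped}\n{FOOTER}\n"


# Constructed sample: 300 placeholder bytes in a DER SEQUENCE, not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x2c" + bytes(range(256)) + bytes(44)
SAMPLE_BARE = base64.b64encode(SAMPLE_DER).decode()

if __name__ == "__main__":
    print(to_pem_certificate(SAMPLE_BARE))
```

The check is structural only: it does not verify the certificate's validity period or that it matches the provider's current signing key.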

Delete certificate

  1. In the control panel, open the menu (account number) in the upper right corner and select Profile & Settings.
  2. Go to the Federations section.
  3. Open the federation page.
  4. In the IdP Certificates block, in the certificate row, click the delete icon.

Certificates for signing requests

The certificate for signing requests is generated automatically on the Selectel side if the federation has the Sign authentication requests option enabled.

You can download the certificate and upload it when configuring the federation on your credential provider's side; see Configure federation on the Keycloak side and Configure federation on the Active Directory Federation Services side.

Download a certificate for signing requests

  1. In the control panel, open the menu (account number) in the upper right corner and select Profile & Settings.
  2. Go to Federations.
  3. Open the federation page.
  4. In the Sign authentication requests field, click Download certificate. The certificate file in .crt format will be downloaded to your device.