Certificate creation

You must purchase or create a digital signing certificate for your organization before you can get credentials. A certificate contains a public key that is generated from a private key. In order to make calls to the APIs, you package your account credentials in a JSON Web Token (JWT), and sign it with the private key. Adobe uses the public key to authenticate the request.       

You must upload the public-key portion of the certificate to Adobe and use the private key to sign the JWT that you create.  You must retain your private key and keep it secure. It cannot be recovered or replaced.

Adobe does not check for revocation or trust chains of the certificate. If you want to revoke a certificate that you have associated with a technical account, you must do so explicitly using the Developer Portal. When you have done so, you can no longer use any JWT signed with that certificate to gain access.

The files that contain the public and private keys, and especially the private key, contain sensitive information. You must protect them at least as well as you would protect an account name and password. The best practice is to store the key file in a credential management system or to use file-system protection so that it can only be accessed by authorized users.

Creating a self-signed certificate

You can create certificates in Windows with Cygwin, which includes openssl. In Mac OS, you can use the built-in command-line tool openssl. To create a certificate with the command-line tool, open a terminal window in Mac OS, or a Cygwin shell window in Windows, and run the platform-specific tool. In either case, the tool creates a public key in a certificate (CRT) file, and a private key.

The openssl req command creates a private-key file and a certificate (CRT) file containing the public key. During the key-generation process, you are prompted to enter additional information to create a DN (Distinguished Name) for the public key. You can accept default values in some cases. To leave a field blank, enter "." (a dot character).

For example:

When the private key generation is complete, you see some instructions, and are prompted to enter DN information.

For example:

The certificate generated by this command expires in 1 year (365 days), at which point you can create a new one. You can make the period longer, but rotating credentials periodically is a good security practice.

In this example, the new private key file is named "private.key". You use the private key to sign your JSON Web Token (JWT). The contents of the private-key file look something like this:  

The command also creates a new certificate file named "certificate_pub.crt" that contains the public key. You must upload the certificate to Adobe when you create your API key. The contents of the certificate file look something like this:  

You can learn more about OpenSSL and other command parameters here: https://www.openssl.org/docs/man1.0.2/apps/req.html.
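The procedure above as a non-interactive script, added here as an example (it is not Adobe's own command listing). It uses the file names and 365-day validity stated on this page, then checks that the key pair matches, that the private key is owner-only, and how close the certificate is to expiry. The subject DN values, the RSA key size and the function names are assumptions.

```shell
#!/bin/sh
# Added example. Subject DN values below are constructed placeholders.

# make_cert DIR: write private.key and certificate_pub.crt into DIR.
make_cert() (
  dir="$1"
  umask 077   # new files are readable by the owner only
  # -subj supplies the DN so no prompts appear; -days 365 matches the page.
  # -nodes leaves the key unencrypted on disk, so file permissions (or a
  # credential management system) are its only protection.
  openssl req -x509 -sha256 -nodes -newkey rsa:2048 -days 365 \
    -subj "/C=US/O=Example Org/CN=example-integration" \
    -keyout "$dir/private.key" -out "$dir/certificate_pub.crt" 2>/dev/null
  chmod 600 "$dir/private.key"
)

# key_matches_cert DIR: succeed only if the certificate carries the public
# key that belongs to private.key (catches uploading a mismatched file).
key_matches_cert() (
  dir="$1"
  from_key=$(openssl pkey -in "$dir/private.key" -pubout | openssl dgst -sha256)
  from_crt=$(openssl x509 -in "$dir/certificate_pub.crt" -noout -pubkey |
    openssl dgst -sha256)
  [ "$from_key" = "$from_crt" ]
)

# expires_within_days DIR DAYS: succeed if the certificate expires within
# DAYS days. Useful as a scheduled rotation reminder.
expires_within_days() (
  ! openssl x509 -in "$1/certificate_pub.crt" -noout \
    -checkend $(( $2 * 86400 )) >/dev/null
)

# Demonstration in a throwaway directory.
demo_dir=$(mktemp -d)
if make_cert "$demo_dir" && key_matches_cert "$demo_dir"; then
  echo "key and certificate match"
  openssl x509 -in "$demo_dir/certificate_pub.crt" -noout -subject -enddate
fi
rm -rf "$demo_dir"
```

For real use, call `make_cert` on a directory that only the integration's service account can read, and upload only `certificate_pub.crt`.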
