Picking up and installing your client certificate for two factor authentication

Before you pick up your client certificate, you must:

  • Create a private key pair.
  • Generate a CSR.

Are you using Java? Then use the Java Keytool to create your key pair and generate your CSR. For other development environments, use either OpenSSL or Java Keytool.

By default, the Java keytool is in your JDK install directory (e.g., in Windows, it's C:\Program Files\Java\jdk version\bin). Download OpenSSL from https://www.openssl.org/.

Creating a private key pair

On the machine that you will use to access the SAS API, generate your key pair with Java Keytool or OpenSSL.

Java Keytool
keytool -genkeypair -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -keystore sas_keystore.p12 -storetype PKCS12 -storepass yourPasswordHere -alias sas
OpenSSL
openssl genrsa -out sas_key.key 2048

Generating a CSR

During CSR generation, enter the following information: your name, organization name, organizational unit, city, state, country.

Java Keytool
keytool -certreq -alias sas -keyalg RSA -sigalg SHA256withRSA -file sas_csr.csr -keystore sas_keystore.p12 -storetype PKCS12 -storepass yourPasswordHere
OpenSSL
openssl req -new -key sas_key.key -out sas_csr.csr

Getting your client certificate

Once you have your CSR, you are ready to get your client certificate.

To get your client certificate

  1. Use Firefox or Internet Explorer 10 or 11 to open the enrollment URL in your invitation.
  2. Follow the on-screen instructions to submit your CSR and download your certificate.

Importing your client certificate

When you download your client certificate, it is in the .p7b format. You need to change the certificate format. Use Java Keytool or OpenSSL to create a PKCS12 keystore.

Java Keytool
keytool -importcert -alias sas -trustcacerts -file sas_p7b.p7b -keystore sas_keystore.p12 -storetype PKCS12 -storepass yourPasswordHere
OpenSSL
openssl pkcs7 -print_certs -inform der -in sas_p7b.p7b -out sas_cert.cer
openssl pkcs12 -export -in sas_cert.cer -inkey sas_key.key -out sas_pkcs12.pfx
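
The OpenSSL path above as one script, with a check that the downloaded certificate matches your private key before the PKCS12 file is built. This is an added example, not part of the original instructions: the self-signing step stands in for the enrollment site so the script runs offline, and the subject values, issued.pem, the PFX_PASS variable and the function names are assumptions.

```shell
#!/bin/sh
# Added example. The self-signing step is a constructed stand-in for the CA
# enrollment site so the script runs offline; file names follow the page.
set -eu

# Print the PEM public key held in a private key or in a certificate.
pubkey_of() {  # $1 = key|cert, $2 = file
  case "$1" in
    key)  openssl pkey -in "$2" -pubout ;;
    cert) openssl x509 -in "$2" -noout -pubkey ;;
  esac
}

# True only if the certificate in $2 was issued for the private key in $1.
cert_matches_key() {
  k=$(pubkey_of key "$1") && c=$(pubkey_of cert "$2") &&
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Key -> CSR -> (stand-in CA) -> .p7b -> .cer -> checked .pfx, all inside $1.
build_pfx() (
  cd "$1" &&
  openssl genrsa -out sas_key.key 2048 2>/dev/null &&
  chmod 600 sas_key.key &&   # private key readable by its owner only
  openssl req -new -key sas_key.key -out sas_csr.csr \
    -subj "/CN=Example User/O=Example Org/C=US" &&
  # Stand-in for the CA: self-sign the CSR and wrap it as a DER .p7b.
  openssl x509 -req -in sas_csr.csr -signkey sas_key.key -days 1 \
    -out issued.pem 2>/dev/null &&
  openssl crl2pkcs7 -nocrl -certfile issued.pem -outform der \
    -out sas_p7b.p7b &&
  # The page's conversion, with a key-match check before the export.
  openssl pkcs7 -print_certs -inform der -in sas_p7b.p7b -out sas_cert.cer &&
  cert_matches_key sas_key.key sas_cert.cer &&
  # Passphrase comes from the environment, not from the command line.
  openssl pkcs12 -export -in sas_cert.cer -inkey sas_key.key \
    -out sas_pkcs12.pfx -passout env:PFX_PASS
)

PFX_PASS=constructed-example-password   # constructed value, not a real secret
export PFX_PASS
work=$(mktemp -d)
build_pfx "$work" && echo "wrote $work/sas_pkcs12.pfx"
```

With a real enrollment, drop the two stand-in commands and place the downloaded sas_p7b.p7b in the working directory; a failed cert_matches_key means the certificate was issued for a different key than sas_key.key.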

Windows environment considerations

Once you have your .p12 or .pfx formatted client certificate, add it to your personal certificate store.

Import the .p12 or .pfx certificate to your personal certificates

  1. Open an MMC console and add a Certificates snap-in for your user account.
  2. Expand Certificates - Current User, Personal, Certificates.
  3. In the Action menu, select All Tasks and click Import.
  4. Follow the on-screen prompts to import your certificate.
    On the Password step, select Mark this key as exportable.
  5. After the certificate is imported, check to ensure that the root and intermediate CA certificates are in your personal certificates.
    If the root and intermediate CA certificates are not present, add them.
  6. Open the WSDL endpoint in IE or Chrome to verify that the certificate is installed correctly. The browser should prompt you for your client certificate and display the WSDL.

After you import your client certificate, set up your development environment for making API calls with two factor authentication. See Generating Java or C# classes from the WSDL document.
