Create FIPS certificate for SAML

Rversion finale: Australia

Mis à jour 12 mars 2026

2 minutes de lecture

Generate FIPS 140-2 compliant self-signed certificates and keystores for SAML authentication, specifically for signing SAML assertions and encrypting SAML messages.

Avant de commencer

Role required: sso_config_admin, business_rule_admin, script_include_admin

Do the following:

Install Java on your machine and the key tool command-line tool accessible in your terminal (or "command prompt" if you are running it on a windows machine).
Perform the following steps to create a key store using FIPS-approved cryptographic algorithms (such as RSA 2048+ or ECDSA with SHA-256/SHA-384) that meets federal security requirements for identity federation and single sign-on implementations.

Procédure

Download the FIPS Provider Library.

Remarque :

Use the latest version is bc-fips-2.1.0.jar. Make sure you use the most recent version.

Generate the FIPS-Compliant key store and certificate.

Run the following key tool command to generate a self-signed certificate and key store.

Running on Linux/macOS Running on Windows:

Tableau 1. Key tool command
Running on Linux/macOS	Running on Windows:
`keytool -genkeypair \ -providername BCFIPS \ -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \ -providerpath <path_to_bc-fips-<version>>.jar \ -alias <key_alias> \ -keyalg RSA \ -keysize <key_size> \ -keystore <keystore_name>.bcfks \ -validity <validity> \ -storetype BCFKS \ -storepass <keystore_password>`	`keytool -genkeypair ^ -providername BCFIPS ^ -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider ^ -providerpath <path_to_bc-fips-<version>>.jar ^ -alias <key_alias> ^ -keyalg RSA ^ -keysize <key_size> ^ -keystore <keystore_name>.bcfks ^ -validity <validity> ^ -storetype BCFKS ^ -storepass <keystore_password>`

keytool -genkeypair \
  -providername BCFIPS \
  -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
  -providerpath <path_to_bc-fips-<version>>.jar \
  -alias <key_alias> \
  -keyalg RSA \
  -keysize <key_size> \
  -keystore <keystore_name>.bcfks \
  -validity <validity> \
  -storetype BCFKS \
  -storepass <keystore_password>

keytool -genkeypair ^
-providername BCFIPS ^
-providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider ^
-providerpath <path_to_bc-fips-<version>>.jar ^
-alias <key_alias> ^
-keyalg RSA ^
-keysize <key_size> ^
-keystore <keystore_name>.bcfks ^
-validity <validity> ^
-storetype BCFKS ^
-storepass <keystore_password>

Replace placeholders (<...>) with appropriate values:
- <path_to_bc-fips-<version>>.jar: Path to bc-fips-<version>.jar
- <key_alias>: Alias for the key pair
- <key_size>: 2048 or 4096
- <keystore_name>.bcfks: Desired file name for the key store
- <validity>: Expiry in days
- <keystore_password>: Password for the key store
Follow the prompts to enter additional DN (Distinguished Name) details for the certificate.

Remarque :
When you are prompted for a password for the key (alias), press the Enter or Return key to use the same password you used for the key store. Do not give a different password.
Securely store the key alias and key store password.
Provide these credentials while:
- Creating the sys_certificate record for this key store.
- Configuring the SAML Identity Provider to provide the signing key or encryption key alias and password.
Remarque :
The key password is same as the key store password specified during creation. Use the same password when configuring signing or encryption for the SAML Identity Provider.

Extract the Certificate Chain.

Running on Linux/macOS Running on Windows:

Tableau 2. Key tool command
Running on Linux/macOS	Running on Windows:
`keytool -exportcert \ -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \ -providerpath <path_to_bc-fips-<version>>.jar \ -storetype BCFKS \ -keystore <keystore_name>.bcfks \ -storepass <keystore_password> \ -alias <key_alias> \ -rfc \ -file <file_name>.cer`	`keytool -exportcert ^ -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider ^ -providerpath <path_to_bc-fips-<version>>.jar ^ -storetype BCFKS ^ -keystore <keystore_name>.bcfks ^ -storepass <keystore_password> ^ -alias <key_alias> ^ -rfc ^ -file <file_name>.cer`

keytool -exportcert \
  -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
  -providerpath <path_to_bc-fips-<version>>.jar \
  -storetype BCFKS \
  -keystore <keystore_name>.bcfks \
  -storepass <keystore_password> \
  -alias <key_alias> \
  -rfc \
  -file <file_name>.cer

keytool -exportcert ^
-provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider ^
-providerpath <path_to_bc-fips-<version>>.jar ^
-storetype BCFKS ^
-keystore <keystore_name>.bcfks ^
-storepass <keystore_password> ^
-alias <key_alias> ^
-rfc ^
-file <file_name>.cer

Replace placeholders (<...>) with appropriate values:

<path_to_bc-fips-<version>>.jar: Path to bc-fips-<version>.jar
<keystore_name>.bcfks: Key store file name as given in previous step
<keystore_password>: Key store password as given in previous step
<key_alias>: Key alias as given in previous step
<file_name>.cer: Desired file name for the extracted certificate in PEM format

Create a record on sys_certificate table.
1. Log in to ServiceNow AI Platform.
2. Navigate to All > Multi-Provider SSO > Administration > x509 Certificate.
3. Click New to create a record.
4. Select BCFKS key store as Type.
5. Attach the generated BCFKS key store file (<keystore_name>.bcfks).
6. Fill in other required fields, including the key store password provided during key store creation.
7. Click Validate Stores or Certificates related link to ensure the key store is valid.
8. Copy the sys_id of this record.