Nerd For Tech
Published in

Nerd For Tech

WSO2 Identity Server with CA-Signed Certificate to Connect with Office365

To connect to the office365 account using a local IAM provider such as WSO2 Identity Serer we need to have a CA-Signed Certificate. But before going through this article you need to have a domain for yourself and add that domain to Office365 domains. So to add your domain in Office365 follow this link first.

when you run the WSO2 identity server you will be provided with a URL ‘https://localhost:9443/carbon’ and when you try to access it with your browser you have to go through a page like below.

so what happening is actually when identity server is trying to access localhost via HTTPS browser need to verify that the identity server owns the localhost and the browser will request to give some prove from identity server, and then the identity server will provide the public certificate it has, but the problem is that public certificate is a self-signed certificate. So because it is a self-signed browser will warn the user that accessing the site is not secure if the user is trusting the identity server. so we can go to advanced in the browser and access the identity server admin login page.

but the problem is when we try to authenticate a Microsoft login from our localhost Microsoft can not see localhost as a trusted URL because it will only trust the certificate and not give a prompt for the user to trust the localhost. So the login will fail eventually. To avoid that we need a CA-Signed certificate.

Configuring CA-Signed Certificate in WSO2 Identity Server

Generate a New Keystore

So to create a new Keystore with a self-signed public certificate, let's create a folder and move on, the folder I use here will be called <CA_Keystore>

keytool -genkey -alias wso2carbon -keyalg RSA -keysize 2048 -keystore newkeystore.jks -dname "CN=<your_domain_name>, OU=Home,O=Home,L=SL,S=WS,C=LK" -storepass wso2carbon -keypass wso2carbon

the above command will create a Keystore with the name newkeystore.jks. If the keytool command is not working in ubuntu you need to check that you set the $PATH and $JAVA_HOME environment variables correctly. if we sneak peek into the keytool command that we executed there are

  • CN - Common name: Common name is the server identity thus in a way this Keystore tells, “I represent this domain”. So this is the place you want to put your domain name.
  • storepass - Password of this Keystore.
  • keypasss - Password of the private key.
  • alias - Alias is what binds your private key to the public key
  • 2048- this means the private key length is 2048 characters

As you can see, I have used wso2carbon for the alias, keypass, and storepass. This is to update our WSO2 IS Keystore certificate with ease. If you want to use different passwords for keypass and storepass, please refer to this article.

Generate a Certificate Signing Request(CSR)

So now we have a Keystore with public and private key-value pair. for the domain name, I specified the CN=<your_domain_name> with my domain name which is you can see we add any name for our CN. I can even add ‘’ for my CN, but no one will trust us that we own the domain right? so the problem is how we will show that to everyone we are the one who actually owns this domain?

The answer is we need to get a public certificate out from the created Keystore. This will contain the cryptographic public key requires for secured communication, as well as the CN name. Then we prove that we own this CN to a reputed guy and get him signed on this certificate. In technical terms, this reputed guy is called a Certificate Authority (CA).

To sign the certificate first, we need to create a certificate signing request (CSR) for our Keystore. This will be presented to the CA to get a signed certificate. To do that run the below command in the terminal. it will request the Keystore password provide the password that you used when creating Keystore.

keytool -certreq -alias wso2carbon -file newcertreq.csr -keystore newkeystore.jks

Get the Signed Certificate from a Certificate Authority (CA)

Now we need to show that our CSR to a CA and get the CA-Signed Certificate. There are like many CAs that you need to pay money and get a CA-Signed certificate and there are some free ones too. I tried which will give a free CA-Signed certificate for 90 days.

so go here enter your domain and click create free SSL Certificate and then you need to create an account then they will prompt you to your dashboard where you can complete the certificate signing process. but before signing a domain name you actually need to have that domain for your self. there is a website called freenom where you can have a .tk domain for free. And you need to add that domain in Office365 domains because we are going to connect to Office365 using that domain. So for adding the domain to Office365 follow this link.

Ok in sslforfree you can continue the CA request by providing the domain name you have.

then they will show you the validity period of that certificate.

Then for the CSR and Contact, you need to select paste existing CSR option. and we need to enter our CSR in “pem” format to that textbox.

From here onward, I’m gonna switch to the Keytool GUI version. For the remaining tasks, it is an easier tool compared with the command-line key tool. Open the newcertreq.csr file you created above, using the Keytool GUI. Now click on the PEM button.

paste that value into textbox requesting CSR and click next. then they will ask your plan to select the free 90 days version one again and click finish.

Then they will ask you to verify your domain. Because they actually want to know that you really own this domain. So they will request you to verify your domain. the easiest way is to add a CNAME record to your DNS.

So we added this as a domain to our Office365 and changed our freenom name servers to Microsoft name servers. So to add a record you need to login into the Office365 admin panel and go to the domains section there and select the domain and click add a record and then add the CNAME record.

If everything goes well, and you waited enough time for our added DNS property to available, the server will realize that the domain actually owns by you and give you the CA-Signed certificate.

the certificate has been issued and it is ready for installation. So now you can download your CA-Signed certificate and we unzip the zip file and look at the files in there there will be two files.

  • ca_bundle.crt - CA-Signed certificate
  • certificate.crt - A set of intermediate certificates

Now go back to the <CA_Keystore> folder with these files in hand. Open the newkeystore.jks file using the Keytool GUI and import the ca_bundle.crt file received above, using tools -> import trusted certificate. Use an alias other than wso2carbon.

Now you can see a key pair called wso2carbon in the Keystore. Alongside the newly added certificate. This is the private key+self signed public key pair.

now we need to add our CA-signed certificate now. That will replace the existing public key in this key pair. To do that, right-click on the wso2carbon and click Import CA reply. Select the CA-Signed certificate, certificate.crt received from FreeSSL.

Now we have successfully added a CA-Signed certificate to the newuserstore.jks Keystore. Double click on the wso2carbon key pair. It will show the public certificate details. Which says this has been signed by the USERTrust RSA Certification Authority.

Now let’s add this public certificate to the trust store of the WSO2 Identity Server. First, export the public certificate. Right-click in the wso2carbon key pair again. Select Export -> Export Certificate Chain. Get the exported x.509.cer file.

Replacing WSO2 Identity Server Keystore

Now go to the <IS_HOME>/repository/resources/security/ where you will see the following files.

Remove <IS_HOME>/repository/resources/security/wso2carbon.jks file and copy <CA_KEYSTORE>/newkeystore.jks file there. Rename newkeystore.jks as wso2carbon.jks.

Open <IS_HOME>/repository/resources/security/client-truststore.jks using keytool GUI and import the x.509 public certificate that we exported from the newkeystore.jks earlier via tools->import the trusted certificate.

And also open <IS_HOME>/repository/conf/deployment.toml file and change <HostName> values to the because this will be the hostname of the WSO2 Identity Server.

It’s all done now, Start your WSO2 IS instance (if this is running already you need to restart it)

Now if we look at the certificate via browser it shows that now we have a trusted certificate.

Find out more about the WSO2 Identity Server from



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Maneesha Indrachapa

Maneesha Indrachapa

Software Engineer | Computer Science and Engineering Graduate @ University of Moratuwa | Richmondite