# Certificates with OpenSSL

### Generating Key Pairs for Workday Integration

To ensure secure communication between Veza and Workday, we adopt an authentication mechanism using public-private key pairs. This approach uses SSL (Secure Sockets Layer) technology, which establishes encrypted links between servers and clients, ensuring that all data transmitted remains private and secure. X.509 is a standard format for public key certificates, which verify the ownership of a cryptographic public key for secure communication.

{% hint style="info" %}
**Easier option:** You can generate the certificate and private key directly in Veza when configuring the Workday integration. Click **Generate & Download Certificate and Private Key** in the integration form. Veza downloads two files: a `workday-certificate.crt` public certificate and a `workday-certificate.pem` private key. The instructions below are for users who prefer to generate certificates manually or need to use a CA-signed certificate.
{% endhint %}

#### Why is this necessary?

1. **Security**: Public-private key pairs are the foundation of many cryptographic protocols, ensuring the confidentiality, authenticity, and integrity of data.
2. **Authentication**: Workday can verify that data received is genuinely from Veza, ensuring trusted communication.
3. **Non-repudiation**: Transactions signed with the private key can be proven to come from Veza.

### Installation

#### Linux

1. Most Linux distributions include OpenSSL by default. If not:
   * Debian or Ubuntu: `sudo apt update && sudo apt install openssl`
   * Red Hat: `sudo yum install openssl`
   * Fedora: `sudo dnf install openssl`

#### Mac

1. OpenSSL is included with macOS by default. If you need a specific version or updates:
   * Use [Homebrew](https://brew.sh/): `brew install openssl`

#### Windows

* OpenSSL Binary:
  * Download and install from [OpenSSL Binaries](https://wiki.openssl.org/index.php/Binaries).
  * Add OpenSSL's `bin` directory to your system's PATH.
* Windows Subsystem for Linux (WSL):
  * Install [WSL](https://docs.microsoft.com/en-us/windows/wsl/install).
  * Run the Linux distribution and install OpenSSL using its package manager (e.g., `sudo apt install openssl` for Ubuntu).
* Git Bash for Windows:
  * Install [Git for Windows](https://gitforwindows.org/), which includes Git Bash.
  * Use OpenSSL directly from the Git Bash terminal.
* Package Manager for PowerShell:
  * Use a package manager like [Chocolatey](https://chocolatey.org/). After installing Chocolatey, run: `choco install openssl`

Alternatively, you can use the Microsoft Management Console (MMC):

* Use the built-in MMC snap-in to manage certificates:
  1. Press `Win + R`, type `mmc`, and press Enter.
  2. File > Add/Remove Snap-in > Certificates > Add.
  3. Follow the wizard to manage personal certificates and trusted root certificates.

### Generate Key Pairs with OpenSSL

**1. Generate a Private Key:**

* The private key is the foundation of your security protocol. Ensure it is secure and never exposed.

  Generate it with OpenSSL in PEM format:

  ```shell
  openssl genpkey -algorithm RSA -out private_key.pem
  ```

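  If you need additional security, encrypt the key file with a passphrase and save the passphrase in a secure location. The command below writes an encrypted copy to `encrypted_private_key.pem`; the original `private_key.pem` remains on disk unencrypted: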

  ```shell
  openssl rsa -aes256 -in private_key.pem -out encrypted_private_key.pem
  ```

  During Veza integration configuration, you will upload this private key file and, if encrypted, enter its passphrase.

**2. Generate a Certificate Signing Request (CSR):**

* A CSR is a request for a certificate authority (CA) to validate and certify your public key. The CSR includes information such as your organization and domain.

  Generate the CSR:

  ```shell
  openssl req -new -key private_key.pem -out signing_request.csr
  ```

  During the process, you'll be prompted to enter details like your organization and common name (CN). These are optional depending on your integration requirements.

  After generating the CSR, you can either:

  * Submit the CSR to a trusted Certificate Authority for a signed certificate.
  * Create a self-signed certificate, which might not be trusted universally but is sufficient for testing or internal use.

**3. Generate a Self-Signed Certificate:**

* Using the CSR and private key, generate the certificate:

  ```shell
  openssl x509 -req -days 365 -in signing_request.csr -signkey private_key.pem -out your_cert.crt
  ```

  In this example, `-days` sets the number of days the certificate is valid for.

Paste the contents of this certificate, which includes the public key, when configuring the API client registration in Workday.
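
The three steps above, run end to end without prompts and followed by two checks worth making before uploading anything: that the certificate's public key matches the private key, and that the certificate is not about to expire. This is an added example, not part of Veza's documentation; the `-subj` value, the explicit 2048-bit key size, and the scratch directory are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: file names follow the page; the -subj value is a constructed placeholder.

pubkey_digest() {
    # Read a PEM public key on stdin and print the SHA-256 of its DER encoding.
    openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

generate_and_check() {
    dir=$1
    umask 077   # files created from here on are readable by the owner only
    # Step 1: private key
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/private_key.pem" 2>/dev/null || return 1
    # Step 2: CSR, with -subj supplying the details the prompts would ask for
    openssl req -new -key "$dir/private_key.pem" \
        -subj "/O=Example Org/CN=veza-workday-example" \
        -out "$dir/signing_request.csr" || return 1
    # Step 3: self-signed certificate
    openssl x509 -req -days 365 -in "$dir/signing_request.csr" \
        -signkey "$dir/private_key.pem" -out "$dir/your_cert.crt" 2>/dev/null || return 1

    # Check: public key inside the certificate equals the one derived from the private key.
    cert_pub=$(openssl x509 -in "$dir/your_cert.crt" -noout -pubkey | pubkey_digest)
    key_pub=$(openssl pkey -in "$dir/private_key.pem" -pubout | pubkey_digest)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 2

    # Check: fail if the certificate expires within 30 days (2592000 seconds).
    openssl x509 -in "$dir/your_cert.crt" -noout -checkend 2592000 >/dev/null || return 3
    return 0
}

workdir=$(mktemp -d)
if generate_and_check "$workdir"; then
    echo "certificate matches private key and is valid for at least 30 days"
    openssl x509 -in "$workdir/your_cert.crt" -noout -subject -enddate
fi
rm -rf "$workdir"
```

The same two checks apply unchanged to a CA-signed certificate: point them at the file the CA returned instead of `your_cert.crt`.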

