Certificates with OpenSSL

Generating Key Pairs for Workday Integration

To ensure secure communication between Veza and Workday, we adopt an authentication mechanism using public-private key pairs. This approach uses SSL (Secure Socket Layer) technology, which establishes encrypted links between servers and clients, ensuring that all data transmitted remains private and secure. x509 certificates are a standard format for public key certificates, verifying the ownership of a cryptographic public key for secure communication.

Why is this necessary?

1. Security: Public-private key pairs are the foundation of many cryptographic protocols, ensuring the confidentiality, authenticity, and integrity of data.

2. Authentication: Workday can verify that data received is genuinely from Veza, ensuring trusted communication.

3. Non-repudiation: Transactions signed with the private key can be proven to come from Veza.

Installation

Linux

1. Most Linux distributions include OpenSSL by default. If not:

   • Debian or Ubuntu: sudo apt update && sudo apt install openssl

   • Red Hat: sudo yum install openssl

   • Fedora: sudo dnf install openssl

Mac

1. OpenSSL is included with macOS by default. If you need a specific version or updates:

   • Use : brew install openssl

Windows

• OpenSSL Binary:

  • Add OpenSSL's bin directory to your system's PATH.

• Windows Subsystem for Linux (WSL):

  • Run the Linux distribution and install OpenSSL using its package manager (e.g., sudo apt install openssl for Ubuntu).

• Git Bash for Windows:

  • Use OpenSSL directly from the Git Bash terminal.

• Package Manager for PowerShell:

Alternately, you can use the Microsoft Management Console (MMC):

• Use the built-in MMC snap-in to manage certificates:

  1. Press Win + R, type mmc, and press Enter.

  2. File > Add/Remove Snap-in > Certificates > Add.

  3. Follow the wizard to manage personal certificates and trusted root certificates.

Generate Key Pairs with OpenSSL

1. Generate a Private Key:

• The private key is the foundation of your security protocol. Ensure it is secure and never exposed.

  Generate it with OpenSSL in PEM format:

  Copy

  openssl genpkey -algorithm RSA -out private_key.pem

  If you need additional security, encrypt the key file with a passphrase. Save the passphrase in a secure location:

  Copy

  openssl rsa -aes256 -in private_key.pem -out encrypted_private_key.pem

  During Veza integration configuration, you will upload this private key file and, if encrypted, enter its passphrase.

2. Generate a Certificate Signing Request (CSR):

• A CSR is a request for a certificate authority (CA) to validate and certify your public key. The CSR includes information such as your organization and domain.

  Generate the CSR:

  Copy

  openssl req -new -key private_key.pem -out signing_request.csr

  During the process, you'll be prompted to enter details like your organization and common name (CN). These are optional depending on your integration requirements.

  Post generation, you can either:

  • Submit the CSR to a trusted Certificate Authority for a signed certificate.

  • Create a self-signed certificate, which might not be trusted universally but is sufficient for testing or internal use.

3. Generate a Self-Signed Certificate:

• Using the CSR and private key, generate the certificate:

  Copy

  openssl x509 -req -days 365 -in signing_request.csr -signkey private_key.pem -out your_cert.crt

  In this example, days sets the length of time the certificate is valid for.

Paste the contents of this certificate, which includes the public key, when configuring the API client registration in Workday.