YouTrack Standalone 2020.6 Help

Set Up SSL Keys for SAML 2.0

To use YouTrack as the Identity Provider with SAML, you must encrypt the connection between YouTrack and a Service Provider. You need to generate an SSL key and a certificate, pack them in a PKCS12 format file, and upload this keystore to YouTrack.

There are several tools that let you create SSL keys and certificates in PKCS12 format. We describe how to create SSL key with the OpenSSL toolkit.

To create an SSL keystore with OpenSSL:

  1. Generate a new 2048 bit RSA key with password protection:

    openssl genrsa -des3 -out YouTrack_SAML.key 2048

  2. Generate a certificate request for the generated key:

    openssl req -new -key YouTrack_SAML.key -out YouTrack_SAML.csr

  3. Generate a certificate:

    openssl x509 -req -days 365 -in YouTrack_SAML.csr -signkey YouTrack_SAML.key -out YouTrack_SAML.crt

  4. Package the key and the certificate in a PKCS12 file:

    openssl pkcs12 -export -out YouTrack_SAML.p12 -inkey YouTrack_SAML.key -in YouTrack_SAML.crt -certfile YouTrack_SAML.crt
    • You have a PKCS12 key store (YouTrack_SAML.p12 in the example) that is ready for upload to YouTrack.

To import the PKCS12 keystore to YouTrack:

  1. In the Server Settings section of the Administration menu, select SSL Keystores.

  2. Click the Import keystore button.

  3. In the sidebar, select the created .p12 key file, provide the password, and upload the keystore to YouTrack.

  4. In the Access Management section of the Administration menu, select SAML 2.0.

  5. Select the keystore in the SSL Key list on the Settings tab.

SAML SSL key added

YouTrack encrypts the connection with SAML Service Providers using the selected SSL Key. YouTrack also extracts and displays the SHA-256, SHA-1, and MD-5 Fingerprints of the certificate that is packed into the selected keystore.

A service provider may require any of these fingerprints to enable and configure SAML2.0 on its side.

Last modified: 30 March 2021