This content describes an older version of this product.

Create a Private Key and Self-Signed Digital Certificate

The OAuth 2.0 JWT bearer authorization flow requires a digital certificate and the private key that was used to sign the certificate. You upload the digital certificate to the custom connected app that the JWT bearer authorization flow also requires. You can use your own private key and a certificate issued by a certification authority. Alternatively, you can use OpenSSL to create a key and a self-signed digital certificate.

This process produces two files.

  • server.key—The private key. You specify this file when you authorize an org with the auth:jwt:grant command.
  • server.crt—The digital certificate. You upload this file when you create the connected app required by the JWT bearer flow.

  1. If necessary, install OpenSSL on your computer.
    To check whether OpenSSL is installed on your computer, run this command.
    which openssl
  2. In Terminal or a Windows command prompt, create a directory to store the generated files, and change to that directory.
    mkdir /Users/jdoe/JWT
    cd /Users/jdoe/JWT
  3. Generate a private key, and store it in a file called server.key.
    openssl genrsa -des3 -passout pass:SomePassword -out server.pass.key 2048
    openssl rsa -passin pass:SomePassword -in server.pass.key -out server.key
    You can delete the server.pass.key file because you no longer need it.
  4. Generate a certificate signing request using the server.key file. Store the certificate signing request in a file called server.csr. Enter information about your company when prompted.
    openssl req -new -key server.key -out server.csr
  5. Generate a self-signed digital certificate from the server.key and server.csr files. Store the certificate in a file called server.crt.
    openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
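The following script is an added example, not part of the original page or the Salesforce CLI: it runs steps 3 through 5 non-interactively (using -subj instead of the prompts, and writing the key unencrypted with 0600 permissions instead of going through server.pass.key), then checks that server.crt really carries the public key of server.key and reports the expiry date you need to track before the JWT grants stop working. The output directory and the subject DN are placeholders.

```shell
#!/bin/sh
# Added example: non-interactive key and self-signed certificate generation
# for the JWT bearer flow, with post-generation checks. Assumes openssl is on
# PATH; directory and subject DN are placeholders.
set -eu

make_jwt_keypair() {
    dir="$1"                              # output directory, e.g. "$HOME/JWT"
    subj="${2:-/CN=jwt-bearer-example}"   # placeholder subject DN
    mkdir -p "$dir"
    (
        cd "$dir"
        # Step 3: private key. umask 077 makes server.key readable only by
        # the owner, since this key authorizes the org on its own.
        umask 077
        openssl genrsa -out server.key 2048 2>/dev/null
        # Step 4: certificate signing request, answered via -subj.
        openssl req -new -key server.key -out server.csr -subj "$subj" 2>/dev/null
        # Step 5: self-signed certificate, valid for 365 days.
        openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key \
            -out server.crt 2>/dev/null
    )
}

# Confirm the certificate was signed with this key: the public key extracted
# from server.key must be byte-identical to the one embedded in server.crt.
# Returns 0 when they match, 1 otherwise.
verify_jwt_keypair() {
    dir="$1"
    key_pub=$(openssl pkey -in "$dir/server.key" -pubout 2>/dev/null | openssl sha256)
    crt_pub=$(openssl x509 -in "$dir/server.crt" -pubkey -noout 2>/dev/null | openssl sha256)
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Print the notAfter date so the certificate can be rotated in the connected
# app before it expires.
cert_expiry() {
    openssl x509 -in "$1/server.crt" -noout -enddate | sed 's/^notAfter=//'
}
```

Run it as `make_jwt_keypair "$HOME/JWT" "/CN=your-org"` followed by `verify_jwt_keypair "$HOME/JWT"`; upload server.crt to the connected app only when the verification succeeds.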