Create a Private Key and Self-Signed Digital Certificate

Authorizing an org with the org login jwt command requires a digital certificate and the private key used to sign the certificate. We highly recommend that you use your own private key and a certificate issued by a certification authority. To get started, you can also use OpenSSL to create a key and a self-signed digital certificate. A private key and certificate aren't required when you authorize an org by logging in through a web browser instead.

Warning

The steps in this topic are for sample purposes only. You can use the generated key and certificate to get started, but check with your company's security policies before you use either of them in a production environment.

This process produces two files:

  • server.key—The private key. You specify this file when you authorize an org with the org login jwt command.
  • server.crt—The digital certificate. You upload this file when you create the required external client app or connected app.

  1. Open a terminal (macOS and Linux) or command prompt (Windows).
  2. If necessary, install OpenSSL on your computer.
    To check whether OpenSSL is installed on your computer, run the which command on macOS or Linux or the where command on Windows.
    which openssl
  3. Create a directory for storing the generated files, and change to the directory.
    mkdir /Users/jdoe/JWT
    cd /Users/jdoe/JWT
  4. Generate a private key, and store it in a file called server.key.
    openssl genpkey -aes-256-cbc -algorithm RSA -pass pass:SomePassword -out server.pass.key -pkeyopt rsa_keygen_bits:2048
    openssl rsa -passin pass:SomePassword -in server.pass.key -out server.key
  5. Generate a certificate signing request by using the server.key file. Store the certificate signing request in a file called server.csr. Enter information about your company when prompted.
    openssl req -new -key server.key -out server.csr
  6. Generate a self-signed digital certificate from the server.key and server.csr files. Store the certificate in a file called server.crt.
    openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
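As an added example (not part of the Salesforce documentation), the six steps above collapsed into a POSIX shell script that generates the files non-interactively and then verifies that server.crt really belongs to server.key before you upload it. It assumes openssl is on PATH; the subject /CN=jwt-sample and the directory argument are placeholders, and the key is written unencrypted in one step rather than through the server.pass.key intermediate.

```shell
#!/bin/sh
# Added example, not from the Salesforce docs: create server.key / server.csr /
# server.crt in DIR without prompts, then check the result before uploading.
set -eu

# make_jwt_cert DIR -> writes DIR/server.key, DIR/server.csr, DIR/server.crt
make_jwt_cert() {
  dir="$1"
  mkdir -p "$dir"
  # umask 077 so the private key is created owner-readable only (mode 0600).
  ( umask 077
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$dir/server.key" 2>/dev/null )
  # -subj replaces the interactive company prompt; /CN=jwt-sample is a placeholder.
  openssl req -new -key "$dir/server.key" -subj "/CN=jwt-sample" \
    -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
    -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# verify_jwt_cert DIR -> exit 0 only if the cert's public key matches the
# private key, the self-signature verifies, the cert is not expired, and
# server.key is not readable by group or others.
verify_jwt_cert() {
  dir="$1"
  key_pub=$(openssl pkey -in "$dir/server.key" -pubout 2>/dev/null)
  crt_pub=$(openssl x509 -in "$dir/server.crt" -pubkey -noout 2>/dev/null)
  [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ] || return 1
  # A self-signed cert must verify against itself as the trust anchor.
  openssl verify -CAfile "$dir/server.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
  # -checkend 0 fails once the notAfter date has passed.
  openssl x509 -in "$dir/server.crt" -checkend 0 -noout >/dev/null 2>&1 || return 1
  # GNU stat first, BSD/macOS stat as fallback.
  perms=$(stat -c %a "$dir/server.key" 2>/dev/null || stat -f %Lp "$dir/server.key")
  case "$perms" in
    600|400) return 0 ;;
    *) return 1 ;;
  esac
}
```

Run make_jwt_cert "$HOME/JWT" followed by verify_jwt_cert "$HOME/JWT"; a non-zero exit from the second call means the pair should not be uploaded.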
Now create an external client app and upload the digital certificate to it. If you're authorizing a Dev Hub and you plan to create scratch orgs or sandboxes later with the org create scratch|sandbox commands, then you must create a connected app instead.