Certificate creation

You must purchase or create a digital signing certificate for your organization before you can get credentials. A certificate contains a public key that is generated from a private key. To make calls to the APIs, you package your account credentials in a JSON Web Token (JWT) and sign it with the private key. Adobe uses the public key to authenticate the request.

You must upload the public-key portion of the certificate to Adobe and use the private key to sign the JWT that you create. You must retain your private key and keep it secure. It cannot be recovered or replaced.

Adobe does not check for revocation or trust chains of the certificate. If you want to revoke a certificate that you have associated with a technical account, you must do so explicitly using the Developer Portal. When you have done so, you can no longer use any JWT signed with that certificate to gain access.

The files that contain the public and private keys, but especially the private key, contain sensitive information. You must protect them at least as well as you would protect an account name and password. The best practice is to store the key file in a credential management system or to use file-system protection so that it can only be accessed by authorized users.

Creating a self-signed certificate

You can create certificates in Windows with Cygwin, which includes openssl. In Mac OS, you can use the built-in command-line tool openssl. To create a certificate with the command-line tool, open a terminal window in Mac OS, or a Cygwin shell window in Windows, and run the platform-specific tool. In either case, the tool creates a public key in a certificate (CRT) file, and a private key.

The openssl req command creates a private-key file and a certificate (CRT) file containing the public key. During the key-generation process, you are prompted to enter additional information to create a DN (Distinguished Name) for the public key. You can accept default values in some cases. To leave a field blank, enter "." (a dot character).

For example:

$ openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout private.key -out certificate_pub.crt
Generating a 2048 bit RSA private key
....................................................................................+++
............................+++
writing new private key to 'private.key'
-----

When the private key generation is complete, you see some instructions, and are prompted to enter DN information.

For example:

Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: California
Locality Name (eg, city) []: San Jose
Organization Name (eg, company) [Internet Widgits Pty Ltd]: My Company
Organizational Unit Name (eg, section) []: My Department
Common Name (e.g. server FQDN or YOUR name) []: Jane Administrator
Email Address []: j_admin@my_company.com

The certificate generated by this command expires in 1 year (365 days), at which point you can create a new one. You can make the period longer, but rotating credentials periodically is a good security practice.

In this example, the new private key file is named "private.key". You use the private key to sign your JSON Web Token (JWT). The contents of the private-key file look something like this:

-----BEGIN PRIVATE KEY-----
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDuRjXRJVYouxCl
o5fMCikkjaEgaIN6hVqsyM8hzAXJkPglpB1tSwFy968+S/4YnLZ2sZs2WCM17oVX
…
ObGhwhcnvUoqweQ3rMlJH3nGVg==
-----END PRIVATE KEY-----

The command also creates a new certificate file named "certificate_pub.crt" that contains the public key. You must upload the certificate to Adobe when you create your API key. The contents of the certificate file look something like this:

-----BEGIN CERTIFICATE-----
MIIEPTCCAyWgAwIBAgIJANU6Eel69NilMA0GCSqGSIb3DQEBCwUAMIG0MQswCQYD
VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTERMA8GA1UEBwwIU2FuIEpvc2Ux
…
9ygguNdPe5SDGXueubbPVTEaee6mQamXhcnQ/1jQtNutUHJvwGng4MxLUkdim4/g
pqNlSLSXS26Dwu6qkBBpxdKA02qSK4lcfDkQwNR+ClrE
-----END CERTIFICATE-----
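The following script is an added example, not part of the original page or Adobe's own tooling. It runs the same openssl req command as above non-interactively (the DN values are passed with -subj instead of typed at the prompts), restricts the private key file to its owner, checks that the public key in the certificate really belongs to the private key, checks the expiry date, and then signs and verifies a JWT the way the page describes: signed with private.key, verified with the public key taken from certificate_pub.crt. It assumes openssl is on PATH, that the JWT is signed with RS256 (RSA with SHA-256), and uses constructed placeholder claims; the real claim values come from your Adobe developer credentials.

```shell
#!/bin/sh
# Added example (not from the original page): key pair generation, sanity
# checks and an RS256 JWT sign/verify round trip using only openssl.
# Assumptions: openssl on PATH; DN values, file names and JWT claims are
# constructed placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/private.key"
CRT="$WORKDIR/certificate_pub.crt"
PUB="$WORKDIR/certificate_pub.pem"

# 1. Same command as the page, with -subj so no interactive DN prompts appear.
gen_cert() {
  openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
    -keyout "$KEY" -out "$CRT" \
    -subj "/C=US/ST=California/L=San Jose/O=My Company/OU=My Department/CN=Jane Administrator/emailAddress=j_admin@my_company.com" \
    2>/dev/null
  chmod 600 "$KEY"                                 # private key: owner-only access
  openssl x509 -in "$CRT" -pubkey -noout > "$PUB"  # public key as it will be used to verify
}

# 2. The certificate's public key must be derived from this private key.
#    Comparing a hash of the RSA modulus from each file is the usual check.
key_matches_cert() {
  k=$(openssl rsa  -in "$KEY" -noout -modulus 2>/dev/null | openssl dgst -sha256)
  c=$(openssl x509 -in "$CRT" -noout -modulus 2>/dev/null | openssl dgst -sha256)
  [ "$k" = "$c" ]
}

# 3. Succeeds only if the certificate is still valid for at least $1 seconds,
#    so rotation can be scheduled before a 365-day certificate expires.
cert_valid_for() {
  openssl x509 -in "$CRT" -noout -checkend "$1" >/dev/null
}

# base64url helpers (RFC 7515): '+' -> '-', '/' -> '_', no padding.
b64url()        { openssl base64 -A | tr '+/' '-_' | tr -d '='; }
b64url_decode() {
  s=$(tr '_-' '/+')
  case $(( ${#s} % 4 )) in 2) s="$s==" ;; 3) s="$s=" ;; esac
  printf '%s' "$s" | openssl base64 -d -A
}

# 4. Sign a JWT: base64url(header).base64url(payload).base64url(RSA-SHA256 sig)
sign_jwt() {
  header=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url)
  payload=$(printf '%s' "$1" | b64url)
  sig=$(printf '%s.%s' "$header" "$payload" | openssl dgst -sha256 -sign "$KEY" | b64url)
  printf '%s.%s.%s' "$header" "$payload" "$sig"
}

# 5. Verify a JWT with the public key only, as the relying party would.
verify_jwt() {
  signing_input=${1%.*}
  printf '%s' "${1##*.}" | b64url_decode > "$WORKDIR/sig.bin"
  printf '%s' "$signing_input" | \
    openssl dgst -sha256 -verify "$PUB" -signature "$WORKDIR/sig.bin" >/dev/null 2>&1
}

# Demo run. Placeholder claims; replace with the values from your credentials.
gen_cert
key_matches_cert && echo "private key matches certificate"
cert_valid_for 2592000 && echo "certificate valid for at least 30 more days"
JWT=$(sign_jwt "{\"iss\":\"ORG_ID_PLACEHOLDER\",\"sub\":\"TECH_ACCOUNT_ID_PLACEHOLDER\",\"exp\":$(( $(date +%s) + 300 ))}")
verify_jwt "$JWT" && echo "JWT signature verified with certificate_pub.crt"
```

The tamper case is the point of the public-key check: changing a single character of the payload, or signing with a different key, makes verify_jwt fail, which is exactly what Adobe's side does when the uploaded certificate no longer matches the key used to sign.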

You can learn more about OpenSSL and the other parameters of the req command here: https://www.openssl.org/docs/man1.0.2/apps/req.html.