# Server certificate management

There are two options for certificate management:

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">1. </span>The easiest, fastest and cheapest one: do not create any public or private key, and do not enter any certificate chain. At first startup, Soffid Identity Provider will generate a new public/private key pair. Using this key, Soffid IdP will create a self-signed certificate and store it in the certificate chain field.

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">2. </span>The secure one:

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">2.1. </span>Create a public/private key.

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">2.2. </span>Generate a PKCS#10 file (a certificate signing request). Use this file to request a certificate from a well-known certificate authority.

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">2.3. </span>After some paperwork, the certificate authority will give you a valid certificate.

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">2.4. </span>The certificate can be in PEM or DER format. If it's in PEM format, it will start with a line saying

\-----BEGIN CERTIFICATE-----  
In such a case, just paste its contents into the certificate chain field.  
If it's in binary DER format, you can use openssl to convert it from DER to PEM:  
<span style="color: #0000ff;">openssl x509 -in &lt;DER-FILE&gt; -inform DER -out &lt;PEM-FILE&gt; -outform PEM</span>  
Sometimes your CA will give you a base64 encoded DER file. In such a case, convert it to PEM using:  
<span style="color: #0000ff;">openssl base64 -d -in &lt;DER-FILE&gt; | openssl x509 -inform DER -out &lt;PEM-FILE&gt; -outform PEM</span>
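
The format handling in step 2.4, as an added example that is not part of the original Soffid documentation: it detects which of the three formats the CA delivered, converts to PEM with the same openssl commands, and checks that the certificate carries the public key from the PKCS#10 request. The function names are hypothetical, and it assumes the request file is PEM-encoded.

```shell
#!/bin/sh
# Added example: normalise a CA-issued certificate to PEM before pasting it
# into the certificate chain field. All function names are hypothetical.

# cert_format FILE: print PEM, DER or B64DER; return 1 if FILE is none of them.
cert_format() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then
        echo PEM
    elif openssl x509 -in "$1" -inform DER -noout 2>/dev/null; then
        echo DER
    # Assumes line-wrapped base64; single-line input also needs the -A flag.
    elif openssl base64 -d -in "$1" 2>/dev/null |
         openssl x509 -inform DER -noout 2>/dev/null; then
        echo B64DER
    else
        return 1
    fi
}

# to_pem IN OUT: write the certificate found in IN to OUT in PEM format.
to_pem() {
    fmt=$(cert_format "$1") || {
        echo "unrecognised certificate file: $1" >&2
        return 1
    }
    case $fmt in
        # Copy PEM as-is so any extra chain certificates in the file survive.
        PEM)    openssl x509 -in "$1" -noout && cp "$1" "$2" ;;
        DER)    openssl x509 -in "$1" -inform DER -out "$2" -outform PEM ;;
        B64DER) openssl base64 -d -in "$1" |
                openssl x509 -inform DER -out "$2" -outform PEM ;;
    esac
}

# cert_fingerprint PEM_FILE: SHA-256 fingerprint, to compare before and after.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# cert_matches_csr CERT_PEM CSR_PEM: succeed only if the certificate contains
# the same public key as the PKCS#10 request (assumed PEM) sent to the CA.
cert_matches_csr() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    csr_pub=$(openssl req -in "$2" -noout -pubkey) || return 1
    [ "$cert_pub" = "$csr_pub" ]
}
```

A certificate that fails `cert_matches_csr` was issued for a different key pair and will not work with the private key held by the identity provider.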