You need to create a root certificate, as well as a user certificate for the components of the user identity service.
You can create the necessary certificates using a certification authority or on your own using the OpenSSL and keytool utilities.
To create certificates using the OpenSSL and keytool utilities:
mkdir ssl
cd ssl
Generate the private key ca_key.pem by running the following command:
openssl genpkey -algorithm RSA -out ca_key.pem -pkeyopt rsa_keygen_bits:4096
Create the root certificate ca.pem and sign it with the generated key by running the following command:
openssl req -x509 -new -key ca_key.pem \
-subj "<certificate parameters>" \
-addext "basicConstraints=critical,CA:TRUE" \
-addext "keyUsage=critical,keyCertSign" \
-days 3650 -out ca.pem
keytool -import -file ca.pem -alias ca -keystore ca.p12
Generate the private key uaws_key.pem by running the following command:
openssl genpkey -algorithm RSA -out uaws_key.pem -pkeyopt rsa_keygen_bits:4096
Create the user certificate uaws.pem and sign it with the generated key and root certificate by running the following command:
openssl req -x509 -new -key uaws_key.pem \
-subj "<certificate parameters>" \
-addext "subjectAltName=DNS:collector,DNS:collector.<Microsoft Active Directory domain>,DNS:mapapp,DNS:mapapp.<Microsoft Active Directory domain>,DNS:groupapp,DNS:groupapp.<Microsoft Active Directory domain>,DNS:uaws,DNS:uaws.<Microsoft Active Directory domain>" \
-addext "basicConstraints=critical,CA:FALSE" \
-CA ca.pem \
-CAkey ca_key.pem \
-out uaws.pem \
-days 365
openssl pkcs12 -export -in uaws.pem -out uaws.p12 -name collector -inkey uaws_key.pem
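Before distributing uaws.p12, the generated files can be checked with the following added example, which is not part of the original procedure. It confirms that uaws.pem chains to ca.pem, matches uaws_key.pem, is not a CA certificate, has not expired, and carries all eight DNS names from the subjectAltName step. The function name check_uaws_cert is an assumption made for this example.

```shell
#!/bin/sh
# Added example: sanity checks for the files produced by the steps above.
# Usage: check_uaws_cert <ca.pem> <uaws.pem> <uaws_key.pem> <AD domain>
# Returns 0 when every check passes, 1 otherwise.

check_uaws_cert() {
    ca=$1 cert=$2 key=$3 domain=$4
    rc=0

    # 1. The user certificate must chain to the root certificate.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca" >&2; rc=1
    fi

    # 2. The private key must belong to the certificate (same public key).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || rc=1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || rc=1
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert" >&2; rc=1
    fi

    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || rc=1

    # 3. The user certificate must not be usable as a CA.
    if ! printf '%s\n' "$text" | grep -q 'CA:FALSE'; then
        echo "FAIL: basicConstraints CA:FALSE missing" >&2; rc=1
    fi

    # 4. Each component needs its short name and its domain-qualified name.
    sans=$(printf '%s\n' "$text" | grep 'DNS:' | tr -d ' ' | tr ',' '\n')
    for host in collector mapapp groupapp uaws; do
        for name in "$host" "$host.$domain"; do
            if ! printf '%s\n' "$sans" | grep -qxF "DNS:$name"; then
                echo "FAIL: subjectAltName lacks DNS:$name" >&2; rc=1
            fi
        done
    done

    # 5. The certificate must not already be expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: $cert has expired" >&2; rc=1
    fi
    return $rc
}
```

Run it from the ssl directory as check_uaws_cert ca.pem uaws.pem uaws_key.pem followed by your Microsoft Active Directory domain.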