Views: 323 | Answers: 1

In order to set up SSO and function as a Service Provider with my Identity Provider, I need to specify which certificate I want to use for signing and encrypting in the exchanged metadata XML file. But how do I create the encrypted and encoded representation (like below) of my certificate so it can be put into the XML? What process do I need to go through here?

   <q1:KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
         <X509Data>
            <X509Certificate>MIICZDCCAdGg.....IQ0jOz8mmZToZD7ab9==</X509Certificate>
         </X509Data>
      </KeyInfo>
   </q1:KeyDescriptor>
   <q1:KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
         <X509Data>
            <X509Certificate>MIICZDCCAdGg......IQ0jOz8mmZToZD7ab==</X509Certificate>
         </X509Data>
      </KeyInfo>
   </q1:KeyDescriptor>
+1  A: 

The body of <X509Certificate> is the DER-encoded data of the X.509 certificate. Since the datatype is base64Binary, it needs to be Base64-encoded.

-----BEGIN CERTIFICATE-----
MIIDijCCAnICCQDXfWAafSjGzDANBgkqhkiG9w0BAQQFADCBhjELMAkGA1UEBhMC
...
meTdn90sElH+yhWNRi6XtXirsTjDXQhudWWJ8r5NPkTBE7lDtg+6SBfDCrWFsw==
-----END CERTIFICATE-----

It's the same content as in a PEM file, between the header and footer. If you get the certificate from a CA, it's normally in PEM format already. If not, you can use OpenSSL or Java keytool to convert it.

ZZ Coder
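The conversion the answer describes, as an added example that is not part of the original post: a small standard-library Python script that takes a PEM file, strips the armour and line breaks, checks that what is left really is a Base64-encoded DER certificate (and not, say, a private key pasted by mistake), and renders the <KeyDescriptor> elements. The SAMPLE_PEM input is a constructed stand-in (a tiny DER SEQUENCE, not a real certificate) so the script runs offline; the `md` namespace prefix is assumed to be declared by the enclosing EntityDescriptor, where the original post shows `q1`.

```python
"""Produce the <X509Certificate> body for SAML metadata from a PEM certificate.

Added example, not from the original post. Only the standard library is used;
the OpenSSL / keytool commands the answer mentions do the same job.
"""
import base64
import re

# Matches one PEM block and captures its label ("CERTIFICATE", "PRIVATE KEY", ...)
# and the Base64 body between the armour lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)

# Constructed stand-in input: NOT a real certificate, just a tiny DER
# SEQUENCE { INTEGER 1, INTEGER 2 } in PEM armour, with CRLF line endings
# and a wrapped body, so the example runs offline. Use your own cert.pem.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\r\n"
    "MAYCAQEC\r\n"
    "AQI=\r\n"
    "-----END CERTIFICATE-----\r\n"
)


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in pem_text.

    Rejects input that is not a certificate (a private key pasted by mistake
    is the classic error) and Base64 that does not decode to a DER SEQUENCE,
    which every X.509 certificate starts with (tag 0x30).
    """
    blocks = list(PEM_BLOCK.finditer(pem_text))
    if not blocks:
        raise ValueError("no PEM block found")
    certs = [m for m in blocks if m.group("label") == "CERTIFICATE"]
    if not certs:
        raise ValueError(f"PEM holds a {blocks[0].group('label')}, not a CERTIFICATE")
    # In a chain file the end-entity certificate comes first; strip every kind
    # of whitespace so CRLF files and re-wrapped bodies both work.
    body = re.sub(r"\s+", "", certs[0].group("body"))
    der = base64.b64decode(body, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not a DER SEQUENCE")
    return der


def metadata_b64(der: bytes) -> str:
    """The value inside <X509Certificate>: Base64 of the DER, one line, no armour."""
    return base64.b64encode(der).decode("ascii")


def key_descriptor(pem_text: str, use: str) -> str:
    """Render a <KeyDescriptor use="signing|encryption"> element for SP metadata.

    Assumes the enclosing EntityDescriptor declares the usual 'md' prefix for
    urn:oasis:names:tc:SAML:2.0:metadata (the original post shows 'q1').
    """
    if use not in ("signing", "encryption"):
        raise ValueError("use must be 'signing' or 'encryption'")
    b64 = metadata_b64(pem_to_der(pem_text))
    return (
        f'<md:KeyDescriptor use="{use}">'
        '<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">'
        f"<X509Data><X509Certificate>{b64}</X509Certificate></X509Data>"
        "</KeyInfo></md:KeyDescriptor>"
    )


def der_to_pem(der: bytes) -> str:
    """Reverse direction: re-armour DER as PEM (64-column Base64 lines)."""
    b64 = metadata_b64(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for use in ("signing", "encryption"):
        print(key_descriptor(SAMPLE_PEM, use))
```

With a real certificate the same thing at the command line is `openssl x509 -in cert.pem -outform DER | openssl base64 -A` (from PEM) or, for a Java keystore, `keytool -exportcert -rfc -alias <alias> -keystore <keystore>`, which prints PEM whose body you paste in. Quick eyeball check: a real certificate's DER begins with the bytes 0x30 0x82, so the Base64 body of any realistic certificate starts with "MII", exactly as in the question's snippet; a body starting with anything else, or a file whose armour says PRIVATE KEY, is the wrong thing to publish in metadata.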