Certificate Store

Overview

For the Enterprise Gateway to trust X.509 certificates issued by a particular CA (Certificate Authority), that CA's certificate must be imported into the Enterprise Gateway's Trusted Certificate Store. For example, if the Enterprise Gateway is to trust secure communications (e.g. SSL connections or XML Signatures) from an external SAML PDP (Policy Decision Point), either the PDP's own certificate or the issuing CA's certificate must be imported into the Enterprise Gateway. The two choices differ in scope: importing only the PDP's certificate trusts that single certificate, whereas importing the CA's certificate trusts every certificate that CA has issued or will issue.

Configuration

To view the list of certificates stored in the Certificate Store, click on the Certificates item in the tree view on the left-hand side of the Policy Studio. The certificates are listed in a table in the main panel of the Policy Studio.

To create a certificate and private key, click the Create button on the Certificates screen of the Policy Studio. The Configure Certificate and Private Key dialog is displayed.

X.509 Certificate Tab:

The following configuration options are available on this tab:

  • Subject:
    Click the Edit button to configure the distinguished name of the subject.
  • Public Key:
    Click the Import button to import the subject's public key (usually from a PEM- or DER-encoded file).
  • Version:
    This read-only field displays the X.509 version of the certificate.
  • Issuer:
    This read-only field displays the distinguished name of the CA that issued the certificate.
  • Validity Period:
    The dates specified here define the validity period of the certificate.
  • Alias Name:
    This mandatory field allows the user to specify a friendly name (or alias) for the certificate.
  • Use Distinguished Name:
    Check this option to view the DName of the certificate in the text box instead of the certificate alias.
  • Import Certificate:
    Click this button to import a certificate from a file.
  • Export Certificate:
    Use this option to export the certificate to a file.
  • Sign Certificate:
    Click this button to sign the certificate. The certificate can either be self-signed, or it can be signed by the private key belonging to a trusted CA whose key pair has been stored in the Certificate Store.

Private Key Tab:

Use the Private Key tab to configure details of the private key. By default, private keys are stored locally in the Certificate Store. They can also be stored on an HSM (Hardware Security Module), if required.

Private Key Stored Locally:
Select the Private key stored locally radio button. The following configuration options are available for keys that are stored locally in the Certificate Store:

  • Private Key:
    This read-only field displays details of the private key.
  • Import Private Key:
    Click the Import Private Key button to import the subject's private key (usually from a PEM- or DER-encoded file).
  • Export Private Key:
    Click this button to export the subject's private key to a PEM- or DER-encoded file. The exported file contains the raw key material, so protect it at least as carefully as the Certificate Store itself and delete it once it has been imported where it is needed.

Private key stored on HSM:
If the private key that corresponds to the public key stored in the certificate resides on an HSM, select the Private key stored on HSM radio button. Configure the following fields to associate a key stored on an HSM with the current certificate:

Global Options:

The following global configuration options apply to both the X.509 Certificate and Private Key tabs:

  • Import Certificate + Key:
    Use this option to import a certificate and its private key from a single file.
  • Export Certificate + Key:
    Use this option to export a certificate and its private key to a single file.

Click the OK button when you have finished configuring the certificate and/or private key.

Managing certificates
On the main Certificates screen, you can edit an existing certificate using the Edit button. You can also view the details of an existing certificate using the View button. Similarly, you can remove a certificate from the Certificate Store using the Remove button.

You can also export a certificate to a Java keystore. You can do this by selecting the certificate in the table, and then clicking the Export to Keystore button. Choose the name and location of the new keystore file, and enter a passphrase for this keystore when prompted.

Similarly, you can import certificates and keys from a Java keystore into the Certificate Store. To do this, click the Keystore button on the main Certificates screen. On the Keystore screen, browse to the location of the keystore by clicking the button beside the Keystore field.

The certificates/keys in the keystore are listed in the table. To import any of these keys to the Certificate Store, simply check the box next to the certificate or key that you want to import, and then click the Import to Trusted Certificate Store button. If the key is protected by a password, you are prompted for this password.

You can also use the Keystore screen to view and remove existing entries in the keystore, to add keys to the keystore, and to create a new keystore. Use the appropriate button to perform any of these tasks.
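The following is an added example, not part of the product documentation, showing the file-level side of the Export to Keystore and Import Certificate + Key operations above: a certificate and its private key are bundled into a passphrase-protected PKCS#12 file, the entries are listed by alias, and the bundle is shown to refuse a wrong passphrase. PKCS#12 is the keystore type that Java's KeyStore API and keytool call "PKCS12"; this page does not state which keystore types Policy Studio reads, so treat that as an assumption. The subject demo.example and the alias demo-alias are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the product documentation): export a certificate and
# its private key into a passphrase-protected PKCS#12 bundle and read it back.
# PKCS#12 is the keystore type Java's KeyStore API and keytool call "PKCS12";
# whether Policy Studio's keystore import accepts it is an assumption here.
# The subject demo.example and the alias demo-alias are invented for the demo.
set -e

WORK="$(mktemp -d)"

# Throwaway self-signed certificate and key, so there is something to export.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.example" \
        -keyout "$WORK/demo.key" -out "$WORK/demo.crt" 2>/dev/null
}

# Bundle certificate + key under a passphrase ($1). The alias becomes the
# entry's friendlyName, which is what a keystore viewer lists. In real use the
# passphrase comes from a prompt or a secret store, not a literal in a script.
export_p12() {
    openssl pkcs12 -export -in "$WORK/demo.crt" -inkey "$WORK/demo.key" \
        -name demo-alias -out "$WORK/demo.p12" -passout "pass:$1"
}

# Try to open the bundle with candidate passphrase $1: returns 0 if it opens,
# non-zero if the integrity check (MAC) rejects the passphrase.
open_p12() {
    openssl pkcs12 -in "$WORK/demo.p12" -nokeys -passin "pass:$1" \
        -out /dev/null 2>/dev/null
}

# Print the alias of each certificate entry, as the Keystore screen's table would.
list_aliases() {
    openssl pkcs12 -in "$WORK/demo.p12" -nokeys -passin "pass:$1" 2>/dev/null \
        | sed -n 's/^ *friendlyName: *//p'
}

make_self_signed
export_p12 'correct horse battery staple'
list_aliases 'correct horse battery staple'
if open_p12 'wrong passphrase'; then
    echo "bundle opened with the wrong passphrase (unexpected)"
else
    echo "bundle refused the wrong passphrase"
fi
```

The passphrase protects both the confidentiality of the key and the integrity of the bundle, so a mistyped passphrase on import fails outright rather than importing a partial keystore. One interoperability caveat: OpenSSL 3 encrypts PKCS#12 bundles with AES and PBKDF2 by default, which some older Java runtimes cannot read; if keytool or an older importer rejects the file, re-export it with OpenSSL 3's -legacy option.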