Certificate Store

Overview

For the Enterprise Gateway to trust X.509 certificates issued by a specific Certificate Authority (CA), you must import that CA's certificate into the Enterprise Gateway's Trusted Certificate Store. For example, if the Enterprise Gateway is to trust secure communications (SSL connections or XML Signature) from an external SAML Policy Decision Point (PDP), you must import the PDP's certificate or the issuing CA's certificate into the Enterprise Gateway.

Configuring a Certificate and Private Key

To view the list of certificates stored in the Certificate Store, click the Certificates tab on the left of the Policy Studio. The certificates are listed in a table in the main panel of the Policy Studio.

To create a certificate and private key, click the Create/Import button on the Certificates screen in the Policy Studio. The Configure Certificate and Private Key dialog is displayed. The next sections explain how to use this dialog.

X.509 Certificate

The following configuration options are available on the X.509 Certificate tab:

  • Subject:
    Click the Edit button to configure the Distinguished Name (DName) of the subject.
  • Public Key:
    Click the Import button to import the subject's public key (usually from a PEM or DER-encoded file).
  • Version:
    This read-only field displays the X.509 version of the certificate.
  • Issuer:
    This read-only field displays the distinguished name of the CA that issued the certificate.
  • Validity Period:
    The dates specified here define the validity period of the certificate.
  • Alias Name:
    This mandatory field enables you to specify a friendly name (or alias) for the certificate.
  • Use Distinguished Name:
    Select this option to view the DName of the certificate in the text box instead of the certificate alias.
  • Import Certificate:
    Click this button to import a certificate from a file.
  • Export Certificate:
    Use this option to export the certificate to a file.
  • Sign Certificate:
    Click this button to sign the certificate. The certificate can either be self-signed, or it can be signed by the private key belonging to a trusted CA whose key pair has been stored in the Certificate Store.
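The trust-store rule from the Overview and the two "Sign Certificate" choices above can be reproduced on the command line. The following script is an added example, not part of the product documentation or the Policy Studio itself: it uses the openssl CLI to build a root CA, a subject key pair, a CA-signed certificate and a self-signed one, and then shows which of them verifies against which trust file. The names (Example Root CA, gateway.example.test, the file names and function names) are invented for the example; the resulting PEM and DER files are the kind of input the Import buttons accept.

```shell
#!/bin/sh
# Added example (not from the product documentation): prepare the PEM/DER
# files the Policy Studio dialog imports, using the openssl CLI.
# "Example Root CA", "gateway.example.test" and all file names are made up.
set -e

# Minimal openssl config: a CA extension section for the self-signed root,
# independent of whatever openssl.cnf the host ships.
write_cnf() {
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# Root CA key pair plus self-signed CA certificate. Importing ca.crt into the
# Trusted Certificate Store is what makes the Gateway trust what the CA issues.
make_ca() {
    dir=$1
    write_cnf "$dir"
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Example Root CA" -config "$dir/ca.cnf" -extensions ca_ext \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# Subject key pair and CSR (the public/private key the dialog's Import
# buttons read, here as PEM).
make_subject() {
    dir=$1; name=$2; host=$3
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$host" -config "$dir/ca.cnf" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
}

# "Sign Certificate" with the trusted CA's private key: end-entity extensions.
ca_sign() {
    dir=$1; name=$2; host=$3
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$host" > "$dir/$name.ext"
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -sha256 -extfile "$dir/$name.ext" \
        -out "$dir/$name.crt" 2>/dev/null
}

# "Sign Certificate" as self-signed: the subject signs its own CSR.
self_sign() {
    dir=$1; name=$2
    openssl x509 -req -in "$dir/$name.csr" -signkey "$dir/$name.key" \
        -days 1 -sha256 -out "$dir/$name-selfsigned.crt" 2>/dev/null
}

# The check the trust store performs: does CERT chain to something in TRUST?
# Returns openssl's exit status (0 = trusted).
is_trusted() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# PEM <-> DER conversion: both encodings are accepted by the Import buttons.
pem_to_der() {
    dir=$1; name=$2
    openssl x509 -in "$dir/$name.crt" -outform DER -out "$dir/$name.der"
    openssl pkey -in "$dir/$name.key" -outform DER -out "$dir/$name.key.der"
}

der_subject() {
    openssl x509 -in "$1" -inform DER -noout -subject
}

demo() {
    w=$(mktemp -d)
    make_ca "$w"
    make_subject "$w" gw gateway.example.test
    ca_sign "$w" gw gateway.example.test
    self_sign "$w" gw
    is_trusted "$w/ca.crt" "$w/gw.crt" && echo "CA-signed cert: trusted via ca.crt"
    is_trusted "$w/ca.crt" "$w/gw-selfsigned.crt" || echo "self-signed cert: NOT trusted via ca.crt"
    is_trusted "$w/gw-selfsigned.crt" "$w/gw-selfsigned.crt" && echo "self-signed cert: trusted only when imported itself"
    pem_to_der "$w" gw
    der_subject "$w/gw.der"
    rm -rf "$w"
}
demo
```

The three verify calls are the point: a certificate signed by the CA is accepted as soon as the CA certificate is in the trust file, whereas a self-signed certificate is only accepted when that certificate itself is imported. That is the choice the Overview describes between importing the PDP's own certificate and importing the issuing CA's certificate.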

Private Key

Use the Private Key tab to configure details of the private key. By default, private keys are stored locally in the Certificate Store. They can also be stored on a Hardware Security Module (HSM), if required.

Private Key Stored Locally:
Select the Private key stored locally radio button. The following configuration options are available for keys that are stored locally in the Certificate Store:

  • Private Key:
    This read-only field displays details of the private key.
  • Import Private Key:
    Click the Import Private Key button to import the subject's private key (usually from a PEM or DER-encoded file).
  • Export Private Key:
    Click this button to export the subject's private key to a PEM or DER-encoded file.

Private key stored on HSM:
If the private key that corresponds to the public key stored in the certificate resides on an HSM, select the Private key stored on HSM radio button. Configure the following fields to associate a key stored on an HSM with the current certificate:

  • Engine Name:
    Enter the name of the OpenSSL engine used to interface with the HSM. Each vendor implementation of the OpenSSL Engine API is identified by a unique name. Refer to your vendor's HSM or OpenSSL engine documentation to find out the name of the engine.
  • Key ID:
    The value entered is used to uniquely identify a specific private key from all others that may be stored on the HSM. On completion of the dialog, this private key will be associated with the certificate that you are currently editing.

Global Options

The following global configuration options apply to both the X.509 Certificate and Private Key tabs:

  • Import Certificate + Key:
    Use this option to import a certificate and a key from a file.
  • Export Certificate + Key:
    Use this option to export a certificate and a key to a file.

Click OK when you have finished configuring the certificate and/or private key.

Managing Certificates

On the main Certificates screen, you can edit an existing certificate using the Edit button. You can also view the details of an existing certificate using the View button. Similarly, you can remove a certificate from the Certificate Store using the Remove button.

You can also export a certificate to a Java keystore. You can do this by selecting the certificate in the table, and then clicking the Export to Keystore button. Choose the name and location of the new keystore file, and enter a passphrase for this keystore when prompted.

Similarly, you can import certificates and keys from a Java keystore into the Certificate Store. To do this, click the Keystore button on the main Certificates screen. On the Keystore screen, browse to the location of the keystore by clicking the button beside the Keystore field.

The certificates and keys in the keystore are listed in the table. To import any of these entries into the Certificate Store, select the box next to the certificate or key that you want to import, and then click the Import to Trusted Certificate Store button. If the key is protected by a password, you are prompted for this password.

You can also use the Keystore screen to view and remove existing entries in the keystore, to add keys to the keystore, and to create a new keystore. Use the appropriate button to perform any of these tasks.
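The keystore round trip described in this section (export a certificate and key under an alias and a passphrase, list the entries, import them back, and be prompted for the password) can be reproduced with the openssl CLI. The following script is an added example, not part of the product documentation or the Policy Studio: it uses a PKCS#12 file as the keystore, which keytool reads directly since Java 9 made PKCS12 its default keystore type, and optionally converts it to a JKS file when keytool is installed. The alias "gw", the host name, the file names, the function names and the passphrases are invented for the example.

```shell
#!/bin/sh
# Added example (not from the product documentation): package a PEM
# certificate and private key into a passphrase-protected PKCS#12 keystore,
# list and extract its entries, and optionally migrate it to JKS with keytool.
# The alias "gw", file names, host name and passphrases are made up.
set -e

# A throwaway self-signed certificate and key to package (constructed input).
make_pair() {
    dir=$1
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$dir/min.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=gateway.example.test" -config "$dir/min.cnf" \
        -keyout "$dir/gw.key" -out "$dir/gw.crt" 2>/dev/null
}

# "Export to Keystore": bundle certificate + key under an alias, sealed with
# a passphrase (both the entry encryption and the keystore MAC derive from it).
export_keystore() {
    dir=$1; alias=$2; pass=$3
    openssl pkcs12 -export -in "$dir/gw.crt" -inkey "$dir/gw.key" \
        -name "$alias" -out "$dir/gw.p12" -passout "pass:$pass"
}

# Does the passphrase open the keystore? A wrong one fails the MAC check
# before any entry is read, so the exit status is non-zero.
keystore_opens() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -noout >/dev/null 2>&1
}

# The Keystore screen's table: the aliases (friendlyName) of the entries.
list_aliases() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | sed -n 's/^ *friendlyName: *//p'
}

# "Import to Trusted Certificate Store": pull the certificate and the
# (unencrypted) private key back out as PEM files.
extract_entry() {
    dir=$1; pass=$2
    openssl pkcs12 -in "$dir/gw.p12" -passin "pass:$pass" -nokeys -clcerts \
        -out "$dir/from-ks.crt" 2>/dev/null
    openssl pkcs12 -in "$dir/gw.p12" -passin "pass:$pass" -nocerts -nodes \
        -out "$dir/from-ks.key" 2>/dev/null
}

fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Sanity check after an import: the key's public half must equal the
# public key inside the certificate.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Optional: Java 9+ tooling reads the PKCS#12 file as-is; convert to JKS only
# for tooling that insists on that format.
to_jks() {
    dir=$1; pass=$2
    if ! command -v keytool >/dev/null 2>&1; then
        echo "keytool not found; skipping JKS conversion"; return 0
    fi
    keytool -importkeystore -srckeystore "$dir/gw.p12" -srcstoretype PKCS12 \
        -srcstorepass "$pass" -destkeystore "$dir/gw.jks" -deststoretype JKS \
        -deststorepass "$pass" -noprompt
}

demo() {
    w=$(mktemp -d); pw=changeit-demo
    make_pair "$w"
    export_keystore "$w" gw "$pw"
    keystore_opens "$w/gw.p12" "$pw" && echo "keystore opens with the right passphrase"
    keystore_opens "$w/gw.p12" wrong-pass || echo "wrong passphrase rejected"
    echo "aliases: $(list_aliases "$w/gw.p12" "$pw")"
    extract_entry "$w" "$pw"
    [ "$(fingerprint "$w/from-ks.crt")" = "$(fingerprint "$w/gw.crt")" ] && echo "certificate round-trips"
    key_matches_cert "$w/from-ks.key" "$w/from-ks.crt" && echo "key matches certificate"
    to_jks "$w" "$pw"
    rm -rf "$w"
}
demo
```

The wrong-passphrase check is the command-line equivalent of the password prompt mentioned above: a keystore whose passphrase is unknown yields nothing, not even the list of aliases, so the passphrase chosen on export is what protects the private key once the file leaves the Certificate Store. The key-matches-certificate check is worth running on any imported entry, because a keystore can legitimately hold a certificate without its key.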