Overview
|
For the Enterprise Gateway to trust X.509 certificates issued by a specific Certificate
Authority (CA), you must import that CA's certificate into the Enterprise Gateway's trusted
Certificate Store. For example, if the Enterprise Gateway is to trust secure communications
(SSL connections or XML Signature) from an external SAML Policy Decision Point (PDP),
you must import the PDP's certificate, or the issuing CA's certificate into the
Enterprise Gateway's Certificate Store.
In addition to importing CA certificates, you can also import and create server
certificates and private keys in the Certificate Store. You can also import and
create public-private key pairs. For example, these are required for use with the
Secure Shell (SSH) File Transfer Protocol (SFTP).
|
Viewing Certificates and Private Keys
|
To view the lists of certificates and private keys stored in the Certificate Store,
select Certificates and Keys -> Certificates in
the tree on the left of the Policy Studio. The certificates and keys are listed on
the following tabs in the Certificates screen on the right:
-
Certificates with Keys: Server certificates with
associated private keys.
-
Certificates: Server certificates without any
associated private keys.
-
CA: Certification Authority certificates with
associated public keys.
You can search for a specific certificate or key by entering a search string in
the text box at the top of each tab, which automatically filters the tree.
|
Configuring an X.509 Certificate
|
To create a certificate and private key, click the Create/Import
button. The Configure Certificate and Private Key dialog is
displayed. This section explains how to use the X.509 Certificate
tab on this dialog.
Creating a Certificate
Configure the following settings to create a certificate:
-
Subject:
Click the Edit button to configure the
Distinguished Name (DName) of the subject.
-
Alias Name:
This mandatory field enables you specify a friendly name (or alias) for
the certificate. Alternatively, you can click Use Subject
button to add the DName of the certificate in the text box instead of a
certificate alias.
-
Public Key:
Click the Import button to import the subject's
public key (usually from a PEM or DER-encoded file).
-
Version:
This read-only field displays the X.509 version of the certificate.
-
Issuer:
This read-only field displays the distinguished name of the CA that
issued the certificate.
-
Choose Issuer Certificate:
Select this setting if you wish to explicitly specify an issuer certificate
for this certificate (for example, to avoid a potential clash or expiry issue
with another certificate using the same intermediary certificate). You can then
click the button on the right to select an issuer certificate. This setting is
not selected by default.
-
Validity Period:
The dates specified here define the validity period of the
certificate.
-
Sign Certificate:
You must click this button to sign the certificate. The certificate can
be self-signed, or signed by the private key belonging to a trusted CA
whose key pair is stored in the Certificate Store.
Importing Certificates
You can use the following buttons to import or export certificates into the
Certificate Store:
-
Import Certificate:
Click this button to import a certificate (for example, from a
.pem or .der file).
-
Export Certificate:
Use this option to export the certificate (for example, to a
.pem or .der file).
|
Configuring a Private Key
|
Use the Private Key tab to configure details of the
private key. By default, private keys are stored locally in the
Certificate Store. They can also be stored on a Hardware Security
Module (HSM), if required.
Private Key Stored Locally:
Select the Private key stored locally radio button.
The following configuration options are available for keys that are
stored locally in the Certificate Store:
-
Private Key:
This read-only field displays details of the private key.
-
Import Private Key:
Click the Import Private Key button to import
the subject's private key (usually from a PEM or DER-encoded
file).
-
Export Private Key:
Click this button to export the subject's private key to a PEM
or DER-encoded file.
Private key stored on HSM:
If the private key that corresponds to the public key stored in the
certificate resides on a HSM, select the Private key stored
on HSM radio button. Configure the following fields to
associate a key stored on a HSM with the current certificate:
-
Engine Name:
Enter the name of the OpenSSL Engine to use to interface to the HSM.
All vendor implementations of the OpenSSL Engine API are identified
by a unique name. Please refer to your vendor's HSM or OpenSSL
Engine implementation documentation to find out the name of the
engine.
-
Key Id:
The value entered is used to uniquely identify a specific private
key from all others that may be stored on the HSM. On completion of
the dialog, this private key is associated with the certificate that
you are currently editing. Private keys are identified by their key
Id by default.
-
Use Public Key:
Select this option if the HSM allows identifying a specific private key
based on its associated public key, instead of using the private key Id.
This option is not selected by default.
-
Conversation:
If the HSM requires the server to provide a specific response to a specific
request from the HSM, you can enter the response in this field. This enables
the server to conduct an automated dialog with a HSM when it requires access
to a private key. For example, in a simple case, the server response might
be a specific passphrase. For more details, see the topic on
Cryptographic
Acceleration Conversation: Request-Response.
|
Global Options
|
The following global configuration options apply to both the
X.509 Certificate and Private Key tabs:
-
Import Certificate + Key:
Use this option to import a certificate and a key (for example,
from a .p12 file).
-
Export Certificate + Key:
Use this option to export a certificate and a key (for example,
to a .p12 file).
Click OK when you have finished configuring the certificate
and/or private key.
|
Managing Certificates and Keys
|
On the main Certificates screen, you can click the
Edit button to edit an existing certificate. You can also
click the View button to view the more detailed information
on an existing certificate. Similarly, you can click the Remove
button to remove a certificate from the Certificate Store.
Java Keystore
You can also export a certificate to a Java keystore. You can do this by clicking
the Keystore button on the main Certificates
screen. Click the browse button at beside the Keystore field at
the top right to open an existing keystore, or click New Keystore
to create a new keystore. Choose the name and location of the keystore file, and
enter a passphrase for this keystore when prompted. Click the Export to
Keystore button and select a certificate to export.
Similarly, you can import certificates and keys from a Java keystore into the
Certificate Store. To do this, click the Keystore button on
the main Certificates screen. On the Keystore
screen, browse to the location of the keystore by clicking the button beside the
Keystore field. The certificates/keys in the keystore are listed
in the table. To import any of these keys to the Certificate Store, select the
box next to the certificate or key that you want to import, and click the
Import to Trusted Certificate Store button. If the key is
protected by a password, you are prompted for this password.
You can also use the Keystore screen to view and remove
existing entries in the keystore. You can also add keys to the keystore
and to create a new keystore. Use the appropriate button to perform any
of these tasks.
|
Configuring Key Pairs
|
To configure the public-private key pairs stored in the Certificate Store, select
Certificates and Keys -> Key Pairs. The Key
Pairs screen enables you to add, edit, or delete public-private key pairs (for
example, those required for SFTP).
Adding a Key Pair
To add a public-private key pair, click the Add button on the right,
and configure the following settings in the dialog:
-
Alias:
Enter a unique name for the key pair.
-
Algorithm:
Enter the algorithm used to generate the key pair. Defaults to RSA .
-
Load:
You can click the Load buttons to manually select the public
key and/or private key files to use. The Fingerprint field
is auto-populated when you load a public key.
Note:
The public and private keys must be OpenSSH keys. RSA keys are supported, and DSA
keys are not supported. The keys must not be passphrase protected.
Managing OpenSSH Keys
You can use the ssh-keygen command provided on UNIX to manage OpenSSH
keys. For example:
- The following command creates an OpenSSH key:
ssh-keygen -t rsa
- The following command converts an
ssh.com key to an OpenSSH key:
ssh-keygen -i -f ssh.com.key > open.ssh.key
- The following command removes a passphrase (enter the old passphrase
and enter nothing for the new passphrase):
ssh-keygen -p
- The following command outputs the key fingerprint:
ssh-keygen -lf ssh_host_rsa_key.pub
Editing a Key Pair
To edit a public-private key pair, select a key pair alias in the table, and click the
Edit button on the right. For example, you can load a different public
key and/or private key. Alternatively, double-click a key pair alias in the table to
edit it.
Deleting Key Pairs
You can delete key pairs from the Certificate Store by clicking the Remove
or Remote All button on the right.
|
|