Manage certificates and keys

Contents

Overview
View certificates and private keys
Configure an X.509 certificate
Configure a private key
Global options
Manage certificates and keystores
Configure key pairs
Configure PGP key pairs

Overview

For API Gateway to trust X.509 certificates issued by a specific Certificate Authority (CA), you must import that CA's certificate into the API Gateway's trusted certificate store. For example, if API Gateway is to trust secure communications (SSL connections or XML Signature) from an external SAML Policy Decision Point (PDP), you must import the PDP's certificate, or the issuing CA's certificate into the API Gateway's certificate store.

In addition to importing CA certificates, you can also import and create server certificates and private keys in the certificate store. You can also import and create public-private key pairs. For example, these can be used with the Secure Shell (SSH) File Transfer Protocol (SFTP) or with Pretty Good Privacy (PGP).

View certificates and private keys

To view the lists of certificates and private keys stored in the certificate store, select Certificates and Keys > Certificates in the tree on the left of the Policy Studio. The certificates and keys are listed on the following tabs in the Certificates window on the right:

  • Certificates with Keys: Server certificates with associated private keys.

  • Certificates: Server certificates without any associated private keys.

  • CA: Certification Authority certificates with associated public keys.

You can search for a specific certificate or key by entering a search string in the text box at the top of each tab, which automatically filters the tree.

Configure an X.509 certificate

Create a certificate
Import certificates
Bind to a certificate at runtime

To create a certificate and private key, click the Create/Import button. The Configure Certificate and Private Key dialog is displayed. This section explains how to use the X.509 Certificate tab on this dialog.

Create a certificate

Configure the following settings to create a certificate:

  • Subject:

    Click the Edit button to configure the Distinguished Name (DName) of the subject.

  • Alias Name:

    This mandatory field enables you specify a friendly name (or alias) for the certificate. Alternatively, you can click Use Subject button to add the DName of the certificate in the text box instead of a certificate alias.

  • Public Key:

    Click the Import button to import the subject's public key (usually from a PEM or DER-encoded file).

  • Version:

    This read-only field displays the X.509 version of the certificate.

  • Issuer:

    This read-only field displays the distinguished name of the CA that issued the certificate.

  • Choose Issuer Certificate:

    Select this setting if you wish to explicitly specify an issuer certificate for this certificate (for example, to avoid a potential clash or expiry issue with another certificate using the same intermediary certificate). You can then click the button on the right to select an issuer certificate. This setting is not selected by default.

  • Validity Period:

    The dates specified here define the validity period of the certificate.

  • Sign Certificate:

    You must click this button to sign the certificate. The certificate can be self-signed, or signed by the private key belonging to a trusted CA whose key pair is stored in the certificate store.

Import certificates

You can use the following buttons to import or export certificates into the certificate store:

  • Import Certificate:

    Click this button to import a certificate (for example, from a .pem or .der file).

  • Export Certificate:

    Use this option to export the certificate (for example, to a .pem or .der file).

Bind to a certificate at runtime

Alternatively, when configuring an HTTPS interface, you can also specify a certificate to bind to at runtime. In the Configure HTTPS Interface dialog, click X.509 Certficate, and select Bind the Certificate at runtime. For example, you can enter ${env.serverCertificate}, and enter the certificate as an environment variable in the envSettings.props file.

For more details on specifying environment variables, see the Deployment and Promotion Guide.

Configure a private key

Use the Private Key tab to configure details of the private key. By default, private keys are stored locally in the certificate store. They can also be stored on a Hardware Security Module (HSM), if required.

Private Key Stored Locally:

Select the Private key stored locally radio button. The following configuration options are available for keys that are stored locally in the certificate store:

  • Private Key:

    This read-only field displays details of the private key.

  • Import Private Key:

    Click the Import Private Key button to import the subject's private key (usually from a PEM or DER-encoded file).

  • Export Private Key:

    Click this button to export the subject's private key to a PEM or DER-encoded file.

Private key stored on HSM:

If the private key that corresponds to the public key stored in the certificate resides on a HSM, select the Private key stored on HSM radio button. Configure the following fields to associate a key stored on a HSM with the current certificate:

  • Engine Name:

    Enter the name of the OpenSSL Engine to use to interface to the HSM. All vendor implementations of the OpenSSL Engine API are identified by a unique name. Please refer to your vendor's HSM or OpenSSL Engine implementation documentation to find out the name of the engine.

  • Key Id:

    The value entered is used to uniquely identify a specific private key from all others that may be stored on the HSM. On completion of the dialog, this private key is associated with the certificate that you are currently editing. Private keys are identified by their key Id by default.

  • Use Public Key:

    Select this option if the HSM allows identifying a specific private key based on its associated public key, instead of using the private key Id. This option is not selected by default.

  • Conversation:

    If the HSM requires the server to provide a specific response to a specific request from the HSM, you can enter the response in this field. This enables the server to conduct an automated dialog with a HSM when it requires access to a private key. For example, in a simple case, the server response might be a specific passphrase. For more details,

Global options

The following global configuration options apply to both the X.509 Certificate and Private Key tabs:

  • Import Certificate + Key:

    Use this option to import a certificate and a key (for example, from a .p12 file).

  • Export Certificate + Key:

    Use this option to export a certificate and a key (for example, to a .p12 file).

Click OK when you have finished configuring the certificate and/or private key.

Manage certificates and keystores

Export certificates to a keystore

On the main Certificates window, you can click the Edit button to edit an existing certificate. You can also click the View button to view the more detailed information on an existing certificate. Similarly, you can click the Remove button to remove a certificate from the certificate store.

Export certificates to a keystore

You can also export a certificate to a Java keystore. You can do this by clicking the Keystore button on the main Certificates window. Click the browse button at beside the Keystore field at the top right to open an existing keystore, or click New Keystore to create a new keystore. Choose the name and location of the keystore file, and enter a passphrase for this keystore when prompted. Click the Export to Keystore button and select a certificate to export.

Similarly, you can import certificates and keys from a Java keystore into the certificate store. To do this, click the Keystore button on the main Certificates window. On the Keystore window, browse to the location of the keystore by clicking the button beside the Keystore field. The certificates/keys in the keystore are listed in the table. To import any of these keys to the certificate store, select the box next to the certificate or key that you want to import, and click the Import to Trusted certificate store button. If the key is protected by a password, you are prompted for this password.

You can also use the Keystore window to view and remove existing entries in the keystore. You can also add keys to the keystore and to create a new keystore. Use the appropriate button to perform any of these tasks.

Configure key pairs

Add a key pair
Manage OpenSSH keys

To configure public-private key pairs in the certificate store, select Certificates and Keys > Key Pairs. The Key Pairs window enables you to add, edit, or delete OpenSSH public-private key pairs, which are required for the Secure Shell (SSH) File Transfer Protocol (SFTP).

Add a key pair

To add a public-private key pair, click the Add button on the right, and configure the following settings in the dialog:

  • Alias:

    Enter a unique name for the key pair.

  • Algorithm:

    Enter the algorithm used to generate the key pair. Defaults to RSA.

  • Load:

    Click the Load buttons to select the public key and/or private key files to use. The Fingerprint field is auto-populated when you load a public key.

[Note] Note

The keys must be OpenSSH keys. RSA keys are supported, but DSA keys are not supported. The keys must not be passphrase protected.

Manage OpenSSH keys

You can use the ssh-keygen command provided on UNIX to manage OpenSSH keys. For example:

  • The following command creates an OpenSSH key:

    ssh-keygen -t rsa

  • The following command converts an ssh.com key to an OpenSSH key:

    ssh-keygen -i -f ssh.com.key > open.ssh.key

  • The following command removes a passphrase (enter the old passphrase, and enter nothing for the new passphrase):

    ssh-keygen -p

  • The following command outputs the key fingerprint:

    ssh-keygen -lf ssh_host_rsa_key.pub

Edit a key pair

To edit a public-private key pair, select a key pair alias in the table, and click the Edit button on the right. For example, you can load a different public key and/or private key. Alternatively, double-click a key pair alias in the table to edit it.

Delete key pairs

You can delete a selected key pair from the certificate store by clicking the Remove button on the right. Alternatively, click the Remove All button.

Configure PGP key pairs

Add a PGP key pair
Manage PGP keys

To configure Pretty Good Privacy (PGP) key pairs in the certificate store, select Certificates and Keys > PGP Key Pairs. The PGP Key Pairs window enables you to add, edit, or delete PGP public-private key pairs.

Add a PGP key pair

To add a PGP public-private key pair, click the Add button on the right, and configure the following settings in the dialog:

  • Alias:

    Enter a unique name for the PGP key pair.

  • Load:

    Click the Load buttons to select the public key and/or private key files to use.

[Note] Note

The PGP keys added must not be passphrase protected.

Manage PGP keys

You can use the freely available GNU Privacy Guard (GnuPG) tool to manage PGP key files (available from http://www.gnupg.org/). For example:

  • The following command creates a PGP key:

    gpg --gen-key

    For more details, see http://www.seas.upenn.edu/cets/answers/pgp_keys.html

  • The following command enables you to view the PGP key:

    gpg -a --export

  • The following command exports a public key to a file:

    gpg --export -u 'UserName' -a -o public.key

  • The following command exports a private key to a file:

    gpg --export-secret-keys -u 'UserName' -a -o private.key

  • The following command lists the private keys:

    gpg --list-secret-keys

Edit a PGP key pair

To edit a PGP key pair, select a key pair alias in the table, and click the Edit button on the right. For example, you can load a different public key and/or private key. Alternatively, double-click a key pair alias in the table to edit it.

Delete PGP key pairs

You can delete a selected PGP key pair from the certificate store by clicking the Remove button on the right. Alternatively, click the Remove All button.

Prev  Up  Next
  Home