Understanding Digital Certificates

This section provides an overview of:

  • Digital certificates.

  • Digital certificate authorities.

  • Digital certificate installation elements.

A digital certificate is a form of electronic ID card that supports public key encryption technology. Each messaging participant generates a matched pair of encryption keys—a private key, which is never revealed or transmitted, and a public key, which is freely available to other participants. These keys are stored in a local file or repository called a keystore, and the public key is stored as part of a digital certificate. The certificate can be attached to a service operation to verify the sender's identity and to provide the recipient with the means to encode a response.

The following table lists the security technologies that require digital certificates and the digital certificate installation location for each of them. The table also lists the section in this topic that discusses installing digital certificates for each of the technologies:

| Security Technology | Digital Certificate Installation Location | Section Describing How to Install Digital Certificates | Comments |
| --- | --- | --- | --- |
| SSL/TLS encryption | Web server | Setting Up Web Server SSL/TLS Encryption | Secures web server-to-web server connections. |
| WS-Security | Integration gateway | Installing Integration Gateway-Based Digital Certificates | Secures web server-to-web server connections. |
| Client authentication | Integration gateway | Installing Integration Gateway-Based Digital Certificates | Secures application server-to-integration connections. |
| Nonrepudiation | Application server | Installing Application Server-Based Digital Certificates | Authenticates sender and receiver. |
| Certificate-based node authentication | Application server | Installing Application Server-Based Digital Certificates | Authenticates sender. |

A certificate authority (CA) is a trusted third-party organization or company that issues digital certificates used to create digital signatures and encryption keys. The role of the CA in this process is to guarantee the identity of the party granted the certificate. Usually, this means that the CA has an arrangement with a financial institution that provides information to validate the grantee's identity.

To install digital certificates for secure messaging, you must select a CA from whom to obtain the certificates. There are many CAs to choose from, and most of them do business on the World Wide Web. Some of the best known are:

  • Verisign, Inc.

  • Entrust Technologies.

  • Baltimore Technologies.

  • Thawte.

There are also numerous lesser known CAs, which might be appropriate if they are well known in a particular geographical region or industry. One of the systems participating in a secure integration might even serve as CA for the other participants. Each CA provides a unique set of security services and has its own way of handling digital certificates.

Before you implement secure messaging with PeopleSoft Integration Broker, investigate the available CAs, select one or more from whom you will obtain digital certificates, and familiarize yourself with their policies and procedures.

Whether you implement digital signature authentication, nonrepudiation, or SSL encryption, you need to use digital certificates. Although these security features require you to use a variety of programs and procedures, some characteristics of digital certificates—including the process of obtaining, installing, and configuring them—are common to all three features.

Depending on the security feature, you might install digital certificates in the keystore of an application server, a web server, or an integration gateway. An implementation of digital certificates on each of these entities involves the following elements:

  • The entity's private and public encryption keys.

  • A distinguished name (DN) for the entity.

  • A certificate signing request (CSR).

  • A certificate containing the entity's public encryption key, signed by a trusted CA.

  • A root certificate from the trusted CA.

The following sections discuss these elements in more detail.

Public and Private Encryption Keys

For a given keystore, you generate private and public encryption keys simultaneously as a matching pair with software provided by the entity.

DN for the Entity

A DN is a property commonly used in security environments to uniquely identify a person, system, or network node. The DN is usually stored as a string of name-value attribute pairs separated by commas and spaces. You must provide the DN attribute values to generate a private key. These attributes include:

| Field or Control | Definition |
| --- | --- |
| Common name (CN) | The name of the entity, expressed as a machine name, domain name, node name, or a name that you create, depending on the environment; for example, QE_LOCAL. |
| Organization unit (OU) | The part of the organization to which the entity belongs; for example, Accounts Receivable. |
| Organization (O) | The name of the organization or company; for example, PeopleSoft. |
| Locality (L) | The city or equivalent locality of the organization; for example, Pleasanton. |
| State (ST) | The state, province, or equivalent region of the locality; for example, California. |
| Country (C) | The country of the locality; for example, US. |

CSR

A certificate signing request, or CSR, is a document that contains the entity's public key. The CSR is typically generated in Privacy Enhanced Mail (PEM) format, which is base64-encoded binary data. PEM is a standard text-based format for storing and transmitting digital certificates. You use the same software to generate the CSR that you use to generate the private-public key pair. The following example shows a CSR:

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBkTCB+wIBADBSMQswCQYDVQQGEwJ1czELMAkGA1UECBMCY2ExDTALBgNVBAcTBGhlcmUxCzAJ
BgNVBAoTAndlMQ0wCwYDVQQLEwR1bml0MQswCQYDVQQDEwJtZTCBnzANBgkqhkiG9w0BAQEFAAOB
jQAwgYkCgYEApaGAHNBjuByh8qXFCz33TgLzUjRm8S6tijit7fw23rKWyipQ0VgqeAD6eHr0pini
lyJPPOiJJ5fY0h2h78hOr8o+nJosTcqZL3jP+rSVick7qPPyXjcxP1UCGz/8RNykFDnbwjziwi+p
MesoWa8hfBss0ga2zZsmlV8Q4SyYE3UCAwEAAaAAMA0GCSqGSIb3DQEBBAUAA4GBACt0owTCngrU
/HAMAZgT/2O6hiZaD4OVBrgLYzmRvUiVhKOyTUzUv57ks7U6DQYt+rnWwNJtVbeAqO5eZiT7hXbj
Pwl8lGj+Adb6FGYOt4OhicZ0gNMHtURVop6iNJ9scxOmVcpkO0yX5f1rWFdZ0KZrWZSFGI6Lwdud
Hvbyvbpz
-----END NEW CERTIFICATE REQUEST-----
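As an added example that is not part of the PeopleSoft documentation, the following Python shows what the base64 inside a PEM block actually encodes: it builds a DER-encoded X.500 Name from the DN attributes in the table above (the same structure that carries the subject inside a CSR), wraps it in the PEM framing described here, and parses it back using only the standard library. The attribute values are taken from the DN table; the one-attribute-per-RDN layout and any PEM label passed to `to_pem()` are assumptions made for the demonstration, and a real CSR additionally carries the public key and a signature that this example leaves out.

```python
import base64, re

# X.520 attribute OIDs from the DN table above all sit under arc 2.5.4, whose DER encoding is 0x55 0x04
ARCS = {"CN": 3, "OU": 11, "O": 10, "L": 7, "ST": 8, "C": 6}
NAMES = {n: k for k, n in ARCS.items()}

def tlv(tag, body):
    # DER tag-length-value; a length above 127 uses long form: 0x80|byte-count, then big-endian bytes
    n, count = len(body), (len(body).bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x80 | count]) + n.to_bytes(count, "big")) + body

def read_tlv(buf, pos):
    # Inverse of tlv(): returns (tag, content, position of the next element)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, buf[pos:pos + n], pos + n

def encode_dn(attrs):
    # Name ::= SEQUENCE OF SET OF SEQUENCE { OID, value }; C is PrintableString, the rest UTF8String
    rdns = [tlv(0x31, tlv(0x30, tlv(0x06, bytes([0x55, 0x04, ARCS[k]]))
                              + tlv(0x13 if k == "C" else 0x0C, v.encode())))
            for k, v in attrs]
    return tlv(0x30, b"".join(rdns))

def decode_dn(der):
    # Walks the Name structure back into [(short_name, value), ...]; unknown OIDs are shown as hex
    _, body, _ = read_tlv(der, 0)
    attrs, pos = [], 0
    while pos < len(body):
        _, rdn, pos = read_tlv(body, pos)
        _, atv, _ = read_tlv(rdn, 0)
        _, oid, p = read_tlv(atv, 0)
        _, val, _ = read_tlv(atv, p)
        key = NAMES.get(oid[2], oid.hex()) if oid[:2] == b"\x55\x04" and len(oid) == 3 else oid.hex()
        attrs.append((key, val.decode()))
    return attrs

def to_pem(der, label):
    # PEM framing as described above: base64 of the DER bytes, 64 columns per line, between BEGIN/END markers
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{lines}\n-----END {label}-----\n"

def from_pem(pem):
    m = re.search(r"-----BEGIN ([^-]+)-----(.*?)-----END \1-----", pem, re.S)
    return base64.b64decode("".join(m.group(2).split()))

# Constructed sample built from the example values in the DN table above
PAGE_DN = [("CN", "QE_LOCAL"), ("OU", "Accounts Receivable"), ("O", "PeopleSoft"),
           ("L", "Pleasanton"), ("ST", "California"), ("C", "US")]
```

Calling `decode_dn(from_pem(to_pem(encode_dn(PAGE_DN), "X509 NAME")))` returns the original attribute list, and the same `read_tlv()` walk is how a certificate viewer locates the subject inside a real CSR or certificate.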

Signed Public Encryption Key From CA

The process of obtaining a signed public key certificate from a CA depends on the CA that you select. Typically, it requires you to paste the content of the PEM-formatted CSR into a form that you submit online. The CA then creates, digitally signs, and returns a public key certificate to you. The CA either emails you the certificate or requires you to download it from a specified web page. The certificate can be in either PEM format or the binary Distinguished Encoding Rules (DER) format.

Root Certificate

The root certificate contains the CA's digitally signed public key. It's also known as a chain file or a signer certificate. The process of obtaining a root certificate from a CA depends on the CA. The CA typically sends an email with the certificate or requires you to download it from a specified page.

Note: PeopleSoft systems accept root CA certificates with key sizes up to 4096 bits.

The signed public key certificate also contains an embedded copy of the CA's root certificate, which you can export.