Manage Private Keys
The CA API Gateway can be configured to use customized private keys. These customized private keys can be used for SSL communication, outbound message signing, and inbound message decryption. Private keys are stored in the Gateway as PKCS#12 files or in an external, network-attached SafeNet Luna Hardware Security Module (HSM). Once the keystore has been defined, you manage the private keys in the Policy Manager through the Manage Private Keys task.
The Manage Private Keys task lists all certificates installed on the Gateway cluster for which the Gateway possesses a copy of the private key. You can use this dialog to:
- Create a new private key
- Import a private key from another source
- Sign a certificate
- View the properties of an existing private key
- Display information about the configured keystore
If you need to store private keys as plain-text PEM, use the Manage Stored Passwords task instead. The Manage Private Keys task is used only for asymmetric private keys that have certificate chains.
You can use the Manage Private Keys task to create a private key whose certificate chain is signed by a different local private key. To do this:
1. Create two private keys, one CA-capable and the other not.
2. View the properties of the non-CA key and click [Generate CSR]. Save the CSR to a .pem file.
3. Returning to the Manage Private Keys dialog, select the CA key and click [Sign Cert].
4. Locate and open the .pem file created in step 2.
5. Save the resulting certificate chain to a different .PEM file.
6. View the properties of the non-CA key again and this time click [Replace Certificate Chain].
7. Locate and open the .pem file created in step 5.
You now have a CA-capable private key with a self-signed certificate and a non-CA key with a certificate signed by the CA key.
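The procedure above, carried out with the Go standard library as an added example (this is not code from the CA API Gateway or from this documentation). It assumes P-256 keys, the hypothetical names example-ca and gateway.example, and one-year validity; the CSR is produced as PEM just as the [Generate CSR] button writes it to a .pem file, while the signed chain is kept in memory rather than saved and reloaded. What makes a key CA-capable here, and what the dialog's CA icon reflects, is basicConstraints CA:TRUE on the certificate. verifyChain is the check worth running before [Replace Certificate Chain]: the new leaf must belong to the private key being updated and must validate up to the CA key's self-signed certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// template builds a certificate body; basicConstraints CA:TRUE or CA:FALSE is what makes a key CA-capable or not.
func template(serial int64, subject pkix.Name, isCA bool, ku x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: subject, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour), KeyUsage: ku,
	}
}

// newSelfSignedCA is step 1's CA-capable key: a self-signed CA:TRUE certificate with keyCertSign usage.
func newSelfSignedCA(key *ecdsa.PrivateKey, cn string) (*x509.Certificate, error) {
	t := template(1, pkix.Name{CommonName: cn}, true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign)
	der, err := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// generateCSR is step 2 ([Generate CSR] on the non-CA key); the PEM bytes are what the .pem file holds.
func generateCSR(key *ecdsa.PrivateKey, cn string) ([]byte, error) {
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// signCSR is steps 3 to 5 ([Sign Cert] with the CA key): verify the CSR's own signature, issue a CA:FALSE leaf, return leaf then CA.
func signCSR(csrPEM []byte, ca *x509.Certificate, caKey *ecdsa.PrivateKey) ([]*x509.Certificate, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, fmt.Errorf("input is not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err == nil {
		err = csr.CheckSignature() // proof that the requester actually holds the non-CA key
	}
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificate(rand.Reader, template(2, csr.Subject, false, x509.KeyUsageDigitalSignature), ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	return []*x509.Certificate{leaf, ca}, err
}

// verifyChain is the check to run before [Replace Certificate Chain] (step 6) on the two-certificate chain this procedure produces.
func verifyChain(chain []*x509.Certificate, key *ecdsa.PrivateKey) error {
	if len(chain) != 2 || !key.PublicKey.Equal(chain[0].PublicKey) {
		return fmt.Errorf("chain must be the leaf for this private key followed by its issuing CA")
	}
	roots := x509.NewCertPool()
	roots.AddCert(chain[1]) // the CA key's self-signed certificate
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// BuildSignedChain runs steps 1 to 7 for the two keys passed in and returns the verified chain.
func BuildSignedChain(caKey, leafKey *ecdsa.PrivateKey) ([]*x509.Certificate, error) {
	ca, err := newSelfSignedCA(caKey, "example-ca") // hypothetical CA name
	if err != nil {
		return nil, err
	}
	csr, err := generateCSR(leafKey, "gateway.example") // hypothetical subject
	if err != nil {
		return nil, err
	}
	chain, err := signCSR(csr, ca, caKey)
	if err != nil {
		return nil, err
	}
	return chain, verifyChain(chain, leafKey)
}

func main() {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)   // step 1: CA-capable key
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // step 1: non-CA key
	chain, err := BuildSignedChain(caKey, leafKey)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%q signed by %q; leaf CA-capable: %v\n", chain[0].Subject.CommonName, chain[0].Issuer.CommonName, chain[0].IsCA)
}
```

The order of checks in signCSR matters: the CSR's own signature is verified before anything is issued, so a request that was not made by the holder of the non-CA key is refused. verifyChain rejects a chain whose leaf was issued for some other key, which is the mistake [Replace Certificate Chain] would otherwise let through.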
To manage private keys:
- In the Policy Manager, select [Tasks] > Certificates, Keys, and Secrets > Manage Private Keys from the Main Menu (on the browser client, from the Manage menu). In the Manage Private Keys dialog, an icon next to each key indicates whether it is:
  - a key with a CA (Certificate Authority)-capable certificate chain
  - a key with a certificate chain that is not CA-capable
  - the default CA key
  - the default SSL key
  For more information about each of these keys, see Private Key Properties. This is where the default CA and SSL keys are set.
- Select a task to perform:
  - Create a new private key
  - Import a private key
  - Sign a certificate
  - View private key properties: see Private Key Properties. This gives access to less frequently used actions such as generating a CSR, replacing the certificate chain, setting the key as the default SSL or CA key, or destroying the key.
  - Manage the keystore: see Manage Keystore. This is used to enable or disable the SafeNet Luna keystore (if installed).
- Click [Close] when done.