Private Key Locations
Where private keys are located will affect the actions that you can perform on the keys. Private keys are stored in the following locations:
| Location | Writable | Notes |
| --- | --- | --- |
| Software DB | Yes | A software keystore stored in the database as a PKCS#12 keystore. |
| SafeNet Luna HSM | Yes | An optional hardware security module that can be purchased and configured to work with the API Gateway (all form factors). When enabled, the SafeNet HSM overrides any other keystore on the API Gateway. |
By default, an SSL private key is created, with Alias "ssl" and Subject "CN=<gateway_hostname>". This initial default SSL key, as well as any subsequently created keys, are all created in the Software DB. Keys in the Software DB are writable, meaning that the keys and their certificate chains can be destroyed. If all keys are destroyed using the Manage Private Keys task, the original default SSL key is recreated once the API Gateway is restarted (with Alias="ssl"; Subject="<gateway_hostname>").
A CA key is not created by default. You need a CA key only if both of the following apply:
- The API Gateway cluster will be communicating with the API Gateway - XML VPN Client.
- You expect to use the automatic client certificate provisioning feature in the API Gateway - XML VPN Client.
For information on configuring a CA key for the cluster, see Manage Private Keys. You will use this task to create a new CA-capable key and then set it as the default.
If you create or import any custom private keys, they will be stored in the "Software DB" location. These keys can be destroyed or modified.