Set a Default SSL or CA Private Key
You can designate a private key to be the default SSL or CA private key for the cluster.
WARNING: Do not use the default CA key as the default SSL key as well. Doing so causes the Policy Manager to fail to connect to the CA API Gateway.

To set a default SSL or CA private key:
- In the Policy Manager, select [Tasks] > Certificates, Keys, and Secrets > Manage Private Keys from the Main Menu. The Manage Private Keys dialog appears.
- Select the private key to be used to generate the CSR and then click [Properties]. The Private Key Properties dialog appears.
- Click the [Mark as Special Purpose] button and then:
  - Select Make Default SSL Key to make this key the default SSL private key (indicated by an icon on the interface).
    Note: When an elliptic curve certificate (ECC) is designated as the default SSL key, the Require Encrypted Element Assertion does not function when using the Gateway with the default WSS recipient. The Gateway does not currently support encrypting XML for a recipient using an ECC key, nor decrypting XML that was encrypted for an ECC key.
  - Select Make Default CA Key to make this key the default CA private key (indicated by an icon on the interface).
- Click [Yes] to confirm. The key that previously held these functions is automatically unassigned. The change takes effect after all cluster nodes are restarted.

The previous steps assume that the private key is on the same port used by the Policy Manager to connect to the Gateway. If the key is on a port different from the one the Policy Manager is connected to, a Gateway restart is NOT required:

1. Import the new key or public certificate under a key alias other than 'SSL'.
2. Connect to the Gateway via the Policy Manager on port 9443.
3. Select port 8443 and make the changes to the private key using the new key you have imported.
4. Click [Save].
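A pre-flight check for the two constraints stated above (the default CA key must not also be the default SSL key, and an ECC default SSL key disables the Require Encrypted Element Assertion for the default WSS recipient), as an added example that is not part of the Gateway or of this page. It assumes you have exported each candidate certificate's DER SubjectPublicKeyInfo, uses only the Python standard library, and embeds constructed sample blobs inline.

```python
OID_NAMES = {"1.2.840.113549.1.1.1": "RSA", "1.2.840.10045.2.1": "EC"}

def _read_tlv(buf, pos):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Turn DER OID content bytes into dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def key_algorithm(spki_der):
    """Return 'RSA', 'EC' or the raw OID of a DER SubjectPublicKeyInfo."""
    tag, spki, _ = _read_tlv(spki_der, 0)     # SubjectPublicKeyInfo SEQUENCE
    tag2, alg_id, _ = _read_tlv(spki, 0)      # AlgorithmIdentifier SEQUENCE
    tag3, oid, _ = _read_tlv(alg_id, 0)       # algorithm OID
    if (tag, tag2, tag3) != (0x30, 0x30, 0x06):
        raise ValueError("not a DER SubjectPublicKeyInfo")
    dotted = _decode_oid(oid)
    return OID_NAMES.get(dotted, dotted)

def check_default_keys(ssl_spki, ca_spki):
    """List the problems with a proposed (default SSL key, default CA key) pair."""
    problems = []
    if ssl_spki == ca_spki:
        problems.append("same key as default SSL and default CA")
    if key_algorithm(ssl_spki) == "EC":
        problems.append("ECC default SSL key breaks Require Encrypted Element Assertion")
    return problems

def _der(tag, content):  # short-form DER encoder, only for the constructed samples
    return bytes([tag, len(content)]) + content

# Constructed sample SPKIs: real algorithm OIDs, dummy key bits.
EC_SPKI = _der(0x30, _der(0x30, _der(0x06, bytes.fromhex("2a8648ce3d0201"))
                          + _der(0x06, bytes.fromhex("2a8648ce3d030107")))
               + _der(0x03, b"\x00\x04" + b"\x11" * 8))
RSA_SPKI = _der(0x30, _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101"))
                           + _der(0x05, b""))
                + _der(0x03, b"\x00\x30\x06\x02\x01\x03\x02\x01\x03"))
```

Run `check_default_keys` on the SSL and CA candidates before clicking [Yes]; an empty list means neither constraint is violated.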