Create a Private Key
Private keys are used for SSL communication, outbound message signing, and inbound message decryption. You can create new private keys using the Policy Manager or import existing keys from a PKCS#12 file. For more information on private keys, see Manage Private Keys.
To designate your new private key as the default SSL key, default CA key, audit signing key, or audit viewing key, use the "Mark as Special Purpose" option in the Private Key Properties.
If you create a new private key in a Gateway cluster configured with an internal Hardware Security Module (HSM), you must restart all nodes in the cluster in order for the new private key to be recognized.
To create a new private key:
- In the Policy Manager, select [Tasks] > Certificates, Keys, and Secrets > Manage Private Keys from the Main Menu. The Manage Private Keys dialog appears.
- Click [Create]. The Create Private Key dialog appears, with the [Basic] tab displayed.
- Configure the properties on the [Basic] tab as follows:
  - Alias: Enter an Alias for the key.
  - Subject DN: Enter the Subject DN for the initial self-signed certificate for the new private key. This specifies the owner of the initial self-signed certificate and should be in the form of an X.509 subject. For example:
    CN=ssl.layer7tech.com, O="CA Technologies, Inc", L=Vancouver, ST=British Columbia, C=CA
    Note that fields containing commas should be enclosed in quotes, as the O field is in this example; an unquoted comma is read as the separator before the next field.
  - Key type: Select the Key type from the drop-down list. Do not select any of the "Elliptic Curve" key types if your installation includes the SafeNet Luna HSM.
  - Days until expiry: Enter the number of days before the initial self-signed certificate expires. The default is 1825 days (5 years).
  - CA capable: Select the [Certificate will be used to sign other certificates] check box if the private key is to be CA-capable. The Policy Manager flags CA-capable keys with an icon to remind you. Keys with self-signed certificates created by the API Gateway as CA-capable cannot be used for any other purpose. Advanced Tip: It is possible to replace the entire certificate chain with a different one (for example, one issued by an internal or public PKI provider) that certifies the public key for other key usages, even if the initial self-signed certificate was created using the [Certificate will be used to sign other certificates] option.
  - Security Zone: Optionally choose a security zone. To remove this entity from a security zone (security role permitting), choose "No security zone". For more information about security zones, see Understanding Security Zones. This control is hidden if either: (a) no security zones have been defined, or (b) you do not have Read access to any security zone (regardless of whether you have Read access to entities inside the zones). Security zones apply to private keys but not to the keystore itself. This means, for example, that if you only have the "Manage Test Zone" role and need to manage private keys in the Test zone, you must also have an additional role that grants Read permission on the Gateway keystore.
- In the [Advanced] tab, select a specific signature hash to use when signing a certificate. The default setting of Auto means the Gateway automatically determines the signature hash. This default should work well in most instances.
- Click [Create] to generate the new key pair. The new private key is added to the list of certificates on the Manage Private Keys dialog.
(1) To verify the signature hash, look for the "Signature algorithm" line under the [Details] tab of the certificate's properties. (2) Access the Private Key Properties for other actions you can perform on a private key.
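The following script is an added example and is not part of the CA API Gateway documentation or product. It reproduces what the Create Private Key dialog does, using OpenSSL on the command line, so that the effect of each field (the quoted Subject DN, the key type, days until expiry, the CA-capable check box and the signature hash) can be inspected in the resulting certificate, and it bundles the key pair as a PKCS#12 file for the "import existing keys" path mentioned above. It assumes OpenSSL 1.1.1 or later is on the PATH; the working directory layout, the config section names, the alias "gw-ssl" and the password "changeit" are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the CA API Gateway documentation or product.
# It reproduces the Create Private Key dialog with OpenSSL so that each
# field (Subject DN, key type, days until expiry, CA capable, signature
# hash) can be inspected, and bundles the result as PKCS#12 for import.
# Assumes OpenSSL 1.1.1 or later on PATH; file names, the WORKDIR layout
# and the sample alias "gw-ssl" are this example's own choices.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CFG="$WORKDIR/req.cnf"

# Minimal req config. The two extension sections model the "CA capable"
# check box: a CA-capable key gets keyCertSign/cRLSign only (so it cannot
# serve as an SSL key), any other key gets a plain server-auth profile.
cat > "$CFG" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ssl_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
EOF

# Convert the dialog's comma-separated DN, with comma-containing values in
# double quotes as the page requires, into OpenSSL's /RDN=value/... form.
# Quoted commas are kept as data, the quotes are dropped, '/' is escaped.
dn_to_subj() {
  printf '%s' "$1" | awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    {
      q = 0; part = ""; out = ""
      for (i = 1; i <= length($0); i++) {
        c = substr($0, i, 1)
        if (c == "\"") { q = !q; continue }
        if (c == "," && !q) { out = out "/" trim(part); part = ""; continue }
        if (c == "/") c = "\\/"
        part = part c
      }
      print out "/" trim(part)
    }'
}

# make_key ALIAS rsa|ec -> $WORKDIR/ALIAS.key ("Key type" drop-down).
# The page warns against Elliptic Curve keys on a SafeNet Luna HSM.
make_key() {
  case "$2" in
    rsa) openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
           -out "$WORKDIR/$1.key" 2>/dev/null ;;
    ec)  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
           -pkeyopt ec_param_enc:named_curve -out "$WORKDIR/$1.key" 2>/dev/null ;;
    *)   echo "unknown key type: $2" >&2; return 1 ;;
  esac
}

# make_selfsigned ALIAS DN DAYS CA(yes|no) HASH -> $WORKDIR/ALIAS.crt,
# the "initial self-signed certificate"; HASH is the [Advanced] tab hash.
make_selfsigned() {
  if [ "$4" = yes ]; then ext=ca_ext; else ext=ssl_ext; fi
  openssl req -new -x509 "-$5" -key "$WORKDIR/$1.key" -subj "$(dn_to_subj "$2")" \
    -days "$3" -config "$CFG" -extensions "$ext" -out "$WORKDIR/$1.crt" 2>/dev/null
}

# Checks matching the page's note (1): the Signature Algorithm line of the
# certificate details, plus the CA flag, subject and remaining validity.
sig_alg()    { openssl x509 -in "$1" -noout -text | grep 'Signature Algorithm' | head -n 1 | awk '{print $NF}'; }
is_ca()      { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
subject_of() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }
# succeeds only if the certificate is still valid DAYS from now
valid_for_days() { openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; }

# Bundle key and certificate for the Policy Manager's PKCS#12 import path,
# and verify a bundle's password/MAC the way an importer would.
to_pkcs12() {
  openssl pkcs12 -export -inkey "$WORKDIR/$1.key" -in "$WORKDIR/$1.crt" \
    -name "$1" -passout "pass:$2" -out "$WORKDIR/$1.p12"
}
p12_ok() { openssl pkcs12 -in "$WORKDIR/$1.p12" -passin "pass:$2" -noout 2>/dev/null; }

if [ "${1:-}" = demo ]; then
  DN='CN=ssl.layer7tech.com, O="CA Technologies, Inc", L=Vancouver, ST=British Columbia, C=CA'
  make_key gw-ssl rsa
  make_selfsigned gw-ssl "$DN" 1825 no sha256
  echo "subject: $(subject_of "$WORKDIR/gw-ssl.crt")"
  echo "sigalg:  $(sig_alg "$WORKDIR/gw-ssl.crt")"
  to_pkcs12 gw-ssl changeit
  echo "pkcs12:  $WORKDIR/gw-ssl.p12 (files left in $WORKDIR for inspection)"
fi
```

Run it as `sh create-key.sh demo`; the generated files stay in the working directory so `openssl x509 -text` can be used on the certificate the same way the [Details] tab is used in the Policy Manager. Two caveats: the CA profile deliberately carries only keyCertSign and cRLSign, which is the command-line counterpart of the page's statement that CA-capable keys cannot be used for any other purpose; and OpenSSL 3.x writes PKCS#12 files with AES-256 and a SHA-256 MAC by default, so if an importer built on older PKCS#12 support rejects the file, re-export with OpenSSL 3's `-legacy` option.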