Quotes

Wednesday, October 26, 2016

Generate Keys and Certificates in Datapower Step by Step



You can generate a private cryptographic key and optionally a self-signed certificate from the Crypto Tools page. The Certificate Signing Request (CSR) needed by a certificate authority (CA) is created by default.
If the file is stored in the cert: directory, it cannot be edited. If a file is stored in the local: directory or in the temporary: directory, it can be edited.
To generate a key:
  1. Click Administration > Miscellaneous > Crypto Tools.
  2. Define the LDAP entry.
    1. Set LDAP (reverse) Order of RDNs to indicate whether to create the LDAP entry in reverse RDN order.
       on: Creates the entry in reverse RDN order.
       off: (Default) Creates the entry in forward RDN order.
    2. Optional: In the Country Name (C) field, enter a country name.
    3. Optional: In the State or Province (ST) field, enter a state name or a province name.
    4. Optional: In the Locality (L) field, enter a locality name.
    5. Optional: In the Organization (O) field, enter the name of an organization.
    6. Optional: In the Organizational Unit (OU) field, enter the name of an organizational unit.
    7. Optional: In the Organizational Unit 2 (OU), Organizational Unit 3 (OU), and Organizational Unit 4 (OU) fields, enter the names of additional organizational units.
    8. In the Common Name (CN) field, enter a common name.
  3. From the RSA Key Length list, select the key length. This defaults to 1024.
  4. In the File Name field, enter the name of the key file to generate. The value takes the directory:///name form. Leave blank to allow the action to create the name.
  5. In the Validity Period field, enter the number of days that the key is valid.
  6. In the Password field, enter a password to access the key file. The password must be at least six characters in length.
  7. In the Password Alias field, enter a password alias to access the key file.
  8. On HSM-equipped appliances, set Private Key Exportable via hsmkwk to indicate whether the key can be exported with the HSM key-wrapping-key. The default value is off.
     Note: On Type 7199 appliances, you must select on or the operation will fail. The ability to do a subsequent export of the key cannot be disabled.
     on: Indicates that the key can be exported.
     off: (Default) Indicates that the key cannot be exported.
  9. Set Export Private Key to indicate whether the action writes the key file to the temporary: directory.
     on: Writes the key file to the temporary: directory.
     off: (Default) Does not write the key file to the temporary: directory.
  10. Set Generate Self-Signed Certificate to indicate whether the action creates a self-signed certificate that matches the key.
     on: (Default) Creates a self-signed certificate.
     off: Does not create a self-signed certificate.
  11. Set Export Self-Signed Certificate to indicate whether the action writes the self-signed certificate to the temporary: directory.
     on: (Default) Writes the self-signed certificate to the temporary: directory.
     off: Does not write the self-signed certificate to the temporary: directory.
  12. Set Generate Key and Certificate Objects to indicate whether the action automatically creates the objects from the generated files.
     on: (Default) Creates the objects from the generated files.
     off: Does not create the objects from the generated files.
  13. In the Object Name field, enter the name to use for the Key object and for the Certificate object. Leave blank to allow the action to generate the names from the input information (based on the Common Name (CN) or File Name property).
  14. On HSM-equipped appliances, set Generate Key on HSM to indicate whether to create the key on the HSM.
     on: Creates the key on the HSM. On Type 9235 appliances, the file name (URL) for the key has the hsm://hsm1/name format. On Type 7199 appliances, the file name (URL) for the key has the hsm://hsm2/name format.
     off: Creates the key on the appliance. The file name (URL) for the key has the cert:///name format.
  15. In the Using Existing Key Object field, enter the name of an existing key. If supplied and valid, the action generates a new certificate and a new Certificate Signing Request (CSR) that is based on the key in the identified Key object. In this case, the appliance does not generate a new key.
  16. Click Generate Key to generate a private key and, if requested, a self-signed certificate. A CSR is created automatically.
  17. Follow the prompts.
The CSR can be submitted to a certificate authority (CA) to receive a certificate that is based on this private key. This action creates the following files and objects:
  • Creates the private key file in the cert: directory; for example, cert:///sample-privkey.pem
  • Creates the CSR in the temporary: directory; for example, temporary:///sample.csr
  • If Generate Self-Signed Certificate is enabled, creates a self-signed certificate in the cert: directory; for example, cert:///sample-sscert.pem
  • If Export Self-Signed Certificate is enabled, creates a copy of the self-signed certificate in the temporary: directory; for example, temporary:///sample-sscert.pem
  • If Generate Key and Certificate Objects is enabled, creates a Key object and a Certificate object
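The three artifacts listed above (private key, CSR, self-signed certificate) can be reproduced and checked off-box with the OpenSSL command line. The script below is an added example, not part of the original page or of IBM's DataPower tooling: it assumes the openssl binary is on the PATH, uses constructed DN values, mirrors the page's sample file names in a scratch directory instead of cert: and temporary:, and deliberately uses a 2048-bit key rather than the page's 1024-bit default, since 1024-bit RSA is no longer acceptable for new keys. The checks are the ones a reviewer wants before loading files into an appliance: the key size, that the CSR and certificate carry the same modulus as the key (the property the Using Existing Key Object step relies on), that the CSR's self-signature verifies, and what the subject looks like in reverse (CN-first) RDN order, which is what the LDAP (reverse) Order of RDNs switch refers to.

```shell
#!/bin/sh
# Added example, not from the original page or IBM's DataPower tooling.
# Reproduces the private key, CSR and self-signed certificate that the
# Crypto Tools action creates, then verifies them. DN values are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
KEY="$WORK/sample-privkey.pem"   # stands in for cert:///sample-privkey.pem
CSR="$WORK/sample.csr"           # stands in for temporary:///sample.csr
CERT="$WORK/sample-sscert.pem"   # stands in for cert:///sample-sscert.pem

# Forward (C first) RDN order, matching the GUI's default LDAP order setting.
SUBJ="/C=US/ST=Texas/L=Austin/O=Example Corp/OU=Payments/CN=gateway.example.test"
BITS=2048   # the page's default is 1024; use 2048 or larger for new keys
DAYS=365    # the Validity Period field

# Step 1: private key plus CSR (the CSR is always produced, as on the page).
gen_key_and_csr() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:"$BITS" -out "$KEY" 2>/dev/null
  openssl req -new -key "$KEY" -subj "$SUBJ" -out "$CSR"
}

# Step 2: self-signed certificate for the same key
# (Generate Self-Signed Certificate = on).
gen_self_signed() {
  openssl req -new -x509 -key "$KEY" -subj "$SUBJ" -days "$DAYS" -out "$CERT"
}

# Check 1: modulus size of the generated key, in bits.
key_bits() {
  openssl rsa -in "$KEY" -noout -text 2>/dev/null \
    | sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# Check 2: the CSR and the certificate must carry the key's public modulus;
# a mismatch means the request or certificate belongs to a different key.
csr_matches_key() {
  k=$(openssl rsa -in "$KEY" -noout -modulus 2>/dev/null)
  r=$(openssl req -in "$CSR" -noout -modulus)
  [ "$k" = "$r" ] && echo match || echo MISMATCH
}
cert_matches_key() {
  k=$(openssl rsa -in "$KEY" -noout -modulus 2>/dev/null)
  c=$(openssl x509 -in "$CERT" -noout -modulus)
  [ "$k" = "$c" ] && echo match || echo MISMATCH
}

# Check 3: the CSR's self-signature verifies (openssl exits non-zero otherwise).
csr_signature_ok() {
  openssl req -in "$CSR" -noout -verify >/dev/null 2>&1 && echo ok || echo BAD
}

# The subject in RFC 2253 form, which is the reverse (CN-first) RDN order.
csr_subject_reverse() {
  openssl req -in "$CSR" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

gen_key_and_csr
gen_self_signed
echo "key bits:         $(key_bits)"
echo "csr/key:          $(csr_matches_key)"
echo "cert/key:         $(cert_matches_key)"
echo "csr signature:    $(csr_signature_ok)"
echo "reverse-order DN: $(csr_subject_reverse)"
```

The same req and x509 checks apply unchanged to a CSR or certificate downloaded from the appliance's temporary: directory; a key generated with a password (the Password field) needs `-passin` on the `openssl rsa` commands, and a key created on the HSM (hsm://hsm1/name or hsm://hsm2/name) cannot be read this way at all, so for HSM keys only the CSR and certificate side of the comparison is available.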
If the action creates a self-signed certificate, you can use this certificate-key pair for the following purposes:
  • Establish Identification Credentials
  • Encrypt or decrypt XML documents
