Add Certificate Wizard

The Add Certificate Wizard assists you in adding a new certificate to the trust store. The wizard can accept certificates using any of the following methods:
  • Retrieved from an HTTPS or LDAPS URL
  • Imported from a file
  • Pasted directly into the wizard
This wizard starts when you click [Add] on the Manage Certificates dialog.
Certificates that are used to authenticate a user must have a CN value that matches the username. For example, if the username is "suejones", then the CN value in the certificate must also be "suejones". If the CN was instead "mycompany.suejones.com", authentication fails. For more information on adding a certificate for a user, see "Configuring the [Certificate] Tab" in Internal User Properties.
Step 1: Enter Certificate Info
This step lets you specify the source of the new HTTPS or LDAPS certificate.
Specify how to obtain the certificate:
  • Retrieve via SSL Connection:
    Select this option to get the certificate from an HTTPS or LDAPS URL.
  • Import from a File:
    Select this option to get the certificate from a local file. Either enter the file path in the field, or use [Browse] to locate the file.
  • Import from Known Trusted Certificate:
    Choose this option to use a known trusted certificate from the Layer7 API Gateway trust store, then select the certificate from the drop-down list. For more information about trusted certificates, see Manage Certificates.
  • Import from Private Key's Certificate Chain:
    Choose this option to retrieve the certificate from the certificate chain of the private key, then select the private key from the drop-down list. For more information about private keys, see Manage Private Keys.
  • Copy and Paste:
    Choose this option to copy and paste the entire certificate from the originating file into the code window. Specify the format of the certificate being pasted:
    • Base64 PEM: The certificate must be surrounded by the PEM markers ('-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----'), with formatting that conforms to RFC 3548. This setting is the default.
    • Base64: The certificate can be imported regardless of formatting and does not require PEM markers.
  • Security Zone:
    Optionally choose a security zone. To remove this entity from a security zone (security role permitting), choose "No security zone." For more information about security zones, see Understanding Security Zones. This control is hidden if either: (a) no security zones have been defined, or (b) you do not have Read access to any security zone (regardless of whether you have Read access to entities inside the zones).
If you encounter an error moving to the next step of the wizard, verify that the certificate information entered is correct and then try again.
Step 2: View Certificate Details
This step appears if the Policy Manager was able to obtain the certificate successfully.
How to use this step:
  • Certificate Name:
    Optionally enter a descriptive name for the certificate.
  • Details:
    Examine the certificate details.
When creating a new Federated Identity Provider user who has a client certificate signed by the CA root certificate, the "Issued to" value of the certificate must match the user's "X509 Subject DN" value. If not, you are prompted whether to replace the original DN with the certificate DN.
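As an added example (not Policy Manager or Layer7 code), the following Java snippet models the checks described in Step 1 and Step 2: normalizing a pasted certificate in either Base64 PEM or Base64 form, comparing the subject CN with a username, and comparing "Issued to" with a configured X509 Subject DN. The class and method names are assumed; the certificate file path, username and DN are supplied on the command line.

```java
import java.io.ByteArrayInputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class PastedCertCheck {
    private static final String BEGIN = "-----BEGIN CERTIFICATE-----";
    private static final String END = "-----END CERTIFICATE-----";

    /** Normalize a pasted certificate to DER. Base64 PEM mode requires the markers; Base64 mode accepts any wrapping. */
    static byte[] pastedToDer(String pasted, boolean requirePemMarkers) {
        String text = pasted.trim();
        boolean hasMarkers = text.startsWith(BEGIN) && text.endsWith(END);
        if (requirePemMarkers && !hasMarkers) throw new IllegalArgumentException("Base64 PEM needs BEGIN/END CERTIFICATE markers");
        if (hasMarkers) text = text.substring(BEGIN.length(), text.length() - END.length());
        // Strip all whitespace, then decode strictly so that anything that is not Base64 is rejected.
        return Base64.getDecoder().decode(text.replaceAll("\\s+", ""));
    }

    static X509Certificate parse(byte[] der) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
    }

    /** Step 1 rule: the subject CN must equal the username exactly ("mycompany.suejones.com" does not match "suejones"). */
    static boolean cnMatchesUsername(X509Certificate cert, String username) throws InvalidNameException {
        for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                return username.equals(String.valueOf(rdn.getValue()));
            }
        }
        return false; // no CN at all: the certificate cannot authenticate a user
    }

    /** Step 2 rule: "Issued to" must equal the configured X509 Subject DN. LdapName compares DNs structurally, not as raw strings. */
    static boolean subjectMatchesConfiguredDn(X509Certificate cert, String configuredDn) throws InvalidNameException {
        return new LdapName(cert.getSubjectX500Principal().getName()).equals(new LdapName(configuredDn));
    }

    public static void main(String[] args) throws Exception {
        // Usage: java PastedCertCheck <certificate file> <username> <configured X509 Subject DN>
        X509Certificate cert = parse(pastedToDer(Files.readString(Paths.get(args[0])), true));
        System.out.println("Issued to: " + cert.getSubjectX500Principal().getName());
        System.out.println("CN matches username '" + args[1] + "': " + cnMatchesUsername(cert, args[1]));
        System.out.println("Subject DN matches configured DN: " + subjectMatchesConfiguredDn(cert, args[2]));
    }
}
```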
Step 3: Specify Certificate Options
This step allows you to select one or more certificate usage options. Specify how the certificate will be used:
Outbound SSL Connections
Select this option when the imported certificate belongs to an SSL server hosting the protected web services.
Be sure to select this option when importing an SSL certificate of an LDAP server into the trust store.
WARNING:
The Route via HTTP(S) Assertion in the service policy cannot connect using SSL if the host server uses a self-signed SSL certificate or an SSL certificate that is signed by an untrusted CA (Certificate Authority), unless the server's certificate is imported with this certificate usage option. See the "Signing Client Certificates" usage option below for more information.
Signing Certificates for Outbound SSL Connections
Select this check box when the imported certificate is the signing certificate of a CA (Certificate Authority) that signs SSL policies for servers hosting protected web services.
Be sure to select this option when importing the CA certificate of an LDAP server into the trust store.
The same "Warning" from above applies here as well.
Signing Client Certificates
Select this check box when the imported certificate is the signing certificate of a CA that signs client policies. The client policies can be used for a variety of purposes, including SSL client authentication and XML signing and encryption. Certificates imported with this option enabled can be used in Federated Identity Providers.
Signing SAML Tokens
Select this check box when the imported certificate is the signing certificate of a SAML issuing authority, such as in the SAML credential source workflow. Certificates imported with this option enabled can be used in Federated Identity Providers.
SAML Attesting Entity
Select this check box to configure a Federated Identity Provider to authorize identities that attest SAML tokens. The SAML Attesting Entity certificate usage option requires the presence of a Require SAML Token Profile assertion configured with the "Sender Vouches" subject confirmation method. To learn how to configure the XML VPN Client to vouch for a requestor's identity using SAML, see Configure SAML Sender Vouches in the XML VPN Client online documentation.
You can complete the wizard without specifying a usage option in Step 3. However, at least one usage option must be specified at a later date before the certificate can be used. To specify an option later, see Edit a Certificate.
Step 4: Configure Validation
This step allows you to specify validation options for the certificate.
Specify the following validation options for the certificate:
Certificate is a Trust Anchor
Specify whether the certificate should be a trust anchor: a starting point from which trust is established. By default, all certificates added to the Layer7 API Gateway trust store are trust anchors. Setting a certificate as a trust anchor avoids having to follow the certificate chain.
For more information about trust anchors, see Manage Certificate Validation.
Verify Hostnames for Outbound SSL Connections
This setting is available when one of the "outbound" options is selected in Step 3. It lets you specify whether the Layer7 API Gateway should verify the hostname in a trusted certificate against the hostname in the URL of the request. If this option is enabled and the hostnames do not match, then the request is disallowed. If this option is disabled, then no attempt will be made to verify that the hostnames match.
This setting works in conjunction with the io.httpsHostVerify cluster property, which also specifies when a server hostname is verified against a certificate.
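As an added example (not Gateway code), this Java snippet shows what the hostname verification option amounts to: the URL host is matched against the certificate's SAN dNSName entries (falling back to the subject CN only when the certificate has no dNSName), and the request is disallowed on a mismatch when verification is enabled. The class and method names are assumed; IP-literal hosts (SAN iPAddress entries) are not handled.

```java
import java.net.URI;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class OutboundHostnameCheck {
    /** Names the certificate is valid for: SAN dNSName entries, or the subject CN only when no dNSName is present. */
    static List<String> certificateHostnames(X509Certificate cert) throws Exception {
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                if (Integer.valueOf(2).equals(san.get(0))) { // GeneralName type 2 = dNSName
                    names.add(((String) san.get(1)).toLowerCase(Locale.ROOT));
                }
            }
        }
        if (names.isEmpty()) {
            for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) names.add(String.valueOf(rdn.getValue()).toLowerCase(Locale.ROOT));
            }
        }
        return names;
    }

    /** One certificate name against the URL host: exact match, or a "*." wildcard covering exactly one left-most label. */
    static boolean nameMatches(String certName, String host) {
        if (certName.equals(host)) return true;
        if (!certName.startsWith("*.")) return false;
        String suffix = certName.substring(1);                 // "*.example.com" -> ".example.com"
        int dot = host.indexOf('.');
        return dot > 0 && host.substring(dot).equals(suffix); // "www.example.com" yes, "a.b.example.com" no
    }

    /** Verify Hostnames for Outbound SSL Connections: when enabled, the request is disallowed unless a certificate name covers the URL host. */
    static boolean requestAllowed(X509Certificate cert, String url, boolean verifyHostnames) throws Exception {
        if (!verifyHostnames) return true; // option disabled: no attempt is made to match hostnames
        String host = URI.create(url).getHost();
        if (host == null) return false;
        host = host.toLowerCase(Locale.ROOT);
        for (String name : certificateHostnames(cert)) {
            if (nameMatches(name, host)) return true;
        }
        return false;
    }
}
```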
Revocation Checking
Specify how this certificate should be checked for revocation:
  • Default:
    Use the default revocation checking policy, as defined in the Manage Certificate Validation dialog.
  • Disabled:
    Do not check this certificate for revocation.
  • Selected:
    Use another revocation checking policy from the drop-down list.
For more information on revocation checking, see Manage Certificate Validation.