Private Key Properties

The Private Key Properties dialog displays overview information about a private key and provides access to other actions that are used infrequently (for example, generating a CSR or destroying a key).
The Private Key Properties dialog is accessed using the [Properties] button on the Manage Private Keys dialog.
The following table describes the properties:
Label
Description
Location
The name of the keystore holding the private key. This is either the software database keystore or the cluster HSM keystore. For more information, see Private Key Locations.
Alias
The name assigned to the key. Used to identify the key within the keystore when configuring a policy assertion to use that key.
Key Type
The type of the private key.
Do not select any of the "Elliptic Curve" key types if your installation includes the SafeNet Luna HSM.
Security Zone
Optionally choose a security zone. To remove this entity from a security zone (security role permitting), choose "No security zone".
For more information about security zones, see Understanding Security Zones.
This control is hidden if either: (a) no security zones have been defined, or (b) you do not have Read access to any security zone (regardless of whether you have Read access to entities inside the zones).
Certificate Chain
Displays the current certificate chain for the selected private key, beginning with the subject (end-entity) certificate. Every new private key created in the Gateway initially has a certificate chain consisting of a single self-signed placeholder certificate. You can replace it with any other certificate chain whose subject certificate carries the same public key as the placeholder; in other words, the replacement certificate must have been issued for the same key pair.
View Certificate
Opens the Certificate Properties dialog to display information about the certificate. For more information about this dialog, see Edit a Certificate.
The certificate is not editable when open from this location.
Other Actions:
Depending on where the private keys are stored, not all of the "Other Actions" buttons may be available. For more information, see Private Key Locations.
Generate CSR
Generates a new PKCS#10 certificate signing request (CSR) using the selected private key. For more information, see Generate a Certificate Signing Request (CSR).
Replace Certificate Chain
Replaces the existing certificate chain with a new chain that uses the same private key. For example, use this action to replace a placeholder certificate with an actual certificate returned from a CA. Restart the Gateway for the replacement to take effect.
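Generate CSR and Replace Certificate Chain hinge on one requirement stated above: the subject certificate of the replacement chain must carry the same public key as the private key already in the keystore. The following is an added example, not part of this page and not the Gateway's own tooling, showing the equivalent steps and the pre-replacement check with the openssl CLI: a fresh RSA key with a self-signed placeholder, a PKCS#10 CSR from that key, a throwaway CA standing in for the real issuer (assumed here purely for illustration), and a comparison of the public-key fingerprint in the returned certificate against the private key before the chain is replaced. File names, subject names and the throwaway CA are placeholders.

```shell
#!/bin/sh
# Added example, not Gateway code or tooling. Requires the openssl CLI.
# File names, subjects and the throwaway CA are illustrative placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
KEY="$WORK/key.pem"              # the private key the Gateway would hold in its keystore
PLACEHOLDER="$WORK/placeholder.pem"
CSR="$WORK/request.csr"
CHAIN="$WORK/chain.pem"          # subject certificate first, then the issuing CA

# Step 1: a new key plus the self-signed placeholder certificate that every newly
# created Gateway private key starts with.
make_placeholder_key() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=placeholder.example.test" \
        -keyout "$KEY" -out "$PLACEHOLDER" 2>/dev/null
}

# Step 2: a PKCS#10 CSR for that same key (what "Generate CSR" produces),
# self-signature verified before it is sent to the CA.
make_csr() {
    openssl req -new -key "$KEY" -sha256 -subj "/CN=gateway.example.test" \
        -out "$CSR" 2>/dev/null
    openssl req -in "$CSR" -noout -verify 2>/dev/null
}

# Stand-in for the real CA: signs the CSR with a throwaway CA key and assembles the
# chain file in the order the Gateway displays it (subject certificate, then issuer).
issue_from_csr() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Throwaway Test CA" \
        -keyout "$WORK/ca-key.pem" -out "$WORK/ca.pem" 2>/dev/null
    openssl x509 -req -in "$CSR" -CA "$WORK/ca.pem" -CAkey "$WORK/ca-key.pem" \
        -CAcreateserial -CAserial "$WORK/ca.srl" -days 30 -sha256 \
        -out "$WORK/issued.pem" 2>/dev/null
    cat "$WORK/issued.pem" "$WORK/ca.pem" > "$CHAIN"
}

# Optional second check: the issued certificate validates up to its issuer.
chain_verifies() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/issued.pem" >/dev/null 2>&1
}

# SHA-256 of the DER-encoded public key, taken from a private key or from the first
# (subject) certificate in a chain file, so the two can be compared directly.
key_fingerprint() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}
cert_fingerprint() {
    openssl x509 -in "$1" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Step 3: the check to run before "Replace Certificate Chain". Returns 0 only when
# the subject certificate in the chain was issued for this private key.
chain_matches_key() {
    chain_fp="$(cert_fingerprint "$1")"
    key_fp="$(key_fingerprint "$2")"
    [ -n "$chain_fp" ] && [ "$chain_fp" = "$key_fp" ]
}
```

Run `make_placeholder_key`, `make_csr` and `issue_from_csr` in that order, then `chain_matches_key "$CHAIN" "$KEY"`; a chain whose subject certificate was issued for a different key (the throwaway CA's own certificate, for instance) fails the check and should not be loaded with Replace Certificate Chain. The same fingerprint comparison works for a certificate returned by a real CA: feed it, with its intermediates appended, as the chain file.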
Export Key
Exports a private key that is stored in the software database. For more information, see Export a Private Key.
Mark as Special Purpose
Sets the selected key as any one of the following special keys:
  • Make Default SSL:
    Makes the selected key the default SSL private key for the cluster. This is the key used by listen ports, the Route via HTTP(S) Assertion, and any other assertion that requires a private key.
  • Make Default CA:
    Makes the selected key the default CA private key for the cluster. This allows the Layer7 API Gateway - XML VPN Client to obtain certificates dynamically from the Gateway during initial configuration.
    You are warned if the selected key is unsuitable for use as the default CA key. You may proceed at your own risk.
  • Make Audit Signing Key:
    Makes the selected key the default audit signing key. All internally-saved signed audit records are signed with this key whenever internal audit signing is enabled (see the audit.signing cluster property).
    If an audit signing key is not assigned, the Gateway uses the default SSL key to sign audit records.
    (1) Avoid frequent changes to the audit signing key, as this may cause potential issues during verification. (2) Designating an audit signing key does not affect any signing that may be done with assertions in an audit sink policy.
  • Make Audit Viewer Key:
    Makes the selected key the audit viewer key, to be used to decrypt encrypted audits in the Audit Viewer policy.
    The audit viewer key is required when an authorized user attempts to view encrypted audit information in the Policy Manager. For more information, see "Invoke the Audit Viewer Policy" in View Gateway Audit Events.
    Keep in mind the following about the audit viewer key:
    • Once a key is assigned, it cannot be used in any other policy or for any other task. This is to prevent encrypted audits from being decrypted using a normal service policy.
    • Keys cannot be designated as the audit viewer key at the same time as they are designated for some other special purpose.
    • Do not delete a key while it is serving as the audit viewer key. Once a key ceases to be the audit viewer key, however, it is recommended that you delete it, to prevent unauthorized users from decrypting audit records that were encrypted with that key.
Delete Key
Deletes the private key and certificate chain from the keystore. Use this action with caution, as deleting a private key is permanent. For more information, see Delete a Private Key.
WARNING:
Do not delete a key that is currently serving as the audit viewer key. This renders your encrypted audits unviewable. Reassign the audit viewer key to another key first.