Create a Private Key

Private keys are used for SSL communication, outbound message signing, and inbound message decryption. You can create new private keys using the Policy Manager or import existing keys from a PKCS#12 file. For more information on private keys, see Manage Private Keys.
To designate your new private key as the default SSL key, default CA key, audit signing key, or audit viewing key, use the "Mark as Special Purpose" option in the Private Key Properties.
If you create a new private key in a Gateway cluster configured with an internal Hardware Security Module (HSM), you must restart all nodes in the cluster in order for the new private key to be recognized.
To create a new private key:
  1. In the Policy Manager, select [Tasks] > Certificates, Keys, and Secrets > Manage Private Keys from the Main Menu. The Manage Private Keys dialog appears.
  2. Click [Create]. The Create Private Key dialog appears, with the [Basic] tab displayed.
  3. Configure the properties on the [Basic] tab as follows:
     Alias: Enter an Alias for the key.
     Subject DN: Enter the Subject DN for the initial self-signed certificate for the new private key. This specifies the owner of the initial self-signed certificate and should be in the form of an X.509 subject. For example:
     CN=ssl.layer7tech.com, O="CA Technologies, Inc", L=Vancouver, ST=British Columbia, C=CA
     Note that fields containing commas should be enclosed in quotes.
     Key type: Select the Key type from the drop-down list. The main choices are RSA (from 512 bit to 4096 bit) and Elliptic Curve (multiple curve key types are available). Do not select any of the "Elliptic Curve" key types if your installation includes the SafeNet Luna HSM.
     Days until expiry: Enter the number of days before the initial self-signed certificate expires. The default is 1825 days (5 years).
     CA capable: Select the Certificate will be used to sign other certificates check box if the private key is to be CA-capable. The Policy Manager flags CA-capable keys with a CA-capable icon to remind you. Keys with self-signed certificates created by the Layer7 API Gateway as CA-capable cannot be used for any other purpose.
     Advanced Tip: It is possible to replace the entire certificate chain with a different one (for example, from an internal or public PKI provider) that certifies the public key for other key usages, even if the initial self-signed certificate was created using the [Certificate will be used to sign other certificates] option.
     Security Zone: Optionally choose a security zone. To remove this entity from a security zone (security role permitting), choose "No security zone". For more information about security zones, see Understanding Security Zones.
     This control is hidden if either: (a) no security zones have been defined, or (b) you do not have Read access to any security zone (regardless of whether you have Read access to entities inside the zones).
     Security zones apply to private keys but not to the keystore itself. This means (for example) that if you only have the "Manage Test Zone" role and you need to manage private keys in the Test zone, you must also have an additional role that grants read permission to the Gateway keystore.
  4. In the [Advanced] tab, select a specific signature hash to use when signing a certificate:
     • Auto (default)
     • SHA-1
     • SHA-256
     • SHA-384
     • SHA-512
     • SHA-256 (RSASSA-PSS)
     • SHA-384 (RSASSA-PSS)
     • SHA-512 (RSASSA-PSS)
     The default setting of Auto means the Gateway automatically determines the signature hash. This default should work well in most instances.
     • Ensure that the signature hash size you select is at least the same as the private key size.
     • RSASSA-PSS algorithms apply to RSA key types only; selecting an RSASSA-PSS hash for an EC key type will yield an error.
  5. Click [Create] to generate the new key pair. The new private key is added to the list of certificates on the Manage Private Keys dialog.
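Two of the form rules above are easy to get wrong before the dialog rejects them: the Subject DN in step 3 (a comma inside a value must be protected by quotes) and the RSASSA-PSS restriction in step 4. The following Python is an added example, not Gateway or Policy Manager code, that checks both rules ahead of time; the set of accepted attribute types and the exact form of the error messages are assumptions.

```python
import re

# The Subject DN shown on the page; the quotes protect the comma in the O= value.
EXAMPLE_DN = 'CN=ssl.layer7tech.com, O="CA Technologies, Inc", L=Vancouver, ST=British Columbia, C=CA'

# Attribute types accepted by this check (an assumption; the Gateway may accept more).
KNOWN_TYPES = {"CN", "O", "OU", "L", "ST", "C", "DC", "EMAILADDRESS", "SERIALNUMBER", "STREET"}

# One RDN: TYPE = either a double-quoted value (escaped quotes allowed) or an
# unquoted run with no comma, followed by a separating comma or end of string.
RDN_RE = re.compile(r'\s*([A-Za-z]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^,]*?)\s*(?:,|$)')

def parse_subject_dn(dn: str) -> list[tuple[str, str]]:
    """Split an X.509 subject string into (type, value) pairs.

    An unquoted comma inside a value splits the value into a fragment with no
    '=', which fails to match and raises ValueError: the exact mistake the
    "enclose in quotes" note warns about.
    """
    rdns, pos = [], 0
    while pos < len(dn):
        m = RDN_RE.match(dn, pos)
        if not m:
            raise ValueError(f"malformed RDN near offset {pos}: {dn[pos:pos + 20]!r}")
        typ, val = m.group(1).upper(), m.group(2)
        if val.startswith('"'):
            if len(val) < 2 or not val.endswith('"'):
                raise ValueError(f"unterminated quoted value for {typ}")
            val = val[1:-1].replace('\\"', '"')
        if not val:
            raise ValueError(f"empty value for {typ}")
        if typ not in KNOWN_TYPES:
            raise ValueError(f"unknown attribute type {typ}")
        rdns.append((typ, val))
        pos = m.end()
    if not rdns:
        raise ValueError("empty DN")
    return rdns

def dn_is_valid(dn: str) -> bool:
    """True when the DN parses cleanly under the rules above."""
    try:
        parse_subject_dn(dn)
        return True
    except ValueError:
        return False

RSASSA_PSS_HASHES = {"SHA-256 (RSASSA-PSS)", "SHA-384 (RSASSA-PSS)", "SHA-512 (RSASSA-PSS)"}

def signature_hash_allowed(key_type: str, signature_hash: str) -> bool:
    """RSASSA-PSS hashes are valid for RSA keys only; any EC key with one is rejected."""
    return signature_hash not in RSASSA_PSS_HASHES or key_type.upper().startswith("RSA")
```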
To verify the signature hash, look for the "Signature algorithm" line under the [Details] tab of the Private Key Properties. For other actions you can perform on a private key, see Manage Private Keys.