Manage Certificates

The Manage Certificates task is used to manage both HTTPS and LDAPS certificates. In an identity bridging configuration, certificates are imported into the Federated Gateway B trust store. The trust store is the repository for four types of certificates that may be required by the Federated Identity Provider in an identity bridging configuration:
  • CA certificates used for signing client certificates
  • SSL server certificates
  • CA certificates used for signing SSL server certificates
  • Certificates used for signing SAML assertions
The combination and purpose of certificates in the trust store are determined by the chosen credential source and optional configuration elements defined in Workflow Using an X.509 Certificate or Workflow Using SAML. In accordance with the workflow instructions, certificates belonging to the Trusted Gateway A authentication domain will typically be imported into the Federated Gateway B authorization domain using the Add Certificate Wizard. 
Wildcards can be used in hostnames during verification (for example, certificates with wildcard Subject DN). For more information, see Wildcard Matching of Hostnames.
Certificate Expiration Notification
In addition to the Expiration Date shown on the Manage Certificates dialog, the API Gateway can alert you if a trusted certificate has expired or will expire imminently. When the API Gateway is started, and every 12 hours (default setting) thereafter, it checks for impending certificate expiration:
  • If a certificate has expired or will expire within the configured WARNING period (by default, 2 days), a WARNING audit event is logged.
  • If a certificate will expire within the configured INFO period (by default, 7 days), an INFO audit event is logged.
  • If a certificate will expire within the configured FINE period (by default, 30 days), a FINE audit event is logged.
To set the configured warning periods, see the 'trustedCert' properties under View Gateway Audit Events.
Expired certificates are highlighted in red on the Manage Certificates dialog. 
If your API Gateway is a cluster, multiple audit events warning you of the same certificate expiration may be logged.
To manage certificates:
  • In the Policy Manager, select [Tasks] > Certificates, Keys, and Secrets > Manage Certificates from the Main Menu (on the browser client, from the Manage menu). The Manage Certificates dialog appears.
Certificates that have expired are shown in red. If there are expired certificates currently scrolled out of view, the Manage Certificates dialog will warn you with the message: 
Caution! Some certificate(s) have expired
It is possible to have multiple trusted certificates with the same DN, provided that the SHA-1 thumbprints differ. This allows you to trust a renewed version of a given certificate (that is, a certificate with the same DN, typically the same key, but a new certificate with a later expiry date) while still trusting the older version of the certificate up until its expiry date. This is useful when dealing with peers that do not yet have the latest version of the certificate.
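The expiration ladder and the same-DN rule above, as an added example that is not code from the API Gateway: a shell script that classifies PEM certificates with openssl's -checkend using the same 2/7/30-day WARNING/INFO/FINE periods, then builds two constructed self-signed certificates with the same DN and the same key (an original and its renewal) to show that they remain distinguishable by SHA-1 thumbprint. The threshold variable names, the helper functions, the subject CN and the temporary files are this script's own assumptions, not Gateway property names; it needs only the openssl command line tool.

```shell
#!/bin/sh
# Added example, not part of the API Gateway: classify PEM certificates by time to
# expiry with the same 2/7/30-day WARNING/INFO/FINE ladder, and show that a renewed
# certificate with the same DN is still distinguishable by its SHA-1 thumbprint.
set -e

# Thresholds in days. The variable names are this script's own, not the Gateway's
# 'trustedCert' property names; the defaults match the periods described above.
: "${WARNING_DAYS:=2}"
: "${INFO_DAYS:=7}"
: "${FINE_DAYS:=30}"

# expires_within FILE DAYS: succeed if the certificate has already expired or its
# notAfter is less than DAYS from now. openssl's -checkend exits non-zero in both cases,
# so an expired certificate lands in the WARNING bucket, as on the Gateway.
expires_within() {
    ! openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# expiry_level FILE: WARNING, INFO, FINE or OK. The shortest period is checked first
# so a certificate only ever lands in the most urgent bucket that applies.
expiry_level() {
    if expires_within "$1" "$WARNING_DAYS"; then echo WARNING
    elif expires_within "$1" "$INFO_DAYS"; then echo INFO
    elif expires_within "$1" "$FINE_DAYS"; then echo FINE
    else echo OK
    fi
}

# cert_dn FILE: subject DN in RFC 2253 form, e.g. CN=gateway-a.example.test
cert_dn() {
    openssl x509 -noout -in "$1" -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# cert_thumbprint FILE: SHA-1 fingerprint of the DER encoding, colon-separated hex
cert_thumbprint() {
    openssl x509 -noout -in "$1" -fingerprint -sha1 | cut -d= -f2
}

# make_test_cert FILE KEYFILE DAYS CN: constructed self-signed test certificate.
# Reuses KEYFILE if it already exists, so a "renewal" keeps the same key.
make_test_cert() {
    if [ -f "$2" ]; then
        openssl req -x509 -new -key "$2" -out "$1" -subj "/CN=$4" -days "$3" >/dev/null 2>&1
    else
        openssl req -x509 -newkey rsa:2048 -nodes -keyout "$2" -out "$1" \
            -subj "/CN=$4" -days "$3" >/dev/null 2>&1
    fi
}

# Demo: an almost-expired certificate and its renewal (same DN, same key, later notAfter).
WORK=$(mktemp -d)
make_test_cert "$WORK/old.pem" "$WORK/peer.key" 1   gateway-a.example.test
make_test_cert "$WORK/new.pem" "$WORK/peer.key" 365 gateway-a.example.test
for f in "$WORK/old.pem" "$WORK/new.pem"; do
    printf '%-8s %s  %s\n' "$(expiry_level "$f")" "$(cert_thumbprint "$f")" "$(cert_dn "$f")"
done
# Prints WARNING for old.pem and OK for new.pem; the DN column is identical, the thumbprints differ.
```

Run it on a directory of exported trusted certificates to reproduce the Gateway's audit classification outside the cluster, for example from a monitoring job; because -checkend also fails for certificates that are already past notAfter, no separate "expired" test is needed.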
Select a task to perform:
  • Add a new trusted certificate to the trust store
  • Import certificates from a keystore
  • Remove a certificate from the trust store
  • View or edit certificate properties
  • Delete a certificate from the trust store
  • Export the certificate to a file
  • Configure how certificates are validated
  • Configure custom private keys
For information on the certificates required in each security domain in an identity bridging configuration, see Identity Bridging Requirements.