Manage Private Keys
The gateway can be configured to use customized private keys. These customized private keys can be used for SSL communication, outbound message signing, and inbound message decryption.
Layer7 API Gatewaycan be configured to use customized private keys. These customized private keys can be used for SSL communication, outbound message signing, and inbound message decryption.
Private keys are stored in the Gateway as PKCS#12 files or in an external SafeNet HSM network-attached Hardware Security Module. Once the keystore has been defined, you manage the private keys in the Policy Manager through the Manage Private Keys task.
The Manage Private Keys task lists all certificates installed on the Gateway cluster for which the Gateway possesses a copy of the private key. You can use this dialog to:
- Create a new private key
- Import a private key from another source
- Sign a certificate
- View the properties of an existing private key
- Display information about the configured keystore
You can use the Manage Private Keys task to create a private key with a certificate chain that is signed by a different local private key. If you need to do this:
1. Create two private keys, one CA-capable and the other not.
2. View the properties of the non-CA key and click [Generate CSR]. Save the CSR to a .pem file.
3. Returning to the Manage Private Keys dialog, select the CA key and click [Sign Cert].
4. Locate and open the .PEM file created in step 2.
5. Save the resulting certificate chain to a different .PEM file.
6. View the properties of the non-CA key again and this time click [Replace Certificate Chain].
7. Locate and open the .PEM file created in step 5.
You now have a CA-capable private key with a self-signed certificate and a non-CA key with a certificate signed by the CA key.
To manage private keys:
- In the Policy Manager, select [Tasks]> Certificates, Keys, and Secrets >Manage Private Keysfrom the Main Menu (on the browser client, from theManagemenu). The following icons provide more information about a key in the Manage Private Keys dialog:indicates a key with a CA (Certificate Authority)-capable certificate chainindicates a key with a certificate chain that is not CA-capableindicates the default CA keyindicates the default SSL keyFor more information about each of these keys, see Private Key Properties. This is where the default CA and SSL keys are set.
- Select a task to perform.To...SeeCreate a new private keyImport a private keySign a certificateView private key propertiesPrivate Key PropertiesThis allows you to access less frequently used actions such as generating a CSR, replacing the certificate chain, setting the key as the default SSL or CA key, or destroying the key.Manage KeystoreManage KeystoreThis is used to enable or disable the SafeNet Luna keystore (if installed).
- Click [Close] when done.