Look Up Certificate Assertion

The Look Up Certificate assertion is used to look up a certificate by a variety of methods and then store that certificate's value in a context variable for later use in the policy.
You can look up certificates by:
  • Name (trusted certificates only)
  • SHA1 Thumbprint
  • Subject Key ID
  • Subject DN
  • Issuer DN and Serial Number
The assertion can be configured to fail if more than one matching certificate is found.
Using the Assertion
This assertion can find the following types of certificates known to the API Gateway:
  • Trusted Certificate
  • User certificate
  • LDAP User shadow certificate (for more information, see "Trusted Gateway Accounts")
  • Certificate from LDAP certificate cache, if enabled
  • Subject certificate from any private key in the current API Gateway keystore
  1. Do one of the following:
    • To add the assertion to the Policy Development window, see Add an Assertion.
    • To change the configuration of an existing assertion, proceed to step 2 below.
  2. When adding the assertion, the Certificate Lookup Properties automatically appear. When modifying the assertion, right-click Look Up Certificate in the policy window and select Certificate Lookup Properties, or double-click the assertion in the policy window. The assertion properties are displayed.
  3. Configure the dialog as follows (setting, then its description):
     Look up Certificate by Name: For this option, enter the name of the trusted certificate to be looked up. This will be matched against the CN value of the trusted certificate. You may specify a context variable.
     Look up Certificate by ThumbprintSHA1: For this option, enter the SHA-1 thumbprint (as a Base-64 string) of the encoded certificate to be looked up. You may specify a context variable.
     Look up Certificate by Subject Key ID: For this option, enter the Subject Key ID (SKI) of the certificate to be looked up. You may specify a context variable.
     Look up Certificate by Subject DN: For this option, enter the Distinguished Name of the certificate subject to be looked up. You may specify a context variable.
     Look up Certificate by Issuer DN and Serial Number: For this option, enter the certificate issuer's Distinguished Name, as an RFC 2253 canonical string, and the certificate's Serial Number, as a decimal number, to be looked up. You may specify a context variable.
     Fail if multiple certificates are found: Select this check box to fail the assertion if multiple certificates with the specified name are found. Clear this check box to let the assertion succeed even if multiple certificates with the specified name are found; this is the default. The context variable specified under "Output Variable Name" below will not be populated if the assertion fails.
     Output Variable Name: For this option, enter the name of the context variable to be used to store the results of the lookup upon successful completion of the assertion. This variable will be of type X.509 Certificate. Note the following:
       • When looking up a trusted certificate by name, the context variable will be single-valued if one certificate is found or multivalued if multiple matching certificates are found.
       • When looking up any other certificate type, the context variable will always be single-valued and only the first matching certificate will be stored.
     The default variable name is certificate.
  4. Click [OK].
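The following Go program is an added worked example, not code from the API Gateway product or from this documentation. It shows the identifier forms the dialog asks for and the match semantics described above: a SHA-1 thumbprint computed over the DER-encoded certificate and rendered as a Base-64 string, the Subject Key ID, the subject and issuer DNs in RFC 2253 string form with the serial number as a decimal string, lookup by name returning every matching certificate (the multivalued case) while every other criterion keeps only the first match, and the "fail if multiple" rule applied before anything would be stored in the output variable. The certificate store, the function names, the standard Base-64 alphabet for the thumbprint, and the self-signed certificates generated in memory are all assumptions of this example, not the gateway's own API or data.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ErrMultipleMatches models "Fail if multiple certificates are found" being set.
var ErrMultipleMatches = errors.New("more than one certificate matched")

// Matcher is one lookup criterion, one per option in the dialog.
type Matcher func(*x509.Certificate) bool

// ThumbprintSHA1 is SHA-1 over the DER-encoded certificate, as a Base-64 string.
func ThumbprintSHA1(c *x509.Certificate) string {
	sum := sha1.Sum(c.Raw)
	return base64.StdEncoding.EncodeToString(sum[:])
}

func ByName(cn string) Matcher          { return func(c *x509.Certificate) bool { return c.Subject.CommonName == cn } }
func ByThumbprint(tp string) Matcher    { return func(c *x509.Certificate) bool { return ThumbprintSHA1(c) == tp } }
func BySubjectKeyID(ski []byte) Matcher { return func(c *x509.Certificate) bool { return bytes.Equal(c.SubjectKeyId, ski) } }
func BySubjectDN(dn string) Matcher     { return func(c *x509.Certificate) bool { return c.Subject.String() == dn } }

// ByIssuerAndSerial takes the issuer DN as an RFC 2253 string and the serial as decimal.
func ByIssuerAndSerial(issuerDN, serialDecimal string) (Matcher, error) {
	serial, ok := new(big.Int).SetString(serialDecimal, 10)
	if !ok {
		return nil, fmt.Errorf("serial %q is not a decimal number", serialDecimal)
	}
	return func(c *x509.Certificate) bool {
		return c.Issuer.String() == issuerDN && c.SerialNumber.Cmp(serial) == 0
	}, nil
}

// Lookup collects every match (the multivalued form used for lookup by name) and
// applies the multiple-match rule before any value would be stored.
func Lookup(store []*x509.Certificate, m Matcher, failIfMultiple bool) ([]*x509.Certificate, error) {
	var hits []*x509.Certificate
	for _, c := range store {
		if m(c) {
			hits = append(hits, c)
		}
	}
	if failIfMultiple && len(hits) > 1 {
		return nil, ErrMultipleMatches
	}
	return hits, nil
}

// LookupOne is the single-valued form used by every option other than name:
// only the first matching certificate is kept; nil means no match.
func LookupOne(store []*x509.Certificate, m Matcher, failIfMultiple bool) (*x509.Certificate, error) {
	hits, err := Lookup(store, m, failIfMultiple)
	if err != nil || len(hits) == 0 {
		return nil, err
	}
	return hits[0], nil
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// NewTestCert builds a constructed self-signed certificate that stands in for a
// trust-store entry; the CN, serial and SKI are demo values, not real data.
func NewTestCert(cn string, serial int64, ski []byte) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
		SubjectKeyId: ski,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	c, err := x509.ParseCertificate(der)
	must(err)
	return c
}

func main() {
	store := []*x509.Certificate{NewTestCert("gateway-partner", 1001, []byte{1}), NewTestCert("other-partner", 1003, []byte{3})}
	m, _ := ByIssuerAndSerial("CN=other-partner", "1003")
	c, _ := LookupOne(store, m, true)
	fmt.Println(c.Subject.CommonName, c.Subject.String(), ThumbprintSHA1(c))
}
```

Run it with go run; the two DN strings printed by Subject.String() are the RFC 2253 form to paste into the Subject DN and Issuer DN fields, and the last value is the thumbprint form the ThumbprintSHA1 field expects. Note that with "Fail if multiple certificates are found" cleared, a name lookup over a store holding two certificates with the same CN returns both, which is exactly the multivalued output variable the page describes.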