The Manage Certificates task is used to manage both HTTPS and LDAPS certificates. In an identity bridging configuration, certificates are imported into the Federated Gateway B trust store. The trust store is the repository for four types of certificates that may be required by the Federated Identity Provider in an identity bridging configuration:
- CA certificates used for signing client certificates
- SSL server certificates
- CA certificates used for signing SSL server certificates
- Certificates used for signing SAML assertions
The combination and purpose of certificates in the trust store are determined by the chosen credential source and optional configuration elements defined in Workflow Using an X.509 Certificate or Workflow Using SAML. In accordance with the workflow instructions, certificates belonging to the Trusted Gateway A authentication domain will typically be imported into the Federated Gateway B authorization domain using the Add Certificate Wizard.
Certificate Expiration Notification
In addition to the Expiration Date shown on the Manage Certificates dialog, the API Gateway can alert you if a trusted certificate has expired or will expire imminently. When the API Gateway is started, and every 12 hours thereafter (default setting), it checks for impending certificate expiration:
- If a certificate has expired or will expire within the configured WARNING period (by default, 2 days), a WARNING audit event is logged.
- If a certificate will expire within the configured INFO period (by default, 7 days), an INFO audit event is logged.
- If a certificate will expire within the configured FINE period (by default, 30 days), a FINE audit event is logged.
To set the configured warning periods, see the 'trustedCert' properties under View Gateway Audit Events.
Expired certificates are highlighted in red on the Manage Certificates dialog.
If the API Gateway is a cluster, multiple audit events warning you of the same certificate expiration may be logged.
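The following is an added example, not code from the API Gateway or its vendor, that reproduces the documented expiry check over constructed trust-store records: expired or imminently expiring certificates fall into WARNING, then INFO and FINE by the default 2/7/30-day periods, and a small helper collapses the duplicate events a cluster produces. The `TrustedCert` record, the DNs, thumbprints and dates are all made up for the example; the real period settings are the 'trustedCert' audit properties, whose exact names are not shown here, and the thresholds are assumed to be inclusive.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Tuple

# Default periods in days, as documented. The real values come from the
# 'trustedCert' audit properties; their exact names are not reproduced here.
DEFAULT_PERIODS: Dict[str, int] = {"WARNING": 2, "INFO": 7, "FINE": 30}


@dataclass(frozen=True)
class TrustedCert:
    """Constructed stand-in for a trust-store entry (not a parsed X.509 object)."""
    subject_dn: str
    thumbprint_sha1: str   # hex digest; constructed values below
    not_after: datetime    # expiry, timezone-aware


Event = Tuple[str, str, str, int]   # (level, thumbprint, subject DN, days left)


def audit_level(cert: TrustedCert, now: datetime,
                periods: Dict[str, int] = DEFAULT_PERIODS) -> Optional[str]:
    """Map remaining lifetime to the documented audit level, or None.

    Thresholds are treated as inclusive ("within N days"); an already expired
    certificate has negative remaining time and therefore lands in WARNING.
    """
    remaining = cert.not_after - now
    if remaining <= timedelta(days=periods["WARNING"]):
        return "WARNING"
    if remaining <= timedelta(days=periods["INFO"]):
        return "INFO"
    if remaining <= timedelta(days=periods["FINE"]):
        return "FINE"
    return None


def expiry_sweep(certs: Iterable[TrustedCert], now: datetime,
                 periods: Dict[str, int] = DEFAULT_PERIODS) -> List[Event]:
    """One pass of the check the gateway runs at startup and every 12 hours."""
    events: List[Event] = []
    for cert in certs:
        level = audit_level(cert, now, periods)
        if level is not None:
            days_left = (cert.not_after - now).days
            events.append((level, cert.thumbprint_sha1, cert.subject_dn, days_left))
    return events


def dedupe_cluster_events(per_node_events: Iterable[List[Event]]) -> List[Event]:
    """Collapse the duplicate events a cluster produces (one per node) so a
    downstream alert fires once per certificate and level."""
    seen: Dict[Tuple[str, str], Event] = {}
    for events in per_node_events:
        for ev in events:
            seen.setdefault((ev[0], ev[1]), ev)
    return list(seen.values())


# Constructed sample data: DNs, thumbprints and dates are made up.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_CERTS = [
    TrustedCert("CN=idp.example.test,O=Example", "aa" * 20, NOW - timedelta(days=1)),
    TrustedCert("CN=ldap.example.test,O=Example", "bb" * 20, NOW + timedelta(days=2)),
    TrustedCert("CN=saml-signer,O=Example", "cc" * 20, NOW + timedelta(days=5)),
    TrustedCert("CN=Example Root CA,O=Example", "dd" * 20, NOW + timedelta(days=20)),
    TrustedCert("CN=Example Issuing CA,O=Example", "ee" * 20, NOW + timedelta(days=90)),
]

if __name__ == "__main__":
    for level, tp, dn, days in expiry_sweep(SAMPLE_CERTS, NOW):
        print(f"{level:8} {dn} (sha1 {tp[:8]}...) expires in {days} day(s)")
```

Keying the de-duplication on level and thumbprint rather than on DN matters when a renewed certificate shares its DN with the one it replaces: the two versions expire at different times and should be tracked separately.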
To manage certificates
- In the Policy Manager, select [Tasks] > Certificates, Keys, and Secrets > Manage Certificates from the Main Menu (on the browser client, from the Manage menu). The Manage Certificates dialog appears.
Certificates that have expired are shown in red. If there are expired certificates currently scrolled out of view, the Manage Certificates dialog will warn you with the message:
Caution! Some certificate(s) have expired.
It is possible to have multiple trusted certificates with the same DN, provided that the SHA-1 thumbprints differ. This allows you to trust a renewed version of a given certificate (that is, a certificate with the same DN, typically the same key, but a new certificate with a later expiry date) while still trusting the older version of the certificate up until its expiry date. This is useful when dealing with peers that do not yet have the latest version of the certificate.
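As an added example (not the product's own code) of the rule just described, the trust store below is keyed on the SHA-1 thumbprint of the certificate bytes rather than on the DN, so a renewed certificate with the same DN is accepted while an exact duplicate is rejected, and the old version keeps being trusted until it expires. The `TrustedCert` record, the DN and the byte strings standing in for DER encodings are constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List


@dataclass(frozen=True)
class TrustedCert:
    """Constructed stand-in for a trusted certificate entry."""
    subject_dn: str
    der: bytes          # stand-in for the DER encoding (constructed bytes below)
    not_after: datetime

    @property
    def thumbprint_sha1(self) -> str:
        # The thumbprint shown in the dialog is SHA-1 over the DER certificate.
        return hashlib.sha1(self.der).hexdigest()


class TrustStore:
    """Trust store keyed on SHA-1 thumbprint, so a renewed certificate with the
    same DN coexists with the version it replaces."""

    def __init__(self) -> None:
        self._entries: Dict[str, TrustedCert] = {}

    def add(self, cert: TrustedCert) -> bool:
        """Return False if an entry with the same thumbprint already exists."""
        tp = cert.thumbprint_sha1
        if tp in self._entries:
            return False
        self._entries[tp] = cert
        return True

    def trusted_for_dn(self, dn: str, now: datetime) -> List[TrustedCert]:
        """Unexpired entries for a DN, latest expiry first. Expired versions stay
        in the store (the dialog shows them in red) but are not returned."""
        live = [c for c in self._entries.values()
                if c.subject_dn == dn and c.not_after > now]
        return sorted(live, key=lambda c: c.not_after, reverse=True)

    def __len__(self) -> int:
        return len(self._entries)


# Constructed scenario: the old and renewed certificate share a DN but differ
# in bytes, and therefore in thumbprint.
DN = "CN=partner-idp.example.test,O=Example"
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
OLD_CERT = TrustedCert(DN, b"constructed-old-cert-bytes", T0 + timedelta(days=30))
NEW_CERT = TrustedCert(DN, b"constructed-renewed-cert-bytes", T0 + timedelta(days=395))


def renewal_scenario():
    """Add old, renewed and a duplicate of old; report what is trusted before
    and after the old certificate expires."""
    store = TrustStore()
    added = [store.add(OLD_CERT), store.add(NEW_CERT), store.add(OLD_CERT)]
    before = [c.thumbprint_sha1 for c in store.trusted_for_dn(DN, T0)]
    after = [c.thumbprint_sha1
             for c in store.trusted_for_dn(DN, T0 + timedelta(days=31))]
    return added, before, after


if __name__ == "__main__":
    added, before, after = renewal_scenario()
    print("add results:", added)
    print("trusted at T0:", before)
    print("trusted at T0+31d:", after)
```

Because the lookup is by DN but trust is decided per thumbprint, a peer that still presents the older certificate is accepted until that certificate's own expiry date, which is the behaviour the text describes for peers that have not yet picked up the renewed version.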
Select a task to perform:
- Add a new trusted certificate to the trust store
- Import certificates from a keystore
- Remove a certificate from the trust store
- View or edit certificate properties
- Delete a certificate from the trust store
- Export the certificate to a file
- Configure how certificates are validated
- Configure custom private keys
For information on the certificates required in each security domain in an identity bridging configuration, see Identity Bridging Requirements.