Certificate rollover

The certificate rollover feature adds functionality to Sterling B2B Integrator, such as notifying that a certificate is nearing expiration and verifying that the Certificate Logical Identification Data (CLID) entries of a certificate received from a trading partner match the existing CLID entries.

The certificate rollover feature adds the following functions to Sterling B2B Integrator:
  • Notifying an administrator or user that a certificate is nearing expiration.
  • Verifying that the Certificate Logical Identification Data (CLID) entries of the certificate received from a trading partner are the same as the CLID entries of the existing certificate.
  • Importing the certificate into the local certificate store.
  • Associating the new certificate with the existing certificate based on the CLID information of the certificates.
The following is the sequence of events that occur during certificate rollover:
  1. The administrator configures and schedules the oftpCheckCertNotification BP.
  2. The oftpCheckCertNotification BP checks for certificates with SENT status that are nearing expiration.
  3. The BP notifies the administrator through an email that a particular certificate is nearing expiration. The status of the certificate that is nearing expiration is changed from SENT to ROLLOVER in the certificate_mapping table.
    Note: By default, the notification is sent 30 days in advance of the certificate expiry date. An administrator can configure the time period by modifying the param1 value of the LightweightJDBCAdapterQuery operation in the oftpCheckCertNotification BP.
  4. The administrator requests a new certificate from the certificate issuer or the certificate authority (CA).
    Note: Requesting a new certificate is outside the scope of Sterling B2B Integrator.
  5. After the new certificate is received, the administrator saves it in the local certificate store and sends the new certificate to the trading partners.
    Note: If the CLID information for the new certificate is different from the existing information, the administrator must send the new CLID information to the trading partner before sending the certificate.
The following is the sequence of events that occur when Sterling B2B Integrator receives a certificate from a trading partner:
  1. CLID entries of the certificate, such as issuer, subject, FQDHN, IP address, key usage, and extended key usage, are verified against the CLID entries of the existing certificate.
    Note: If the CLID information of the new certificate is different from the existing information, then the trading partner who is sending the new certificate sends the CLID information first. The new CLID information must be added to the system and associated with the existing certificate using the Associate CLID list in the Odette FTP CLID page. When the new certificate is received, it is associated with the new CLID.
  2. After successful verification of the CLID entries (or association, in the case of new CLID information), the certificate is imported into the local certificate store under the name OldName-<New Serial Number> and associated with the existing certificate.

In the UI, the new certificate name is displayed in parentheses next to the existing certificate name. For example, if the name of the existing certificate is c1 and the name of the new certificate is c2, then the names are displayed as c1(c2) in the UI. This depiction indicates that the certificates are associated with each other. Both certificates are valid during the rollover period. The system starts to use the new certificate after the existing certificate expires. After the existing certificate expires, the checkexpiredcertnotification BP notifies the administrator that the certificate has expired.
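As an added illustration (this is not code from Sterling B2B Integrator), the following Python model works through both sequences above on constructed data: the 30-day expiry check that moves a SENT certificate to ROLLOVER, the CLID comparison when a partner certificate arrives, the pre-association of a changed CLID, the OldName-<New Serial Number> naming, the c1(c2) display form, and the switch to the new certificate once the existing one expires. The field names, status strings, function names and sample values are assumptions made for the example; the product keeps this state in its certificate_mapping table, which the example replaces with in-memory objects.

```python
# Added example, not Sterling B2B Integrator code: an in-memory model of the
# certificate rollover checks described on the page, using constructed data.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# The page lists these CLID entries; the dictionary keys are assumed names.
CLID_FIELDS = ("issuer", "subject", "fqdhn", "ip_address",
               "key_usage", "extended_key_usage")

# Page default: notify 30 days before expiry (param1 of the BP query in the product).
DEFAULT_NOTIFY_DAYS = 30


@dataclass
class Certificate:
    name: str
    serial: str
    not_after: date
    clid: dict
    status: str = "SENT"                      # SENT -> ROLLOVER, as on the page
    associated_clids: list = field(default_factory=list)  # CLIDs pre-associated by the admin
    successor: Optional["Certificate"] = None  # the new certificate, once imported


def is_nearing_expiry(cert: Certificate, today: date, days: int = DEFAULT_NOTIFY_DAYS) -> bool:
    """True when a SENT certificate expires within the notification window."""
    return cert.status == "SENT" and today >= cert.not_after - timedelta(days=days)


def check_cert_notification(certs, today: date, days: int = DEFAULT_NOTIFY_DAYS) -> list:
    """Model of oftpCheckCertNotification: flip SENT -> ROLLOVER, return names to notify."""
    notified = []
    for cert in certs:
        if is_nearing_expiry(cert, today, days):
            cert.status = "ROLLOVER"
            notified.append(cert.name)
    return notified


def clid_mismatches(existing_clid: dict, received_clid: dict) -> list:
    """CLID fields whose values differ; an empty list means verification passes."""
    return [f for f in CLID_FIELDS if existing_clid.get(f) != received_clid.get(f)]


def associate_clid(cert: Certificate, new_clid: dict) -> None:
    """Partner sends changed CLID data first; the admin associates it with the existing cert."""
    cert.associated_clids.append(dict(new_clid))


def receive_partner_certificate(existing: Certificate, serial: str,
                                not_after: date, received_clid: dict) -> Certificate:
    """Verify the CLID (or a pre-associated CLID), then import and associate the new cert."""
    mismatches = clid_mismatches(existing.clid, received_clid)
    if mismatches and received_clid not in existing.associated_clids:
        raise ValueError("CLID verification failed on: " + ", ".join(mismatches))
    new_cert = Certificate(name=f"{existing.name}-{serial}", serial=serial,
                           not_after=not_after, clid=dict(received_clid))
    existing.successor = new_cert
    return new_cert


def display_name(cert: Certificate) -> str:
    """UI form: existing name with the associated new name in parentheses, e.g. c1(c2)."""
    return f"{cert.name}({cert.successor.name})" if cert.successor else cert.name


def certificate_in_use(cert: Certificate, today: date) -> Certificate:
    """Both are valid during rollover; the new one is used after the existing one expires."""
    if cert.successor and today > cert.not_after:
        return cert.successor
    return cert


# Constructed sample CLID data (not real partner values).
SAMPLE_CLID = {"issuer": "CN=Example Partner CA", "subject": "CN=partner.example",
               "fqdhn": "oftp.partner.example", "ip_address": "192.0.2.10",
               "key_usage": "digitalSignature", "extended_key_usage": "clientAuth"}


if __name__ == "__main__":
    today = date(2024, 6, 1)
    c1 = Certificate("c1", "1001", date(2024, 6, 20), dict(SAMPLE_CLID))
    print("notify:", check_cert_notification([c1], today), "status:", c1.status)
    new = receive_partner_certificate(c1, "2002", date(2025, 6, 20), SAMPLE_CLID)
    print("imported as:", new.name, "displayed as:", display_name(c1))
    print("in use after expiry:", certificate_in_use(c1, date(2024, 7, 1)).name)
```

The model deliberately fails closed: a received certificate whose CLID differs is rejected unless the administrator has associated the changed CLID beforehand, which is the ordering the page requires of the trading partner.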