Generating keys and certificates

How to generate keys and certificates.

About this task

You can generate a private cryptographic key and self-signed certificate. The certificate signing request (CSR) that the certificate authority (CA) needs is created by default.

You can generate an RSA key or ECDSA key.
  • If you generate an RSA key, you must define the key length and the hash algorithm of the generated RSA keys.
  • If you generate an ECDSA key, you must define the elliptic curve to use to generate the ECDSA keys. ECDSA keys are not supported on HSM-equipped appliances.
The Configuration file field specifies an OpenSSL CNF file. This file consists of delimited sections that use a section name that is enclosed in brackets. Each section can contain one or more properties. Some of these properties are allowed to exist outside of any section definition. As such, they are considered global. The action does not read global properties. The action reads the [req] section of the configuration file but is limited to the reading of only the following properties of the [req] section. Each of these properties can define a section of its own except for string_mask that must be either utf8only or nombstr.
[req]
  [distinguished_name]
  [attributes]
  [req_extensions]
  [x509_extensions]
  string_mask

For an HSM-equipped appliance, the private key is exportable with an HSM-generated key-wrapping key. A key-wrapping key is a key that encrypts another key.

  • If a file is stored in the cert: directory, you cannot edit it.
  • If a file is stored in the local: or temporary: directory, you can edit it.
  • If the file is stored on the HSM, which is represented as the hsm://hsm3/ directory, you cannot edit it.

Procedure

  1. In the search field, enter crypto.
  2. From the search results, click Crypto tools.
  3. Define the LDAP entry.
    1. Set the LDAP (reverse) order of RDNs property to indicate whether to create the LDAP entry in reverse RDN order.
      The default behavior is to create the entry in forward RDN order, not in reverse RDN order.
    2. Optional: In the Country name (C) field, enter a country name.
    3. Optional: In the State or province (ST) field, enter a state name or a province name.
    4. Optional: In the Locality (L) field, enter a locality name.
    5. Optional: In the Organization (O) field, enter the name of an organization.
    6. Optional: In the Organizational unit (OU) field, enter the name of an organizational unit.
    7. Optional: In the Organizational unit 2 (OU), Organizational unit 3 (OU), and Organizational unit 4 (OU) fields, enter the names of more organizational units.
    8. In the Common name (CN) field, enter a common name.
  4. From the Key type list, select the type of key to generate.
  5. Define the key-type specific characteristics to use to generate the key.
    • For an RSA key, select the key length and hash algorithm.
    • For an ECDSA key, select the elliptic curve. This key type is not supported on an HSM-equipped appliance.
  6. In the File name field, enter the name of the key file to generate.
    The value takes the directory:///name form. Leave blank to allow the action to create the name.
  7. In the Validity period field, enter the duration that the key is valid.
  8. From the Password alias list, select the password alias map that defines the alias that maps to the cleartext password.
    The password in the map encrypts the files, and the alias in the map decrypts the password to access the file.
  9. Set the Export private key property to indicate whether the action writes the key file to the temporary: directory.
    The default behavior is to not write the key file to the temporary: directory.
  10. Set the Generate self-signed certificate property to indicate whether the action creates a self-signed certificate that matches the key.
    The default behavior is to create a self-signed certificate.
  11. Set the Export self-signed certificate property to indicate whether the action writes the self-signed certificate to the temporary: directory.
    The default behavior is to write the self-signed certificate to the temporary: directory.
  12. Set the Generate key and certificate objects property to indicate whether the action automatically creates the configurations from the generated files.
    The default behavior is to create objects from the generated files.
  13. In the Object name field, enter the name to use for the key and certificate. Leave blank to allow the action to generate the names from the input information based on the Common name (CN) or File name property.
  14. Set the Generate key on HSM property to indicate whether to create the key on the HSM.
    This property is meaningful only on an HSM-equipped appliance.
    • When set, creates the key on the HSM. The file name (URL) for the key has the hsm://hsm3/name format.
    • When not set, creates the key in the DataPower file system. The file name (URL) for the key has the cert:///name format.
  15. In the Using existing key object field, enter the name of an existing key alias.
    If supplied and valid, the action generates a new certificate and a new CSR that is based on the key in the identified key alias. In this case, a new key is not generated.
  16. In the Configuration file field, specify the configuration file in the temporary: directory to read the DN and OIDs from. The configuration file must be in the OpenSSL CNF format. This property is relevant when you indicate to generate a CSR or self-signed certificate.
    When you specify the Configuration file property, one of the following properties must be specified.
    • Common name (CN)
    • File name
    • Object name
  17. Click Generate key to generate a private key and, if requested, a self-signed certificate.
    A CSR is created automatically.
  18. Follow the prompts.

Results

The CSR can be submitted to a CA to receive a certificate that is based on this private key. This action creates the following files and configurations.
  • Creates the private key file in the cert: directory. For example, cert:///sample-privkey.pem.
  • Creates the CSR in the temporary: directory. For example, temporary:///sample.csr.
  • When the Generate self-signed certificate property is enabled, create a self-signed certificate in the cert: directory. For example, cert:///sample-sscert.pem.
  • When the Export self-signed certificate property is enabled, create a copy of the self-signed certificate in the temporary: directory. For example, temporary:///sample-sscert.pem.
  • When the Generate key and certificate objects property is enabled, create a key and certificate aliases.
When the action creates a self-signed certificate, you can use this certificate-key pair for the following purposes.
  • Establish identification credentials.
  • Encrypt or decrypt XML documents.