Generating keys and certificates
How to generate keys and certificates.
About this task
You can generate a private cryptographic key and self-signed certificate. The certificate signing request (CSR) that the certificate authority (CA) needs is created by default.
You can generate an RSA key or ECDSA key.
- If you generate an RSA key, you must define the key length and the hash algorithm of the generated RSA keys.
- If you generate an ECDSA key, you must define the elliptic curve to use to generate the ECDSA keys. ECDSA keys are not supported on HSM-equipped appliances.
For an HSM-equipped appliance, the private key is exportable with an HSM-generated key-wrapping key. A key-wrapping key is a key that encrypts another key.
- If a file is stored in the cert: directory, you cannot edit it.
- If a file is stored in the local: or temporary: directory, you can edit it.
- If the file is stored on the HSM, which is represented as the hsm://hsm3/ directory, you cannot edit it.
Procedure
Results
The CSR can be submitted to a CA to receive a certificate that is based on this private key. This action creates the following files and configurations.
- Creates the private key file in the cert: directory. For example, cert:///sample-privkey.pem.
- Creates the CSR in the temporary: directory. For example, temporary:///sample.csr.
- When the Generate self-signed certificate property is enabled, creates a self-signed certificate in the cert: directory. For example, cert:///sample-sscert.pem.
- When the Export self-signed certificate property is enabled, creates a copy of the self-signed certificate in the temporary: directory. For example, temporary:///sample-sscert.pem.
- When the Generate key and certificate objects property is enabled, creates key and certificate aliases.
When the action creates a self-signed certificate, you can use this certificate-key pair for the following purposes.
- Establish identification credentials.
- Encrypt or decrypt XML documents.
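Before the CSR goes to a CA, it is worth confirming that it is intact and that it carries the same public key as the exported self-signed certificate. The following check is an added example, not part of the product documentation. It assumes OpenSSL on a workstation and local copies of the files from the temporary: directory; the function names are hypothetical. The private key is not needed.

```shell
#!/bin/sh
# Added example, not product code. Assumes OpenSSL on a workstation and local
# copies of temporary:///sample.csr and temporary:///sample-sscert.pem.
# All function names are hypothetical.

# Hash algorithm and signature scheme used to sign the CSR.
csr_sig_alg() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Public key size in bits (RSA modulus length or ECDSA curve size).
csr_key_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Succeeds only if the CSR self-signature verifies and the CSR carries the
# same public key as the certificate. $1 = CSR file, $2 = certificate file.
check_csr_matches_cert() {
    # Match on the message text: some OpenSSL releases exit 0 even when
    # CSR verification fails.
    if ! openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'; then
        echo "FAIL: CSR self-signature does not verify: $1"
        return 1
    fi
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null)
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    if [ -z "$crt_pub" ] || [ "$csr_pub" != "$crt_pub" ]; then
        echo "FAIL: CSR and certificate hold different public keys"
        return 1
    fi
    echo "OK: $(csr_key_bits "$1")-bit key, signed with $(csr_sig_alg "$1")"
}

# Run the check when the script is given a CSR and a certificate path.
if [ "$#" -eq 2 ]; then
    check_csr_matches_cert "$1" "$2"
fi
```

The reported key size and signature algorithm should match the key length and hash algorithm that were chosen when the key was generated.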