Managing certificates
Certificates are used to sign, validate, encrypt, and decrypt various objects such as SAML assertions and OAuth and OpenID Connect JSON Web Tokens (JWT).
Before you begin
- You must have administrative permission to complete this task.
- Log in to the IBM® Security Verify administration console as an Administrator.
About this task
- Personal certificate
A digital trust certificate that a client or server gives to other clients or servers for authentication.
The personal certificate contains both a signer certificate or public key and a private key for signing and encrypting data.
The identity provider always signs its SAML authentication response. When you configure SAML single sign-on, you must provide the service provider with the signer certificate or public key component of the personal certificate. This information validates the identity of the identity provider. The signer certificate or public key of the personal certificate is automatically populated in the
instructions. The certificate is also used to sign ID tokens for OIDC single sign-on applications.
Verify includes a personal certificate. However, this certificate is intended only for demonstration, proof of concept, or proof of technology purposes. Do not use the supplied certificate in a production environment. Add a different personal certificate during the initial Verify setup.
You can add several personal certificates, but you must always have one certificate:
- With Friendly Name set as server.
- Set as default. Only the default certificate is used to sign the SAML authentication response.
When the default personal certificate is about to expire, make sure that you change it and then reconfigure single sign-on for every application that used the public key of that personal certificate. Otherwise, single sign-on stops working, because the public key that the application holds no longer matches the new default personal certificate.
- Signer certificate
A digital trust certificate that is generated and provided by the service provider and is specific to the target application account or instance.
The signer certificate contains the public key that is associated with the personal certificate of the target application, and it is used to validate and trust the issuer of that certificate. Verify uses this certificate to validate the signed SAML authentication request that it receives from the target application and to indicate that Verify trusts the target application.
If the service provider signs its SAML authentication request, it provides its signer certificate. You can typically get the signer certificate details from the service provider metadata. Import it in Verify before you configure SAML single sign-on for the target application.
If the service provider does not sign its SAML authentication request, it does not provide a signer certificate.
You can add several signer certificates.
Note: When you add a SAML enterprise identity provider, its signer certificate is automatically imported into this page.
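The following POSIX shell functions are an added example, not part of Verify or this documentation, and assume only that the openssl CLI is installed. They demonstrate the checks behind the personal certificate guidance above: exporting the public component that a service provider needs, confirming that a certificate and private key belong together, and flagging a default certificate that is about to expire and therefore needs rotation and reconfiguration of the applications that hold its public key.

```shell
#!/bin/sh
# Added example (not IBM Verify code). Assumes the openssl CLI is installed.
# In the text above, a "personal certificate" is a certificate plus its private
# key; the certificate alone is the "signer certificate / public key" component.

# Print the public component of a personal certificate, which is what a
# service provider needs to validate Verify's signed SAML responses.
signer_component() {
  openssl x509 -in "$1" -outform PEM
}

# Return 0 when the certificate's public key matches the private key, i.e.
# the two halves really form one personal certificate.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when the certificate is still valid in $2 days. A non-zero result
# means it is time to change the default certificate and reconfigure every
# single sign-on application that holds its public key.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Constructed fixture: a throwaway self-signed certificate and key, valid for
# $2 days, written to directory $1. For demonstration only.
make_demo_personal_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=verify-demo-signer" \
    -days "$2" -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Stand-alone run: build a demo certificate that expires in 10 days and
# report the two checks a rotation review would make.
demo() {
  dir=$(mktemp -d)
  make_demo_personal_cert "$dir" 10
  cert_matches_key "$dir/cert.pem" "$dir/key.pem" && echo "key matches certificate"
  cert_valid_for_days "$dir/cert.pem" 30 || echo "expires within 30 days: rotate it"
  signer_component "$dir/cert.pem" | head -n 1
  rm -rf "$dir"
}

demo
```

Run the script as-is to see the demo output; reuse the three check functions against your own PEM files before you upload a new default personal certificate.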