Creating a certificate database

To create a certificate database with the local management interface, use the SSL Certificates management page.

Procedure

  1. From the menu, select System > Secure Settings > SSL Certificates.
  2. From the menu bar, click New.
  3. On the Create SSL Certificate Database page, enter the name of the certificate database that you want to create. The name must be unique.
  4. Select the type of the certificate database.
    • If you select Local as the type, you can go to Step 5.
    • If you select Network as the type, complete the following fields:
      1. On the Main tab, complete the Token Label and Passcode fields.
      2. Select the HSM type.
        • If you select nCipher nShield Connect as the HSM type, complete the following fields:
          1. On the HSM tab, the HSM IP Address field for the primary HSM device is required. The rest of the fields are optional. You can also provide details of a secondary HSM device. The secondary device can be used for load balancing and failover.
          2. On the RFS tab, if you select Automatic, enter the address of the remote file system that stores the key files. The rest of the fields are optional. If you select Manual Upload, click Browse to select the .zip file that contains the needed key files. The contents of the .zip file are extracted and stored on the local file system.
            Note:
            • The nCipher nShield Connect integration is only available if you first install the 'IBM® Verify Identity Access nCipher nShield Connect HSM Extension'. This extension is available for download from the IBM Security App Exchange (https://apps.xforce.ibmcloud.com/).
            • If the files in the remote file system are changed and you selected the Manual Upload option, you must manually upload an updated .zip file. The updated .zip file overwrites existing file entries but does not delete missing file entries.
        • If you select SafeNet Luna SA as the HSM type, complete the IP Address and Admin Password fields on the SafeNet tab.
          Note: The SafeNet integration is only available if you first install the 'IBM Verify Identity Access SafeNet Luna Network HSM Extension'. This extension is available for download from the IBM Security App Exchange (https://apps.xforce.ibmcloud.com/). You can then use the appliance to manage the certificates that are contained on the HSM device. However, some operations, such as certificate extract, are not supported.
        • If you select SafeNet Luna High Availability as the HSM type, complete the SafeNet Keystore List, Recovery Mode, Retry Count, and HA Log Size fields on the SafeNet High Availability tab.
          Note: SafeNet High Availability is only available if you first install the 'IBM Verify Identity Access SafeNet Luna Network HSM Extension'. This extension is available for download from the IBM Security App Exchange (https://apps.xforce.ibmcloud.com/). You must configure one or more SafeNet devices before a High Availability group can be configured.
  5. Click Save.
    Note: For the changes to take effect, they must be deployed as described in Configuration changes commit process.
    Note: Changes to HSM keystores do not trigger restarts of Verify Identity Access components as changes to local databases do. If an HSM keystore is modified, any components that are using the modified keystore must be manually restarted or reloaded for the changes to take effect.
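The Manual Upload note in step 4 states that an updated .zip overwrites existing key-file entries but does not delete entries that are missing from it. The following added example (not IBM's code, and not how the appliance implements the upload) models that merge rule over a constructed keystore directory and returns the files the upload left untouched, so an administrator can review stale key files after each upload; all file names and contents are constructed, and the traversal check is an assumption of this example.

```python
# Added example, not IBM code: overwrite-but-never-delete merge of an uploaded .zip.
import io
import os
import tempfile
import zipfile


def build_zip(entries):
    # Build an in-memory .zip from {name: bytes} (constructed sample upload).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def apply_manual_upload(zip_bytes, keystore_dir):
    """Extract zip_bytes into keystore_dir; entries overwrite files, nothing is deleted.
    Returns (overwritten, added, stale): entries replaced, entries newly written, and
    files already on disk that the upload did not mention (candidates for review)."""
    root = os.path.realpath(keystore_dir)
    existing = {os.path.relpath(os.path.join(d, f), root).replace(os.sep, "/")
                for d, _, files in os.walk(root) for f in files}
    overwritten, added, uploaded = [], [], set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            dest = os.path.realpath(os.path.join(root, info.filename))
            if not dest.startswith(root + os.sep):  # reject entries escaping the dir
                raise ValueError(f"refusing entry outside keystore dir: {info.filename}")
            uploaded.add(info.filename)
            (overwritten if info.filename in existing else added).append(info.filename)
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with open(dest, "wb") as fh:
                fh.write(zf.read(info))
    return sorted(overwritten), sorted(added), sorted(existing - uploaded)


def demo():
    # Constructed keystore with two files; the upload replaces one and adds one.
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "kmdata", "local"))
        for name in ("world", "key_pkcs11_old"):
            with open(os.path.join(d, "kmdata", "local", name), "wb") as fh:
                fh.write(b"v1")
        upload = build_zip({"kmdata/local/world": b"v2",
                            "kmdata/local/key_pkcs11_new": b"v1"})
        return apply_manual_upload(upload, d)
```

The stale list is where a key file that was removed on the remote file system would still show up locally after a Manual Upload.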