Managing certificates

Certificates are used to sign, validate, encrypt, and decrypt various objects such as SAML assertions and OAuth and OpenID Connect JSON Web Tokens (JWT).

Before you begin

  • You must have administrative permission to complete this task.
  • Log in to the IBM® Security Verify administration console as an Administrator.
Note: If a CA-signed certificate is used, all the intermediate and root certificates in the chain must be imported into the IBM Security Verify truststore. The CA-signed certificate should have a valid CRL defined, and the CRL site should be accessible.
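The following shell script, added here and not part of the IBM documentation, uses OpenSSL to build a throwaway root, intermediate and leaf chain and shows what the note means in practice: a truststore that holds only the root cannot validate the leaf until the intermediate is imported as well. It also prints the CRL distribution point carried by the leaf, which is the URL that must be reachable. All subjects, file names and the CRL URL are constructed for the demo, and OpenSSL 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example, not part of the IBM documentation. Builds a throwaway chain
# (root CA -> intermediate CA -> leaf) with OpenSSL and shows that a truststore
# holding only the root cannot validate the leaf: the intermediate must be
# imported too. Subjects, file names and the CRL URL are constructed for the demo.
set -eu
WORK="$(mktemp -d)"
cd "$WORK"

# Extension profiles. CA certificates must carry basicConstraints CA:TRUE; the
# leaf advertises a CRL distribution point, the site that the note requires to be reachable.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\ncrlDistributionPoints=URI:http://crl.example.com/demo-int.crl\n' > leaf.ext

# 1. Self-signed root CA (CSR signed with its own key).
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj '/CN=Demo Root CA/O=Example Org/C=US' >/dev/null 2>&1
openssl x509 -req -in root.csr -signkey root.key -days 3650 \
  -extfile ca.ext -out root.pem >/dev/null 2>&1

# 2. Intermediate CA, signed by the root.
openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -subj '/CN=Demo Intermediate CA/O=Example Org/C=US' >/dev/null 2>&1
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1825 -extfile ca.ext -out int.pem >/dev/null 2>&1

# 3. Leaf certificate (stands in for a service provider's signer certificate),
#    signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj '/CN=sp.example.com/O=Example Org/C=US' >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 365 -extfile leaf.ext -out leaf.pem >/dev/null 2>&1

# Two candidate truststores: the root alone, and the root plus the intermediate.
cp root.pem trust_root_only.pem
cat root.pem int.pem > trust_full_chain.pem

# verify_leaf TRUSTSTORE: exit 0 when leaf.pem chains to a trusted root using
# only the certificates in TRUSTSTORE, non-zero otherwise.
verify_leaf() {
  openssl verify -CAfile "$1" leaf.pem >/dev/null 2>&1
}

# crl_points CERT: prints the CRL distribution point(s) embedded in CERT.
crl_points() {
  openssl x509 -in "$1" -noout -ext crlDistributionPoints
}

if verify_leaf trust_root_only.pem; then
  echo "root only:  OK (unexpected)"
else
  echo "root only:  FAILED, intermediate missing from truststore"
fi
if verify_leaf trust_full_chain.pem; then
  echo "full chain: OK"
else
  echo "full chain: FAILED"
fi
crl_points leaf.pem
```

The failing first check is the symptom to expect when only the CA's root is imported: the chain cannot be built, so the service provider's signed request is rejected. Importing the intermediate alongside the root resolves it.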

About this task

Verify uses the following certificates:
Personal certificate

A digital trust certificate that a client or server gives to other clients or servers for authentication.

The personal certificate contains both a signer certificate or public key and a private key for signing and encrypting data.

The identity provider always signs its SAML authentication response. When you configure SAML single sign-on, you must provide the service provider with the signer certificate or public key component of the personal certificate. This information validates the identity of the identity provider. The signer certificate or public key of the personal certificate is automatically populated in the Applications > Sign-on instructions.

The certificate is also used to sign ID tokens for OIDC single sign-on applications.

Verify includes a personal certificate. However, this certificate is intended only for demonstration, proof of concept, or proof of technology purposes. Do not use the supplied certificate in a production environment. Add a different personal certificate during the initial Verify setup.

You can add several personal certificates but you must always have one certificate:
  • With Friendly Name set as server.
  • Set as default. Only the default certificate is used to sign the SAML authentication response.

When the default personal certificate is about to expire, make sure that you change it and then reconfigure single sign-on for every application that used the public key of that personal certificate. Otherwise, the single sign-on configuration stops working, because the public key that the application holds no longer matches the new default personal certificate.

Signer certificate

A digital trust certificate that the service provider generates and provides; it is specific to the target application account or instance.

The signer certificate contains the public key that is associated with the personal certificate of the target application. The signer certificate validates and trusts the issuer of the certificate. Verify uses this certificate to validate the signed SAML authentication request that it receives from the target application and to indicate that Verify trusts the target application.

If the service provider signs its SAML authentication request, it provides its signer certificate. You can typically get the signer certificate details from the service provider metadata. Import it in Verify before you configure SAML single sign-on for the target application.

If the service provider does not sign its SAML authentication request, it does not provide a signer certificate.

You can add several signer certificates.
Note: When you add a SAML enterprise identity provider, its signer certificate is automatically imported into the Security > Certificates > Signer certificates page.

Procedure

  1. Select Security > Certificates.
  2. View the certificate information.
    1. Select the certificate to display the Certificate Details dialog box, which provides the following information:
      Table 1. Certificate Details
      Information   Description

      Friendly Name
        Also referred to as the certificate alias. It is the display name and a convenient reference to the certificate in place of the Serial Number and Issuer DN.
        It must be in lowercase text. Use only alphanumeric characters.

      Certificate Type
        Identifies the certificate as a personal certificate or a signer certificate.

      Issuer DN
        The distinguished name of the entity that signed and issued the certificate. It is typically the certificate authority.
        It consists of several attribute=value pairs, which are separated by commas:
        CN: CommonName
          The fully qualified domain name for the organization.
        OU: OrganizationalUnit
          Name of the division or department in the organization.
        O: Organization
          The legal name of the organization that is registered with the appropriate city, state, or country/region authority.
        L: Locality
          The city of the organization's address.
        ST: StateOrProvinceName
          The state or province where the organization is physically located.
        C: CountryName
          A two-character country or region code.

      Subject DN
        Subject distinguished name. The name of the entity to which the certificate is issued.
        It consists of several attribute=value pairs, which are separated by commas.

      Valid From
        The beginning date on which this certificate is valid. Certificates are only valid for a specific time. The certificate authority sets and starts the certificate validity period when it signs the certificate.
        The specified date depends on the local date and time settings.

      Expires On
        The certificate is not valid after this date.
        The specified date depends on the local date and time settings.

      Serial Number
        A unique identifier that distinguishes the certificate from the other certificates that the certificate authority issued.

      Fingerprints
        Digests that identify the certificate. The algorithm is used to hash the public key certificate and to sign outgoing SAML 2.0 messages.
        • SHA-1
          Note: SSL certificate issuers deprecated this algorithm as of January 2016.
        • SHA-256

      Default Certificate
        Indicates whether it is the default certificate.
        The default personal certificate cannot be edited or deleted.

      Signature algorithm
        The hashing and encryption algorithm of the certificate.
  3. Add a personal certificate.
    1. Select Add personal certificate. The Add Personal Certificate dialog box is displayed.
    2. Browse for the PKCS#12 (.p12) or PKCS#8 (.p8) file. Alternatively, drag it into the drop area.
      Note: Only RSA certificates are supported in the PKCS#12 file format, and only ECDSA certificates are supported in the PKCS#8 file format.
      The name of the Selected File is displayed.
    3. Specify the following information for the new certificate:
      Table 2. Add personal certificate dialog box
      Information   Description

      File Password
        Required only for .p12 files.
        Password to decrypt and install the certificate file.

      Friendly name
        Required for .p8 files, but optional for .p12 files.
        A label for the certificate.

      Default Certificate
        Indicates whether it is the default certificate.
        Note: Only .p12 certificates can be used as a default certificate.
    4. Select OK.
  4. Add a signer certificate.
    1. Select Add signer certificate. The Add signer certificate dialog box is displayed.
    2. Browse for the .pem file or drag it into the drop area.
      The name of the Selected File is displayed.
    3. Specify the Friendly Name for the new certificate. See Table 1 for details.
    4. Select OK.
      The certificate is displayed in the Signer Certificates section. It is also added as a value for the Service Provider Signer Certificate in the Applications > Sign-on page.
  5. Delete a personal certificate or signer certificate.
    1. Choose from one of the following options:
      • Hover over the certificate that you want to delete and select the Delete icon.
      • Select the certificate.
    2. Select Delete.
    3. Confirm that you want to permanently delete the selected certificate or certificates.
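As an added example that is not part of the IBM documentation, the following OpenSSL script prepares the two file formats that the Add Personal Certificate step accepts (a PKCS#12 bundle for an RSA key, carrying the Friendly Name as its alias, and an unencrypted PKCS#8 file for an ECDSA key) and prints the fields listed in Table 1 so that they can be compared with the Certificate Details dialog after import. The subject, the password and the file names are constructed. It assumes OpenSSL 1.1.1 or later, and it assumes that the .p8 file is uploaded without a password, which is inferred from the File Password field applying only to .p12 files.

```shell
#!/bin/sh
# Added example, not part of the IBM documentation. Prepares the two file
# formats the Add Personal Certificate dialog accepts (PKCS#12 for RSA keys,
# PKCS#8 for ECDSA keys) and prints the fields from the Certificate Details
# dialog. Subject, password and all file names are constructed for the demo.
set -eu
WORK="$(mktemp -d)"
cd "$WORK"
P12_PASS='demo-p12-password'   # constructed; this goes in the dialog's File Password field

# RSA key and self-signed certificate. Demo only: production needs a CA-signed certificate.
openssl req -x509 -newkey rsa:2048 -nodes -keyout rsa.key -out rsa.pem -days 365 -sha256 \
  -subj '/CN=idp.example.com/OU=Identity/O=Example Org/L=Austin/ST=Texas/C=US' >/dev/null 2>&1

# Package key and certificate as PKCS#12. The -name value becomes the bundle's
# friendlyName, which is the Friendly Name (alias) that Verify displays: lowercase
# alphanumeric, and "server" for the certificate that must always exist.
openssl pkcs12 -export -in rsa.pem -inkey rsa.key -name server \
  -passout "pass:$P12_PASS" -out server.p12

# ECDSA key as an unencrypted PKCS#8 file; genpkey writes PKCS#8 by default.
# Assumption: the .p8 is uploaded without a password, since the dialog asks for
# a File Password only for .p12 files.
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out ecdsa.p8 >/dev/null 2>&1

# p12_alias FILE PASSWORD: prints the friendlyName stored in a .p12 bundle.
p12_alias() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
    | sed -n 's/^ *friendlyName: //p' | head -n 1
}

# key_type FILE: prints RSA, EC or UNKNOWN for a PEM private key, so a file can be
# checked against the format rule (RSA in .p12, ECDSA in .p8) before upload.
key_type() {
  if openssl rsa -in "$1" -noout >/dev/null 2>&1; then echo RSA
  elif openssl ec -in "$1" -noout >/dev/null 2>&1; then echo EC
  else echo UNKNOWN
  fi
}

# cert_details CERT: the Certificate Details fields as OpenSSL reports them
# (Subject DN, Issuer DN, Valid From / Expires On, Serial Number, SHA-1 and
# SHA-256 fingerprints, Signature algorithm).
cert_details() {
  openssl x509 -in "$1" -noout -subject -issuer -dates -serial
  openssl x509 -in "$1" -noout -fingerprint -sha1
  openssl x509 -in "$1" -noout -fingerprint -sha256
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# still_valid_for CERT DAYS: exit 0 if CERT is still valid DAYS days from now.
# Use it to schedule the replacement of the default personal certificate before it expires.
still_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

echo "PKCS#12 alias:  $(p12_alias server.p12 "$P12_PASS")"
echo "rsa.key type:   $(key_type rsa.key)"
echo "ecdsa.p8 type:  $(key_type ecdsa.p8)"
cert_details rsa.pem
if still_valid_for rsa.pem 30; then echo "valid for at least 30 more days"; fi
```

Running `cert_details` on a certificate before importing it, and again on the public key you hand to a service provider, is a quick way to confirm that the SHA-256 fingerprint shown in the Certificate Details dialog matches the file you intended to upload; `still_valid_for` is the check to put in a calendar job so the default personal certificate is replaced, and single sign-on reconfigured, before Expires On.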