Federation Manager uses a private key, certificate, or key/certificate pair for a number of functions:
To import only a trusted certificate, use a file containing the certificate in PEM or DER encoding. The standard extension for files of these types is *.crt or *.cer. If the file name ends in .p12 or .pfx, the file is processed as a key store containing key/certificate pairs. If the file name ends in .p7 or .p7b, the file is processed as a signed certificate response. Any other extension is treated as a certificate file, and Federation Manager tries to load a certificate from it.
You can update certificates in the following ways:
The new certificate must be valid before Federation Manager can use it to update an expiring certificate. Certificates are updated and become available after the policy engine synchronizes with the key store, which occurs every hour by default. If the new certificate is not valid, as determined by its validity interval, Federation Manager cannot use the new certificate.
You do not have to update any other objects, such as partnerships and entities that use the expiring certificate.
Note: To synchronize the policy engine with the key database immediately after you add or update a certificate, restart the Federation Manager services. Otherwise, the changes to the key database are not available until the policy engine and key database synchronize. The time until the policy engine and key database synchronize depends on the configured frequency. You can change that frequency by adjusting the DBUpdateFrequencyMinutes parameter in the smkeydatabase.properties file.
If you do not have a key/certificate pair in the Federation Manager key database, you have two options:
To generate a new key/certificate pair, you request a certificate from a trusted Certificate Authority and then import the signed certificate response returned by the authority.
Instructions for this method are described later in this chapter.
Copyright © 2011 CA. All rights reserved.