Add a Private Key and Certificate Pair

Federation Manager Installation and Upgrade Guide › Key Tool Reference › Add a Private Key and Certificate Pair

Add a Private Key and Certificate Pair

Use the addPrivKey option to import only a private key/certificate pair into the certificate data store. Consider the following items:

You can have multiple private key/certificate pairs in the store, but SiteMinder supports only RSA keys in the store.
Only private key/certificate pairs are stored in encrypted form.
A Policy Server at a producing authority:
- Uses a single private key/certificate pair to sign SAML assertions.
- Uses the certificate to decrypt encrypted SAML assertions received from the consuming authority.
Typically, the key is the first private key/certificate pair found in the certificate data store.
Delete the certificate metadata from the certificate file before importing it. Import only the data starting with the --BEGIN CERTIFICATE-- marker and ending with the --END CERTIFICATE-- marker. Be sure to include the markers.

Arguments for this option include the following:

-accessLegacyKS

Specifies that the option applies to the legacy smkeydatabase. If you do not supply this argument, the option applies to the r12.5 certificate data store.

-alias alias

Required. Assigns an alias to a private key/certificate pair in the database. The alias must be a unique string and can contain only alphanumeric characters.

-certfile cert_file

Specifies the full path to the location of the certificate that is associated with the private key/certificate pair. Required for keys in PKCS1, PKCS5, and PKCS8 format.

-keyfile private_key_file

Specifies the full path to the location of the private key file. Required for keys in PKCS1, PKCS5, and PKCS8 format.

-keycertfile key_cert_file

Specifies the full path to the location of the PKCS12 file that contains the private key/certificate pair data. Required for keys in PKCS12 format.

-password password

(Optional) Specifies the password that was used to encrypt the private key/certificate pair when the pair was created. Supply this password to decrypt the key/certificate pair before it gets written to the certificate data store.

Note: This password is not stored in the certificate data store.

After the key/certificate pair is decrypted and placed in the certificate data store, SiteMinder encrypts the pair again using its own password.