

How to Send Certificates to Your Partner

The partner that signs a message has to send the associated certificate (public key) to the other partner so that partner can verify the message.

The partner that encrypts a message has to receive the certificate (public key) from the partner that is expected to decrypt the message.

The procedure for sending the required certificate file to a partner depends on whether the key/certificate pair is already in the CDS.

The following figure shows the steps for sharing certificate files.

Flow diagram for sending a certificate file to a partner

Follow these steps:

  1. Generate a new key/certificate pair.
  2. Import the key/certificate pair into the CDS.
  3. Export the certificate from the CDS to a file.
  4. Send the certificate file to your partner.

Generate a New Key/Certificate Pair Using the UI or a Third-party Tool

If you do not have a key/certificate pair in the certificate data store, request one from a trusted Certificate Authority. When the CA returns a signed certificate response, import it into the certificate data store.

Generate a certificate request using the Administrative UI or using a third-party tool.

When you create a request using the Administrative UI, CA SiteMinder® Federation Standalone generates a private key and a self-signed certificate pair. CA SiteMinder® Federation Standalone stores this pair in the certificate data store. Using the generated request, contact a Certificate Authority and fill out the CA certificate request form, pasting the contents of the generated request into the form.

The CA issues a signed certificate response, usually in PKCS #7 format. You can import the signed certificate response into the certificate data store. After the signed certificate response is imported, the existing self-signed certificate entry of the same alias is replaced.

Follow these steps:

  1. Log in to the Administrative UI.
  2. From the Certs & Keys tab, select Certificate and Private Keys.
  3. Click Request Certificate.
  4. Complete the required fields.

    Note: Click Help for a description of fields, controls, and their respective requirements.

  5. Click Save.

A file that conforms to the PKCS #10 specification is generated.

The browser prompts you to save or open the file, which contains the certificate request. If you do not save this file (or open it and extract the text), CA SiteMinder® Federation Standalone still generates the private key and self-signed certificate pair. Generate a new certificate signing request, using the Generate CSR feature, to get a new request file for the private key.

Import the Key/Cert Pair into the CDS

The procedure for importing the key/certificate pair varies. Refer to the appropriate procedure:

Import a Key/Certificate Pair from an Existing File

If you do not have a key/certificate pair in the certificate data store, import one from an existing .p12 or .pfx file.

CA SiteMinder® Federation Standalone treats a certificate that you import as a trusted certificate. The exceptions are self-signed certificates:

Follow these steps:

  1. Log in to the Administrative UI.
  2. From the Certs & Keys tab, select Certificates and Private Keys.

    The View Certificates and Private Keys dialog opens.

  3. Click Import New and follow the wizard.

    Note: You can click Help for a description of fields, controls, and their respective requirements.

    Be aware of the following items as you complete the wizard:

  4. At the Confirm step, review the information and click Finish.

The key/certificate pair is imported into the certificate data store.

Import a Signed Certificate Response

After completing a certificate request and sending it to the Certificate Authority, the Certificate Authority issues a signed certificate response.

Import the signed certificate into the certificate data store to replace the existing self-signed certificate entry of the same alias.

Follow these steps:

  1. From the Certs & Keys tab, select Certificate and Private Keys.

    The View Certificates and Private Keys dialog opens.

  2. Search for the self-signed entry with the same alias.
  3. Select Action, Update Certificate next to the entry that contains the self-signed certificate.

    The wizard for importing certificates and keys displays.

    Note: Click Help for a description of fields, controls, and their respective requirements.

  4. Browse to the file you want. You can use a:
  5. Select the appropriate entry.
  6. At the Confirm step, review the certificate information and click Finish.

The signed certificate is imported into the certificate data store and the self-signed certificate is replaced.

Export Certificates from the CDS using the Administrative UI

You can export a private key/certificate pair to a file and send the certificate file (public key) to your federation partner. The partner can use the certificate to verify the signature of assertion responses created with the associated private key or encrypt a response to be decrypted with the associated private key.

Important! If you export the private key as part of a backup, never share it with anyone else.

Follow these steps:

  1. Log in to the Administrative UI.
  2. From the Certs & Keys tab, select Certificates and Private keys.

    The View Certificates and Private Key window displays.

  3. Select Action, Export for the entry in the Certificate and Private Key List you want to export.

    The Export Key Store Entry dialog displays.

  4. Select the format of the file you want to create from the exported data.

    Note: Click Help for a description of fields, controls, and their respective requirements.

  5. Select the file format.
  6. Click Export.

    You are prompted to open or save the file on the local system.

    CA SiteMinder® Federation Standalone generates the encoded file content representing the key or certificate.

  7. Send the file to your partner.

Send the Certificate File to your Partner

After exporting the encoded file with the certificate, send this file to your federation partner. Your partner has to import this certificate to handle verification or encryption of federation messages.
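The following Go program is an added example and is not CA SiteMinder® Federation Standalone code. It models the key/certificate handling that the procedures above perform through the Administrative UI: the local key/certificate pair that the Request Certificate step creates, the certificate-only export that goes to the partner, the backup export that also carries the private key (the case the Important! note warns about), and the partner's use of the imported certificate to verify a signature made with the matching private key. It assumes an in-memory KeyPair in place of the certificate data store, PEM files in place of the product's export formats, a raw RSA PKCS #1 v1.5 signature over SHA-256 in place of the XML Signature used on federation messages, and the constructed subject name idp.example.test.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// KeyPair stands in for one certificate data store entry: a private key
// and the certificate issued for it.
type KeyPair struct {
	Key  *rsa.PrivateKey
	Cert *x509.Certificate
}

// GenerateKeyPair creates a private key and a self-signed certificate, the
// local result of the Request Certificate step before the CA response is
// imported. The subject name is a constructed example value.
func GenerateKeyPair() (*KeyPair, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "idp.example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &KeyPair{Key: key, Cert: cert}, nil
}

// ExportCertificatePEM is the file to send to the partner: certificate only.
func (kp *KeyPair) ExportCertificatePEM() []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: kp.Cert.Raw})
}

// ExportBackupPEM bundles the private key with the certificate: what a backup
// export holds and what must never be sent to a partner.
func (kp *KeyPair) ExportBackupPEM() []byte {
	keyDER := x509.MarshalPKCS1PrivateKey(kp.Key)
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: keyDER})
	return append(keyPEM, kp.ExportCertificatePEM()...)
}

// ContainsPrivateKey reports whether an exported file carries any private-key
// PEM block; run it on the file before sending it to a partner.
func ContainsPrivateKey(exported []byte) bool {
	for blk, rest := pem.Decode(exported); blk != nil; blk, rest = pem.Decode(rest) {
		if strings.HasSuffix(blk.Type, "PRIVATE KEY") {
			return true
		}
	}
	return false
}

// Sign is the signing partner's side: the private key signs the message.
func (kp *KeyPair) Sign(msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, kp.Key, crypto.SHA256, h[:])
}

// VerifyWithCertificateFile is the receiving partner's side: the certificate
// file it imported verifies a signature made with the matching private key.
func VerifyWithCertificateFile(certPEM, msg, sig []byte) error {
	blk, _ := pem.Decode(certPEM)
	if blk == nil || blk.Type != "CERTIFICATE" {
		return fmt.Errorf("file does not start with a CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(blk.Bytes)
	if err != nil {
		return err
	}
	return cert.CheckSignature(x509.SHA256WithRSA, msg, sig)
}

func main() {
	kp, err := GenerateKeyPair()
	if err != nil {
		panic(err)
	}
	fmt.Println("partner file carries private key:", ContainsPrivateKey(kp.ExportCertificatePEM()))
	fmt.Println("backup file carries private key:", ContainsPrivateKey(kp.ExportBackupPEM()))
}
```

The two export functions make the point of the Important! note concrete: the file for the partner decodes to a single CERTIFICATE block, while the backup file also decodes to a PRIVATE KEY block, and ContainsPrivateKey distinguishes them before anything is sent. VerifyWithCertificateFile accepts only the certificate file and rejects a tampered message or a file that is not a certificate.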