Your Cleo product provides the ability to select local or partner certificates on a per trading partner basis that can be activated for use immediately or at a scheduled time in the future.
In addition, trading partners using non CEM-capable AS2 or AS3 protocols will automatically be able to take advantage of the "first-usage" features for scheduled local encryption certificates and scheduled partner signing certificates. See Exchanging certificates with your trading partner.
To schedule new certificates for future use for one or more trading partners:
- Go to the My Certs or the Trading Partner Certs panel.
- Select the certificate you want to schedule for future use.
- Select the Schedule Certificates For Future Use command option and click Proceed...
The Schedule Local Certificates dialog box displays.
- Select one or more new certificates. You can browse to a new certificate or specify a certificate explicitly for the following:
- Signing Certificate Alias
- Encryption Certificate Alias
- SSL Client Certificate Alias
- SSL Server Certificate Alias
- Add the correct private key password to the appropriate Password field.
- Select the appropriate options:
- Select Use Signing Certificate to choose the same certificate for Signing and Encryption or deselect this option to use different certificates for Signing and Encryption.
- The SSL Client Certificate Alias and Password fields will only be enabled if an SSL Client certificate had been previously selected for the trading relationship. To override selection of these fields, Schedule SSL Client Certificate may be selected or deselected as desired.
- The SSL Server Certificate Alias and Password fields will only be enabled if the associated secure port for this protocol (in this case HTTP/s) has been enabled in the Local Listener. To override selection of these fields, Schedule SSL Server Certificate may be selected or deselected as desired.
- Select the desired Activation Date and Time from pull-down lists or specify your own date (in the form: 'yyyy/mm/dd') and time (in the form: hh:mm or hh:mm:ss).
- If you are scheduling a certificate for use with PGP partner packaging signing/encryption key, you can choose the Allow Overlapping Key Usage option. This option is useful when a new key has been scheduled but not yet activated and decryption of an inbound file fails using the installed key. Using this option allows your system to attempt decryption using the scheduled but not-yet-active key. Additionally, during this overlap period, outbound files are signed using both the installed and scheduled keys to avoid possible signature verification errors by the trading partner. By default, the Allow Overlapping Key Usage option is selected.
Note: Only partner packaging certificates are used when scheduling for packaging certificates even though the UI displays Local in some dialog boxes.
- Click Schedule to schedule the selected certificates for future use.
A confirmation dialog box displays.
- Click Yes to confirm that all selected certificates should be scheduled for installation and activation for the specified trading partners.
Click No to return to the Schedule Local Certificates page, where you can choose other certificates and options.
- If you confirmed certificates to be scheduled, you can choose to email the scheduled certificates to your trading partners.
- The new certificates are displayed in the panel with the current certificates and are not editable until after the scheduled certificate activation date and time or, for AS2 and AS3, your trading partner begins encrypting with the new encryption certificate.
When the activation date and time occurs, scheduled certificates are activated and an email notification is sent to the email address specified in the Admin Email Address field on the Other tab in Configure System Options panel. See Other system options.
If you scheduled a new SSL or SSH Server certificate, the new certificate is displayed in the Local Listener’s HTTP, FTP, OFTP or SSH FTP panel (depending on the specified protocol) along with the current certificate. The Certificate Alias is read-only until all partners using the same SSL/SSH protocol have scheduled the new certificate and that scheduled date has passed. Once this has occurred, the new SSL/SSH Server certificate will automatically be installed – typically, within about five minutes.
Because only one HTTP, FTP, OFTP and SSH FTP server certificate can be active at any time, the new server certificate relevant to the specified protocol is the only certificate that can be scheduled for all subsequent schedule requests for any other protocols that use the same server certificate.