CIC uses certificates and keys to establish identity and provide security.
Use the Keys & Certificates page to do the following:
- view a list of certificates and keys
- view detailed information about a selected item
- import, export, and delete items
- replace keys and certificates
- generate keys and certificates
Viewing a list of keys and certificates
The Keys & Certificates page provides a list of keys and certificates currently installed on your CIC system. You can control which items are displayed on the page using filtering criteria. See Filtering the list.
The Keys & Certificates page contains three tabs:
- Private Keys & Certs
- Public Keys & Certs
- Trusted Server Certs
The Public and Private tabs display the following information for each item on the list. The Trusted Server tab displays only the Status, Name, Expiration Date, and Last Updated columns.
Column | Description |
---|---|
Status | Possible values: |
Type | Possible values: |
Name | Used to identify a certificate or key. Click this value to display more information about the certificate or key. See Viewing detailed information. |
Used By | List of Endpoints that use the certificate or key. Click a value in this column to display information about the Endpoints that use this item. If used by a single Endpoint, the Endpoint is opened in Edit mode. See Editing Endpoints. If used by more than one Endpoint, a list of Endpoints is displayed in a modal dialog box. If you click an Endpoint in the dialog box, that Endpoint is opened in Edit mode. If an Endpoint will (but does not yet) use the certificate or key after a scheduled replacement, it displays this icon. |
Scheduled Replacement | Date and time the certificate or key will be replaced. See Scheduling Key or Certificate Replacements. |
Expiration Date | Date and time the certificate or key expires. |
Last Updated | Date and time the certificate or key was last updated. |
Filtering the list
You can control what is displayed on the list by specifying filtering criteria available on the left side of the page. When you specify a value for one or more of the filter attributes, the list is updated accordingly.
Note: Filters you apply are retained when you leave the page and subsequently return to it.
Specifying filtering criteria
As you type in the Name and Used By filter fields, CIC displays any values that match the string you type and you can select the value you want at that point.
Entries in drop-down menus are restricted to the values available on the page. For example, if you select a value from the Name field, only partners who use that certificate and key will be available in the Used By field.
If you choose to filter on the Expiring attribute, you can specify a timeframe in days.
Filters currently applied are displayed at the top of the list. You can click the X on any of these to remove a single filter or you can click Clear All to remove all filters.
Viewing detailed information
Click on the name of a certificate or key to display detailed information about the selected item.
If there is a certificate chain associated with the selected certificate, information about the chain is displayed. You can click the links in the chain to view details about certificates in the chain.
Deleting certificates and keys
You can delete one or more items directly from the list by selecting the items' checkboxes and clicking the Trash icon.
Alternatively, you can select an item from the list to display its details and then click the Trash icon.
Note: You can only delete certificates and keys that are not currently in use.
Importing certificates and keys
You can import certificates and keys either by selecting a file from your local system or by pasting the certificate or key directly into a text-entry area in CIC.
- Click the Import button.
- Select an option from the drop-down menu.
Note: The options available for importing are different for each of the tabs (Private Keys & Certs, Public Keys & Certs, and Trusted Server Certs).
- Choose the method you want to use to import the key or certificate.
  - Paste text in the text box, and, if necessary, specify a password.
  - Upload a file, click Browse, and navigate to your file. Select the file and click Open.
- Click Verify. CIC tests the key or certificate for validity and expiration (if applicable).
- If the key or certificate is successfully verified, the Import button is enabled and you can click it to complete the process.
Exporting certificates and keys
You can export certificates and keys to your local system.
- From within the list, click the name of a certificate or key to display detailed information about it.
- Click the Export button. CIC opens the item in a dialog box.
- Click Copy to Clipboard or Download.
Replacing Keys and Certificates
You can replace keys and certificates directly from within CIC Cockpit.
Note: This functionality is valid only for certificates and PGP keys.
- Click the certificate or key name in the Name column to view detailed information.
- Expand the Replace certificate area of the Information pane.
- Optional: Click the "all usages" link to display a list of the Endpoints that use this certificate or key. Click Done to return to the Information pane.
- Click "select certificate", choose a replacement certificate from the displayed list and click Select.
- Click Replace Now. Your certificate is replaced immediately.
Alternatively, click Schedule replacement and choose a date and time when the replacement for the certificate or key should occur. See Scheduling Key or Certificate Replacements.
Scheduling Key or Certificate Replacements
When you click the Schedule Replacement toggle in the Information pane, this dialog box is displayed.
To schedule key or certificate replacement:
- Select a date and time when you want the replacement to occur.
- Optionally, for certificates, select the Replace on first usage checkbox. See About Replace on First Usage below for important information.
- Click Done.
About Replace on First Usage
For certificates, you can use the Replace on first usage feature. Selecting this feature prompts CIC to replace the certificate when it is detected in use before the scheduled replacement time. This allows trading partners to begin using a new certificate as soon as it is scheduled and eliminates the need for both sides to update their configuration at a coordinated time.
Note: If you are replacing a certificate for an OFTP Endpoint, Replace on first usage should not be selected and does not work properly when the certificate being replaced is the trading partner's public certificate and is being used for session authentication.
Generating Keys and Certificates
You can generate keys and certificates directly from within CIC Cockpit.
- Click the Add button.
- Select from the following and specify required values:
- Click Generate.
The key or certificate appears in the list of keys or certificates as appropriate.
Generate Certificate & Private Key
Provide values for the following:
Attribute | Description |
---|---|
Certificate Name | Used to identify the certificate. Certificate names must be unique per tenant. |
Distinguished Name | Required. A set of keys and values that describe the certificate owner. You must use the correct syntax when you provide this value. See Specifying a Distinguished Name. |
Type | Select RSA or DSA. |
Key Size | For RSA certificates, choose from 512, 1024, 2048, 3072, or 4096. For DSA certificates, choose from 512, 1024, or 2048. 2048 is the default for both RSA and DSA certificates. |
Signing Algorithm | Choose from MD5, SHA-1, SHA-256, SHA-384, or SHA-512. Default value is SHA-256. MD5 is not available for DSA certificates. |
Valid for | The number of months that this certificate will be valid. Default value is 24 months. |
Usage | Used to indicate the intent of the certificate. Choose from Signing and Encryption. You can choose either, both, or neither. |
Specifying a Distinguished Name
The Distinguished Name is a set of keys and values that describe the certificate owner.
Here's a list of keys and their meanings:
Key | Meaning |
---|---|
DC | domainComponent |
CN | commonName |
OU | organizationalUnitName |
O | organizationName |
STREET | streetAddress |
L | localityName |
ST | stateOrProvinceName |
C | countryName |
UID | userid |
The following rules must be followed when specifying a Distinguished Name.
- At least one key-value pair must be provided, but no specific pair is required.
- The key-value pairs must be entered as `Key=Value` with no spaces between the `Key`, `=`, and `Value`. However, the value itself can contain spaces. For example:
  - Correct: `CN=My Company`
  - Incorrect: `CN = My Company`
- You can use the following special characters: `,` `=` `+` `<` `>` `#` `;`. Special characters must be escaped using a `\` (single backslash). The following is an example of an escaped comma in an organization name: `CN=My Company,O=Last Name\, First Name,C=US`
If there are any errors processing the Distinguished Name, the character position is shown in the error message below the field.
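The rules above can be checked before a value is pasted into the field. The following validator is an added example, not CIC's own parser: the function and class names, the error wording, the 0-based positions, and the choice to reject lower-case keys and a space after the separating comma are assumptions.

```python
# Added example: validator for the Distinguished Name rules described above.
# Not CIC's own parser; error wording and strictness are assumptions.
ALLOWED_KEYS = {"DC", "CN", "OU", "O", "STREET", "L", "ST", "C", "UID"}
SPECIALS = set(",=+<>#;")  # must be preceded by a single backslash in values


class DNError(ValueError):
    """Carries the 0-based character position of the first problem."""

    def __init__(self, message: str, pos: int):
        super().__init__(f"{message} at position {pos}")
        self.pos = pos


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Return [(key, unescaped value), ...] or raise DNError."""
    pairs, i, n = [], 0, len(dn)
    while True:
        eq = dn.find("=", i)
        if eq == -1:
            raise DNError("expected Key=Value", i)
        key = dn[i:eq]
        if key != key.strip():  # "CN = x", or a space after the separating comma
            raise DNError("space next to key", i if key[0] == " " else i + len(key.rstrip()))
        if key not in ALLOWED_KEYS:
            raise DNError(f"unknown key {key!r}", i)
        j = eq + 1
        if j < n and dn[j] == " ":
            raise DNError("space after '='", j)
        value = []
        while j < n and dn[j] != ",":
            ch = dn[j]
            if ch == "\\":  # escape: take the next character literally
                if j + 1 >= n:
                    raise DNError("dangling backslash", j)
                value.append(dn[j + 1])
                j += 2
            elif ch in SPECIALS:
                raise DNError(f"unescaped {ch!r}", j)
            else:
                value.append(ch)
                j += 1
        if not value:
            raise DNError("empty value", j)
        pairs.append((key, "".join(value)))
        if j >= n:
            return pairs
        i = j + 1  # step over the comma that separates pairs
```

An unescaped comma inside a value is reported at the start of the text that follows it, because that text is read as the next key.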
Generate SSH Private Key
Provide values for the following:
Attribute | Description |
---|---|
SSH Key Name | The display name to identify the key. |
Type | Choose from the following: ECDSA, ED25519, DSA, or RSA. |
Key Size | For ECDSA keys, choose from 256, 384, or 512. For ED25519 keys, only 256 is available. For DSA keys, choose from 1024 or 2048. For RSA keys, choose 512, 1024, 2048, 3072, or 4096. |
Generate OpenPGP Secret Key
Provide values for the following:
Attribute | Description |
---|---|
OpenPGP Key Name | The display name to identify the key. |
Name (Optional), Email (Optional) | Used to form the User ID of the key. If both are specified, the User ID is If only one is specified, it is used by itself. If neither is specified, the User ID is a randomly generated UUID. |
Type | Select RSA or DSA. |
Key Size | For RSA certificates, choose from 512, 1024, 2048, 3072, or 4096. For DSA certificates, choose from 512, 1024, or 2048. 2048 is the default for both RSA and DSA certificates. |
Valid for | The number of months that this certificate will be valid. Default value is 24 months. |