Configure System Settings - Key Store

The Key Store page provides access to the contents of the Validation Authority key store. From it you can download the public key or certificate of each key pair and create PKCS#10 certificate requests signed by Validation Authority.

Download Public Key or Certificate

Important: In a production environment, it is often necessary to use certificates issued by a certificate authority.
  1. From the Configuration page, click Key Store.

    Validation Authority maintains 3 asymmetric key pairs and their associated certificates:

    • Signature key - To sign SCVP and OCSP responses.

    • Audit log key - To sign audit log entries.

    • SSL key - Used as the SSL server key of Validation Authority when handling inbound SSL connections and as the SSL client key of Validation Authority when establishing mutually authenticated outbound SSL connections.

    Validation Authority also maintains a symmetric key for the purpose of enciphering sensitive data such as passwords.

  2. To download the selected public key in DER-encoded format, click public key to the right of the name of a key pair.

  3. To download the associated certificate in PEM (Base64-encoded) format, click certificate to the right of the name of a key pair.

Create a Certificate Request

During initial configuration, Validation Authority typically generates new key pairs and corresponding self-signed certificates. In order for a certificate authority to issue a certificate to Validation Authority, you must create a PKCS#10 certificate request and submit it to the certificate authority for signing.

The certificate request contains one of the public keys (signature key, audit log key, or SSL key) for Validation Authority, a distinguished name that identifies your organization, and the signature of Validation Authority proving that it holds the corresponding private key. Once the certificate is issued, it must be imported into the key store of Validation Authority.

By default, Validation Authority identifies itself using self-signed certificates when signing OCSP responses, signing audit log entries, and for authenticating SSL connections. You can configure Validation Authority to delegate responsibility for providing its identity by using certificates issued by a certificate authority. This delegation is called delegated trust.

For each certificate issuer registered using the Register Certificate Issuer page, you can use a unique delegated OCSP signing certificate that was signed by that CA for signing OCSP responses.

When generating response lists for a certificate issuer, the delegated OCSP signing certificate issued by that CA will be included in the OCSP responses. If you have not registered a delegated OCSP signing certificate for a CA, the default OCSP signing certificate will be included.

Alternatively, you can configure Validation Authority to import OCSP signing certificates from LDAP certificate data sources. In this configuration, configure the CA to reissue the OCSP signing certificate(s) periodically. You create the OCSP signing certificate request only once unless you want to change the subject name that identifies Validation Authority. The CA reissues the certificates periodically using the same static request.

  1. From the Sign request with drop-down list, select the key pair for which the request should be generated.

  2. Enter a Subject distinguished name (DN) to identify Validation Authority.

    For OCSP signing certificates, you can obtain this information from the Name portion in the Details for Certificate Issuers page.

  3. To prevent relying parties from checking the status of the responder's certificate, select the OCSP PKIX No Check option.

    The OCSP PKIX No Check extension can be used in OCSP signing certificates to simplify OCSP validation. When this option is selected, the extension is included in the certificate you are requesting.

  4. To generate the CSR with the DN encoded as PrintableString instead of the default UTF8String, select the Enable Printable String for whole DN option.

    For example:

    CSR generated before enabling:

    OpenSSL> asn1parse -in C:\Softs\asymmetric-key-feature-test\x500-sign.req
    13:d=3 hl=2 l= 21 cons: SET
    15:d=4 hl=2 l= 19 cons: SEQUENCE
    17:d=5 hl=2 l= 3 prim: OBJECT :streetAddress
    22:d=5 hl=2 l= 12 prim: UTF8STRING :VASANT NAGAR

    CSR generated after enabling:

    OpenSSL> asn1parse -in C:\Softs\asymmetric-key-feature-test\x500-sign.req
    13:d=3 hl=2 l= 21 cons: SET
    15:d=4 hl=2 l= 19 cons: SEQUENCE
    17:d=5 hl=2 l= 3 prim: OBJECT :streetAddress
    22:d=5 hl=2 l= 12 prim: PRINTABLESTRING :VASANT NAGAR

  5. Click Generate PKCS #10 Certificate Request. A new browser window is displayed with the certificate request. Save the contents of the page for submission to the Certificate Authority.

    Note: Because a certificate request is a binding between one of the public keys of Validation Authority and a distinguished name, it is not necessary to generate a new certificate request each time you wish to have a new certificate issued to the same key pair of Validation Authority. As long as the keys and the name are the same, you can submit the same certificate request repeatedly or to multiple certificate authorities.
  6. Copy this entire text for submission to a Certificate Authority. Make sure that you include the BEGIN and END lines.

    The following is a sample:

    -----BEGIN CERTIFICATE REQUEST-----
    MIIBtTCCAR4CAQAwTzELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkNvcmVTdHJlZXQx
    KzApBgNVBAMTIkV4YW1wbGUgT0NTUCBSZXNwb25kZXIgQ2VydGlmaWNhdGUwgZ8w
    DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOIJzWIbcO1OkHlV2Tg5xoRzI/joGdAw
    d/d6xJOmtqvZKtdvSANntN8igU3yX0EfWlinNkI/dHbEqj470wxxRkLGoJthULoZ
    wN329VFoT83hCHZum8Q7J0PJ1qiqsZ1mcxC2W3adyPWwS4syKqG2aL87etCzTIIZ
    /7p777oaXlUrAgMBAAGgJjAkBgkqhkiG9w0BCQ4xFzAVMBMGA1UdJQQMMAoGCCsG
    AQUFBwMJMA0GCSqGSIb3DQEBBQUAA4GBAIbA5aV1LYFwEfeIc/l2KUBW9D3OtSE/
    wguphRdq4cS5i6dO7ufqjJVvMZoPth9I6gV3YwjQjv1L2kBy1xaUOwBtNfR5Yda3
    LnscgpOQT/3RMJ7guC5jGTpZ8mqJBttyGY/3pvOgQSkmhpnphYjSCL8xV7fE4Jrs
    zC4CvYsEZ9FI
    -----END CERTIFICATE REQUEST-----
    
  7. Repeat this procedure for each registered certificate issuer if you want to use a separate OCSP signing certificate.
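As an added example (not code from the Validation Authority product or its documentation), the following Python reproduces the SET / SEQUENCE / OBJECT / string layout shown in the asn1parse output of step 4 for one DN attribute, encoding it as UTF8String (the default) or PrintableString (the Enable Printable String for whole DN option), and includes a minimal DER walker to read the string tag back. It uses only the standard library; the streetAddress value is the sample from that output, and the walker also handles long-form lengths, which the sample above does not exercise.

```python
# Added example, not part of the Validation Authority product or documentation:
# DER-encodes one DN attribute as UTF8String (default) or PrintableString, the
# difference the "Enable Printable String for whole DN" option makes in a CSR.
UTF8STRING, PRINTABLESTRING, OID, SEQUENCE, SET = 0x0C, 0x13, 0x06, 0x30, 0x31
# PrintableString (X.680) permits only these characters; anything else needs UTF8String.
PRINTABLE_OK = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?")

def der_len(n):  # DER length octets: short form below 128, long form (0x8N + N bytes) otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def encode_oid(dotted):
    """DER OBJECT IDENTIFIER for a dotted OID such as 2.5.4.9 (streetAddress)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                   # base-128, continuation bit set on all but the last octet
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out += reversed(chunk)
    return tlv(OID, bytes(out))

def encode_rdn(oid, value, printable=False):
    """RelativeDistinguishedName: SET { SEQUENCE { type OID, value string } }."""
    if printable:
        if not set(value) <= PRINTABLE_OK:  # the option cannot represent other characters
            raise ValueError("not representable as PrintableString: %r" % value)
        enc = tlv(PRINTABLESTRING, value.encode("ascii"))
    else:
        enc = tlv(UTF8STRING, value.encode("utf-8"))
    return tlv(SET, tlv(SEQUENCE, encode_oid(oid) + enc))

def read_tlv(buf, off):
    """Return (tag, body_start, body_end) of the TLV at buf[off:]."""
    tag, ln, hdr = buf[off], buf[off + 1], 2
    if ln & 0x80:                          # long-form length: 0x8N followed by N length octets
        hdr, ln = 2 + (ln & 0x7F), int.from_bytes(buf[off + 2:off + 2 + (ln & 0x7F)], "big")
    return tag, off + hdr, off + hdr + ln

def value_tag(rdn):
    """Walk SET -> SEQUENCE -> OID and return the string tag of the attribute value."""
    _, set_body, _ = read_tlv(rdn, 0)
    _, seq_body, _ = read_tlv(rdn, set_body)
    _, _, oid_end = read_tlv(rdn, seq_body)
    return read_tlv(rdn, oid_end)[0]
```

The 23-byte encoding of streetAddress "VASANT NAGAR" produced here matches the lengths in the asn1parse output (SET 21, SEQUENCE 19, OBJECT 3, string 12); a value outside the PrintableString character set raises ValueError rather than producing an invalid CSR.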

Update the Key Store

On the Update Key Store page, you can import a certificate that a certificate authority has issued to Validation Authority (such as one created from a certificate request you submitted), or regenerate the self-signed certificates of Validation Authority. Neither operation changes the keys used by Validation Authority.

  1. To update a key store, click Update Key Store.

  2. You can either enter the path for the certificate or chain in the respective field, or click Browse to locate the certificate you want to upload.

    Note: Any parts of the key store associated with the Import fields left blank will not be modified.
  3. Click Update Key Store to save the changes. Restart Validation Authority in order to use the updated SSL certificate.

    Alternatively, click Cancel to return to the Key Store page without updating the key store.

Asymmetric Signature Key Renewal

On the Asymmetric Signature Key Renewal page, the operator can schedule automatic replacement of the asymmetric signature key used for signing OCSP responses. For more information, refer to Create a Certificate Request.

To enable automatic certificate import:

  1. Go to Configuration >> Asymmetric Signature Key Renewal.

  2. Select the Enabled check box.

  3. If Validation Authority is installed on Windows, the operator can use one of the following options:

    • Select the Windows Certificate Store check box if the certificates are stored in the Windows certificate store.

    • Select Directory and specify the path on the Validation Authority host where the certificates are stored.

  4. If Validation Authority is installed on RHEL, the operator selects Directory and specifies the path on the Validation Authority host where the certificates are stored.

  5. Enter the common prefix in the Asymmetric Signature file prefix field, as follows:

    • Windows Certificate Store - The prefix must be either a substring of the certificate CN or the complete certificate CN.

    • Directory - The prefix must match the certificate file name.

For example, if the certificate being renewed has the subject DN CN=vadevcert1, DC=vadev, DC=org, the operator can set the prefix to vadev.

Note: If several certificates in the Windows certificate store or the Validation Authority directory share the same prefix, Asymmetric Signature Key Renewal imports the one with the most recent date.
  6. Click Update Configuration to save the changes. Alternatively, click Revert Changes to discard them without configuring automatic import.

  7. Make sure the Asymmetric Signature Key Renewal job is configured and started. For more details, refer to Administrator Operations - Jobs.

Regenerate Self-Signed Certificates

Important: In the absence of certificates issued by a CA, Validation Authority uses self-signed certificates to identify itself. To regenerate the self-signed certificates with a new distinguished name, click the update key store link on the Key Store page and complete the Regenerate Self-Signed Certificate form on the Update Key Store page. This does not change the keys used by Validation Authority.

  1. From the Regenerate certificate signed by drop-down list, select the type of certificate to be regenerated.

  2. In the Certificate distinguished name (DN) field, specify the name. For example, regenerate the SSL certificate with a DN that specifies the host name properly (such as CN=myhost.mycorp.com).

  3. Specify the Certificate validity period.

  4. Click Regenerate Self-Signed Certificate to create the selected certificate and return to the Key Store page.

    Alternatively, click Cancel to return to the Key Store page without generating a new self-signed certificate.

A regenerated SSL certificate will not be used until you restart Validation Authority. Regenerated signature and audit log certificates will be used immediately.