15.0 Creating Certificates

Access Manager comes with certificates for testing purposes. The test certificates are called test-signing, test-encryption, test-provider, test-consumer, and test-connector. At a minimum, you must create two SSL certificates: one for Identity Server test-connector and one for Access Gateway reverse proxy. Then you replace the predefined certificates with the new ones.

If you install a secondary Administration Console, the certificate authority (CA) is installed with the first instance of eDirectory, and the secondary consoles have eDirectory replicas and therefore no CA software. All certificate management must be done from the primary Administration Console. Certificate management commands issued from a secondary Administration Console can work only if the primary console is also running properly. Other commands can work independently of the primary console.

IMPORTANT: Before generating any certificates with Administration Console CA, ensure that time is synchronized within one minute among all of your Access Manager devices. If the time of Administration Console is ahead of the device for which you are creating the certificate, the device rejects the certificate.
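To make the clock-skew requirement concrete, the following is an added shell example, not taken from the Access Manager documentation or product: it issues a throwaway self-signed certificate with OpenSSL as a stand-in for one issued by the Administration Console CA, then uses `openssl verify -attime` to simulate a device whose clock is behind or ahead of the console. The subject name, temporary paths and the chosen offsets are assumptions; OpenSSL's strict notBefore check stands in for the device's own validation.

```shell
#!/bin/sh
# Added example (not part of Access Manager): reproduce the clock-skew rejection
# described above by checking a certificate against a simulated device clock.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for a certificate issued by the Administration Console CA:
# a throwaway self-signed certificate whose notBefore is the console's "now".
# The subject name is a placeholder.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=idp.example.test" \
  -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1

# Simulate a device whose clock is OFFSET seconds relative to the console
# (negative = device behind, i.e. the console is ahead). Returns 0 when the
# device would accept the certificate, non-zero when it rejects it as not yet valid.
device_accepts() {
  offset=$1
  console_now=$(date +%s)
  openssl verify -CAfile "$WORK/cert.pem" -attime $((console_now + offset)) \
    "$WORK/cert.pem" >/dev/null 2>&1
}

# Apply the documented one-minute requirement: returns 0 only when the skew
# is within 60 seconds in either direction.
skew_within_tolerance() {
  offset=$1
  [ "$offset" -ge -60 ] && [ "$offset" -le 60 ]
}

# Walk three device offsets and report what each device would do.
for offset in -120 0 120; do
  if ! skew_within_tolerance "$offset"; then
    printf 'offset %5ss: skew exceeds one minute, resynchronize before issuing\n' "$offset"
  fi
  if device_accepts "$offset"; then
    printf 'offset %5ss: device accepts the certificate\n' "$offset"
  else
    printf 'offset %5ss: device rejects the certificate (not yet valid)\n' "$offset"
  fi
done
```

A device running ahead of the console still accepts the certificate; only a device running behind it (the console ahead, as the note says) sees a notBefore in its future and rejects it.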

  1. Click Security > Certificates.

  2. Select from the following actions:

    New: To create a new certificate, click New. For information about the fields you need to fill in, see Section 15.1, Creating a Locally Signed Certificate and Section 15.4, Generating a Certificate Signing Request.

    Delete: To delete a certificate, select the certificate, then click Delete. If the certificate is assigned to a keystore, a warning message appears. You must remove a certificate from all keystores before it can be deleted.

    Import Private/Public Keypair: To import a key pair, click Actions > Import Private/Public Keypair. For more information, see Section 16.6, Importing a Private/Public Key Pair.

    Add Certificate to Keystores: To add a certificate to a keystore, click Actions > Add Certificate to Keystore. For more information, see Section 16.2, Adding a Certificate to a Keystore.

    NOTE: To use an external OAuth signing certificate, you must add the certificate to the Signing keystore.

    View Certificate Details: To view certificate details, renew a certificate, or export keys, click the name of the certificate. For more information, see Section 16.1, Viewing Certificate Details.