Private keys are used in the configuration of the Asymmetric Cryptography filter and in other Rhapsody components when the Use SSL property is selected. A private key is an encrypted Personal Information Exchange (*.pfx) file and must be sourced from a recognized Certification Authority, or exported from an existing Rhapsody installation.

Rhapsody does not support PFX files with more than one private key. Before importing any PFX file that contains multiple private keys, ensure you convert it into multiple PFX files, with each containing a single private key.
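
One way to carry out the conversion described above with the OpenSSL command-line tool, as an added example that is not part of the Rhapsody product or its documentation: `pfx_key_count` reports how many private keys a PFX holds, and `pfx_split` writes one PFX per key, pairing each key with the certificate whose public key matches. The function names and the `PFX_PASS` environment variable are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not vendor code. Assumes the OpenSSL CLI; names are hypothetical.
# The PFX password is read from the PFX_PASS environment variable so that it
# does not appear on the command line.

# Print the number of private keys in a PFX (0 if it cannot be opened).
pfx_key_count() {
    openssl pkcs12 -in "$1" -nocerts -nodes -passin env:PFX_PASS 2>/dev/null |
        grep -c -- '-BEGIN .*PRIVATE KEY-' || true
}

# Write each PEM block read on stdin to its own file: <prefix>1.pem, <prefix>2.pem, ...
split_pem() {
    awk -v p="$1" '/-BEGIN /{n++; f = p n ".pem"} f{print > f} /-END /{close(f); f = ""}'
}

# pfx_split IN.pfx OUTDIR: write OUTDIR/key1.pfx, key2.pfx, ... and print how many.
pfx_split() {
    local src=$1 out=$2 tmp k c pub i=0
    tmp=$(mktemp -d) || return 1          # mode 0700; holds unencrypted keys briefly
    openssl pkcs12 -in "$src" -nocerts -nodes -passin env:PFX_PASS 2>/dev/null |
        split_pem "$tmp/key"
    openssl pkcs12 -in "$src" -nokeys -passin env:PFX_PASS 2>/dev/null |
        split_pem "$tmp/crt"
    mkdir -p "$out"
    for k in "$tmp"/key*.pem; do
        pub=$(openssl pkey -in "$k" -pubout 2>/dev/null) || continue
        [ -n "$pub" ] || continue
        for c in "$tmp"/crt*.pem; do
            # A certificate belongs to a key when their public keys are identical.
            if [ "$pub" = "$(openssl x509 -in "$c" -noout -pubkey 2>/dev/null)" ]; then
                i=$((i + 1))
                openssl pkcs12 -export -inkey "$k" -in "$c" \
                    -out "$out/key$i.pfx" -passout env:PFX_PASS
                break
            fi
        done
    done
    rm -rf "$tmp"                         # remove the unencrypted key material
    echo "$i"
}
```

Each output file contains only the key and its matching certificate, not any intermediate CA certificates from the original, and is protected with the same password. A PFX encrypted with older algorithms may need the `-legacy` option under OpenSSL 3.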

Viewing SSL Private Keys

To view the SSL private keys registered on the Rhapsody server, navigate to View>Certificate and Key Manager and select the SSL Private Keys tab.

The tab provides the following information:

  • Alias: The unique user-defined name for the key.
  • Key Type: Identifies the encryption algorithm used.
  • Key Size: The bit size of the key.

You can perform the following actions from the tab via buttons or the right-click menu:

  • Import...: Add an SSL private key.
  • Export...: Save an SSL private key by exporting it.
  • Generate New...: Generate a new SSL private key.
  • Remove: Delete an SSL private key.
  • Show Uses: Open the Security Object Uses dialog to display the components an SSL private key is being used in. Double-click a component to view or edit its configuration properties.
  • Filter: Perform text-based filtering of the list of displayed SSL private keys.

Importing SSL Private Keys

You can import a private key and certificate pair (*.pfx file) that has previously been obtained from a recognized Certification Authority such as Microsoft®, Verisign or Thawte, or exported from another Rhapsody installation.

To import a private key:

  1. Navigate to View>Certificate and Key Manager.
  2. On the SSL Private Keys tab, select the Import... button. The Import Private Key dialog is displayed.

  3. Enter: 
    • A name in the Key Alias field to identify the key, if required.
    • The path of the key you want to import in the Filename field or click the Browse link to locate it.
    • The password to decrypt the file in the Password field.
  4. Select the Import button to import the key.

Exporting SSL Private Keys

The 'Export SSL private keys' access right is required to export SSL private keys. By default, this privilege is only given to the root Administrator user.

You can export a private key and certificate pair to a *.pfx file, which can then be imported into another Rhapsody server.

To export a private key:

  1. Navigate to View>Certificate and Key Manager.
  2. On the Private Key Management tab, select the key you want to export, and then select the Export... button. The Export SSL Private Key dialog is displayed.

  3. Enter the password to encrypt the file.
  4. Confirm your password, and select the OK button.
  5. If required, change the name of the .pfx file, and select the Save button.

Generating a New Certificate and Private Key

Rhapsody can generate both self-signed and issuer-signed certificates. You can use a private key and certificate pair for:

  • TCP communication points that use SSL/TLS
  • HTTPS communication points
  • Web service hosting
  • The HTTPS connector for the Management Console

To generate a new certificate and private key pair:

  1. Navigate to View>Certificate and Key Manager.
  2. On the SSL Private Keys tab, select the Generate New... button (the button is only available if the engine you are connected to supports certificate generation). The Generate New Certificate dialog is displayed.

  3. Enter the following details:

    Certificate Subject Name
      • Common Name: Required. The common name of the entity to which you want to issue the certificate.
      • Organization Unit: Optional. The unit within the organization to which you want to issue the certificate.
      • Organization: Optional. The organization to which you want to issue the certificate.
      • Locality: Optional. The address of the organization to which you want to issue the certificate.
      • State: Optional. The state in which the organization is located.
      • Country: Optional. The country in which the organization is located.

    Certificate Parameters
      • Key Algorithm: Optional. Either DSA or RSA. The key algorithm defines the steps followed by Rhapsody to produce the encrypted file.
      • Key Size (bits): Optional. Size of the key. The size must be valid for the key algorithm, and is automatically updated when you select the Key Algorithm.
      • Signature Algorithm: Optional. The algorithm you want to use to sign the certificate. It helps verify that the data has not been changed after it is signed, thus providing message integrity. The signature algorithm is automatically updated when you select the Key Algorithm.
      • Expiry Date: Required. The expiry date you select must be in the future. If you do not select an expiry date, the certificate is set to expire within one year of creation, by default.
      • Sign using existing private key: Optional. If you want to sign the certificate using a key from the Rhapsody certificate store, select this checkbox, then click the Select Private Key link to locate the key. You can sign certificates with an existing key only if you have the appropriate access rights.

    Certificate DNS Names
      • Enter the DNS names to include in the certificate (one per line): Optional.

    New Certificate Location
      • Filename: Required. Click the Browse link to select the location to which you want to save the certificate and private key.
      • Password: Required. The password you want to use to encrypt the generated PKCS#12 file containing the private key and certificate.
      • Confirm: Required. Confirm your password.

  4. Select the Generate button to generate the certificate and private key. If successful, a dialog is displayed with the following message:
    The certificate and private key were successfully saved to <filename>. Import the private key into Rhapsody's certificate store?

    You are prompted to import the private key into Rhapsody only if you have the 'Edit certificates and keys' access right.

    If you select the Yes button, the Import SSL Private Key dialog is displayed. Enter a name to identify the private key, then select the Import button.

Removing a Certificate and Private Key

Deleting a private key automatically deletes the certificate associated with the private key.

To delete a certificate and private key pair:

  1. Navigate to View>Certificate and Key Manager.
  2. On the SSL Private Keys tab, select the key you want to remove.
  3. Select the Remove button. A confirmation is displayed with the following message:
    The certificate associated with this private key will be automatically removed when you remove the private key. Are you sure you want to delete private key "<name>" from the server?

  4. Select the Yes button to remove the key (you can undo the deletion by selecting the Undo Remove button).