Managing Certificates in Policy Manager
A summary of how Policy Manager manages different types of certificates, including certificates generated by Policy Manager, Trusted CA (Certificate Authority) Certificates stored in the Policy Manager trust store, and user and listener certificates.
Table of Contents
- Overview
- Policy Manager as a Certificate Authority
- Trusted CA Certificates: the Policy Manager Trust Store
- User and Listener Certificates
- Certificate Renewal
Overview
Policy Manager offers the following options for managing certificates, in Configure > Security > Certificates:
- Certificate Authority: Information about the platform as a Certificate Authority. See Policy Manager as a Certificate Authority.
- Trusted CA Certificates: The Policy Manager trust store, which includes certificates from trusted Certificate Authorities such as Verisign. See Trusted CA Certificates: the Policy Manager Trust Store.
- Certificate Renewal: Allows you to configure a custom email to be sent to a user when the user certificate is about to expire or has expired. See Certificate Renewal.
Policy Manager as a Certificate Authority
In the Policy Manager Certificates page, you can review and manage information relating to the built-in Certificate Authority offered by the platform.
Navigation: Configure > Security > Certificates > Certificate Authority.
On this page you can:
- Manage CDP Options
- Regenerate CA Certificate
- Renew CA Certificate
- Import CA Certificate
- Generate CA CSR
- Export CA Certificate
- Delete CA Certificate
- Issue Certificate
Trusted CA Certificates: the Policy Manager Trust Store
The Policy Manager trust store is the secure repository for trusted CA certificates uploaded to the platform.
If you want the Akana platform to trust a CA that's internal to your company, or an external CA such as Digicert, you must upload the CA certificate to the Policy Manager trust store, so that the platform can successfully send messages to endpoints secured by a certificate signed by that CA. For example, let's say one of your services is a proxy service to google.com. Google.com has a certificate issued by a CA. If that CA is not in the Policy Manager trust store and you try to call the API, the platform returns an error because the endpoint is not trusted. For a call to a secure endpoint to succeed, the CA must be present in Trusted CA Certificates.
In the Community Manager developer portal, you have the option to create an API by specifying a URL, for example the URL of a WSDL or Swagger description file. If the endpoint is HTTPS, the CA that issued the endpoint's certificate must be in the Policy Manager trust store. If it is not, the platform returns an error and does not allow you to access the endpoint, since its certificate cannot be validated. Part of setup is making sure that the CAs you will be using are in the trust store.
Navigation: Configure > Security > Certificates > Trusted CA Certificates.
For more information, and instructions, see Trusted CA Certificates.
User and Listener Certificates
User certificates are not shown in the Certificates section of Policy Manager, since they are assigned at the level of the individual user. To assign a certificate to a user in Policy Manager, go to Security > Users, choose the user, and click Manage PKI Keys. For information about using this wizard, including setting up the certificate details, see Manage PKI Keys.
You can view a user certificate in the context of the specific user, and a listener certificate in the context of the listener.
Certificate Renewal
The Certificate Renewal option allows you to configure a custom email to be sent when the user certificate is about to expire or has expired.
Navigation: Configure > Security > Certificates > Certificate Renewal.
In this context, the term user certificate applies to these categories of certificates:
- Certificate for a login user
- Certificate associated with a service
- Listener certificate
It does not apply to Trusted CA Certificates.
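The two behaviours described on this page, outbound calls failing when the endpoint's CA is absent from the trust store, and renewal notices for user, service and listener certificates but not for trusted CA certificates, are illustrated below in an added example built on Python's standard-library ssl module. This is not Akana's or Policy Manager's code: the function names, the certificate record layout, the category labels and the sample records are assumptions made for the example.

```python
"""Added example (not Policy Manager's code): a TLS client context bound to
an explicit trust store, a probe that reports why an endpoint was rejected,
and a renewal check over certificate records, using only the standard
library. Names, record layout and sample data are assumptions."""
import socket
import ssl
from datetime import datetime, timezone


def build_client_context(trust_store_path=None):
    """Client context that requires the server chain to end at a trusted CA.

    trust_store_path=None uses the platform's default CA bundle; a path
    restricts trust to the CAs in that file, mirroring a trust store to
    which only approved CA certificates have been uploaded.
    """
    ctx = ssl.create_default_context(cafile=trust_store_path)
    # create_default_context already sets these; restated so the
    # security-relevant settings are visible in one place.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_strict(ctx):
    """True when the context refuses unverified or mis-named peers."""
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


def probe_endpoint(host, port=443, trust_store_path=None, timeout=5.0):
    """Attempt a TLS handshake and report whether the chain was trusted.

    On failure the returned dict carries the verification message, which
    is what an operator needs when a proxied call fails because the
    endpoint's issuing CA is missing from the trust store. Needs network.
    """
    ctx = build_client_context(trust_store_path)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"trusted": True, "peer": tls.getpeercert()}
    except ssl.SSLCertVerificationError as exc:
        return {"trusted": False, "error": exc.verify_message}
    except (ssl.SSLError, OSError) as exc:
        return {"trusted": False, "error": str(exc)}


# Categories covered by certificate renewal notices (assumed labels for the
# three kinds listed on the page); trusted CA certificates are excluded.
RENEWAL_CATEGORIES = {"login_user", "service", "listener"}


def days_until_expiry(not_after, now):
    """Days from `now` to notAfter; negative means already expired.

    `not_after` uses the string form found in ssl.getpeercert() output,
    for example 'Jan  5 09:59:00 2030 GMT'.
    """
    expiry = ssl.cert_time_to_seconds(not_after)
    return (expiry - now.timestamp()) / 86400


def renewal_status(days_left, warn_days=30):
    """Classify a certificate by remaining lifetime."""
    if days_left < 0:
        return "expired"
    if days_left <= warn_days:
        return "expiring"
    return "ok"


def certificates_needing_notice(records, now, warn_days=30):
    """Return (owner, category, status, days) for records that need an email."""
    notices = []
    for rec in records:
        if rec["category"] not in RENEWAL_CATEGORIES:
            continue  # trusted CA certificates never trigger a renewal email
        days = days_until_expiry(rec["notAfter"], now)
        status = renewal_status(days, warn_days)
        if status != "ok":
            notices.append((rec["owner"], rec["category"], status, round(days)))
    return notices


# Constructed sample records (not real certificates or platform data).
SAMPLE_RECORDS = [
    {"owner": "alice", "category": "login_user", "notAfter": "Feb  1 00:00:00 2025 GMT"},
    {"owner": "orders-svc", "category": "service", "notAfter": "Jan 20 00:00:00 2025 GMT"},
    {"owner": "https-listener", "category": "listener", "notAfter": "Jun 30 00:00:00 2025 GMT"},
    {"owner": "Internal Root CA", "category": "trusted_ca", "notAfter": "Jan 10 00:00:00 2025 GMT"},
]
SAMPLE_NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    for notice in certificates_needing_notice(SAMPLE_RECORDS, SAMPLE_NOW):
        print(notice)
```

Running the module lists the login user and service certificates that fall inside the 30-day warning window; the expired "Internal Root CA" record is skipped because trusted CA certificates are outside the scope of renewal notices. `probe_endpoint` is the diagnostic to run when a proxied call is rejected: with the CA's file passed as `trust_store_path` the handshake succeeds, and without it the returned error text names the verification failure.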
For more information, see Certificate Renewal Configuration.