Trusted CA Certificates

Learn how to view, configure and manage Trusted CA Certificates.

About Trusted CA Certificates

A trusted CA certificate is a certificate generated by a Certificate Authority, an external third-party company that is qualified with a specified level of trust.

Trusted CA Certificates that are imported into Policy Manager are displayed in the Configure > Security > Certificates > Trusted CA Certificates section, on the Trusted CA Certificates Summary page.

There are two basic categories of certificates in the Policy Manager trust store:

  • Container certificates—Added automatically as a container gets registered or provisioned. When you register a Network Director or provision a container, the certificate for the container is automatically created and added to the trust store.
  • Trusted CA certificates—Whether it's Network Director, Policy Manager, or the Community Manager developer portal, when the platform reaches out to a secure endpoint, the call succeeds only if the CA certificate that issued the endpoint's certificate is in the Policy Manager trust store. This could include a self-signed certificate: for example, in a scenario where an internal application is accessing internal APIs.

You can manually add a CA certificate to the Policy Manager trust store in these ways:

Certificate expiration—For information about the alerts that are generated when certificates in the Trust Store are getting close to their expiration dates, or have expired, see Managing Certificate Expiration.

Notes:

  • Trusted CA certificates are used when an identity is being validated as the entity it claims to be.
  • Certificates imported into Policy Manager must be issued by a Trusted CA Authority.
  • Trusted CA Certificates must be configured prior to importing X.509 certificates for Service, User, Container, or Management Console operations.
  • The alias name of a Trusted CA Certificate can be at most 64 characters long and can only include alphanumeric characters.

Add Trusted CA Certificates (CER or DER)

If you want to add a new Trusted CA Certificate to the set that is already in the Policy Manager vault, you must create a Java keystore file that has all the Trusted CA Certificates plus the new one that you want to add to the Policy Manager vault.

For example, if the Policy Manager vault has trusted certificates A, B and C, and you want to add certificate D, the Java keystore file used during the update process must have certificates A, B, C and D.

Note: As a prerequisite for configuring outbound HTTPS certificates, Trusted CA Certificates must be present. A default set of Trusted CA Certificates is added when the "Policy Manager Services" feature is installed using the Akana Administration Console. The "Policy Manager Console" feature must also be installed in order to access the Trusted CA Certificates functions through the Policy Manager Management Console.

To add a trusted CA certificate (CER or DER)

  1. Go to Configure > Security > Certificates > Trusted CA Certificates. The View Trusted CA Certificate page is displayed.
  2. Click Add Trusted CA Certificate. The Add Trusted CA Certificate screen displays.
  3. Click Browse, and upload the certificate file (CER or DER format).
  4. Click Apply. The certificate is added to the Policy Manager keystore.

Import Trusted CA Certificates from Keystore

Import Trusted CA Certificates into Policy Manager.

Notes:

  • Certificates imported into Policy Manager must be issued by a Trusted CA Authority.
  • Trusted CA Certificates must be configured prior to importing X.509 certificates for Service, User, Container, or Management Console operations.
  • Imported Trusted CA Certificates will be displayed on the Trusted Certificates Summary screen.

To import a trusted CA certificate from a keystore

  1. Go to Configure > Security > Certificates > Trusted CA Certificates. The View Trusted CA Certificate page is displayed.
  2. Click Import Trusted CA Certificates from Keystore.
  3. Click the Java or PKCS12 radio button.
  4. Do one of the following:
    • In the "Keystore path" field, enter the path to the keystore file that contains the Trusted CA Certificates to be imported into Policy Manager.
    • Click Browse to navigate to the directory where that keystore file is stored and select it.
  5. In the Keystore Password field, enter the password and confirm it.
  6. Click Finish. The Trusted CA Certificate is added to the Policy Manager keystore.

View Trusted CA Certificates

View summary details for the currently selected Trusted CA Certificate.

  1. Go to Configure > Security > Certificates > Trusted CA Certificates. The View Trusted CA Certificate screen displays.
  2. Click View CA Trusted Certificate.

    The View Trusted CA Certificate screen displays, including the following attributes:

    • Public Key—Value provided by some designated authority as an encryption key that, together with its corresponding private key, is used to encrypt messages and to create and verify digital signatures.
    • Issuer Distinguished Name (DN)—Includes key identifier information including, geographical identifiers (for example, country, state, province), organization and organizational unit.
    • Subject Distinguished Name (DN)—Includes key identifier information including but not limited to certificate name, organization and organization unit, and geographical identifiers (for example, country, state, province).
    • Serial Number—Represents the serial number assigned by the issuer of the certificate. The Issuer Name and the Serial Number must match the Certificate Authority key identifier of the current certificate.
    • Effective Date—Represents the date that the certificate became active.
    • Expiration Date—Represents the date that the certificate expires.
  3. Click Cancel to exit.

Delete Trusted CA Certificates

When you import Trusted CA Certificates from a keystore, all the Trusted CA Certificates in the Policy Manager vault are overwritten by the certificates in the Java keystore file being used. Therefore, if you want to delete a certificate from the set of Trusted CA Certificates in the Policy Manager vault, you must have a Java keystore file that contains all the Trusted CA Certificates except the one you want to delete, and use that Java keystore file during the update process.

For example, if the Policy Manager vault has Trusted CA Certificates A, B and C, and you want to delete certificate B, then the Java keystore file used during the update process must have certificates A and C.
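Because a keystore import replaces the whole vault, both the add scenario (A, B, C plus D) and the delete scenario (A, B, C minus B) above come down to rebuilding one keystore that holds exactly the intended set. The following script is an added example, not part of this documentation or the Akana product: it computes that set, enforces the alias rule stated above (at most 64 alphanumeric characters), and emits the keytool commands to build a PKCS12 keystore from per-alias .cer files. The file naming (<alias>.cer), the keystore name and the store password are assumptions.

```python
import re
import shlex
from typing import Iterable

# Alias rule from the page: 1 to 64 alphanumeric characters, nothing else.
ALIAS_RE = re.compile(r"^[A-Za-z0-9]{1,64}$")


def validate_alias(alias: str) -> str:
    """Return the alias unchanged if it satisfies the alias naming rule."""
    if not ALIAS_RE.match(alias):
        raise ValueError(f"invalid alias {alias!r}: need 1-64 alphanumeric characters")
    return alias


def plan_truststore(current: Iterable[str], add: Iterable[str] = (),
                    remove: Iterable[str] = ()) -> set:
    """Compute the alias set the rebuilt keystore must contain.

    The import overwrites the vault, so the keystore must hold every
    certificate to keep, plus the additions, minus the removals.
    """
    current, add, remove = set(current), set(add), set(remove)
    for alias in current | add | remove:
        validate_alias(alias)
    missing = remove - current
    if missing:
        raise ValueError(f"cannot remove aliases not in the vault: {sorted(missing)}")
    return (current | add) - remove


def keytool_commands(aliases: Iterable[str], keystore: str = "truststore.p12",
                     storepass: str = "CHANGEME") -> list:
    """One keytool -importcert line per alias; assumes a file named <alias>.cer."""
    return [
        "keytool -importcert -noprompt -trustcacerts "
        f"-alias {shlex.quote(a)} -file {shlex.quote(a + '.cer')} "
        f"-keystore {shlex.quote(keystore)} -storetype PKCS12 "
        f"-storepass {shlex.quote(storepass)}"  # placeholder password, assumption
        for a in sorted(aliases)
    ]


if __name__ == "__main__":
    # Constructed example: vault holds A, B and C; add D and drop B.
    wanted = plan_truststore(["A", "B", "C"], add=["D"], remove=["B"])
    print("keystore must contain:", sorted(wanted))
    for cmd in keytool_commands(wanted):
        print(cmd)
```

Run the printed commands, then import the resulting keystore with the "Import Trusted CA Certificates from Keystore" procedure.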

To delete a trusted CA certificate

  1. Go to Configure > Security > Certificates > Trusted CA Certificates. The View Trusted CA Certificate screen displays.
  2. Click on the line item for the Trusted Certificate you want to delete.
  3. Click Delete.
  4. At the confirmation message, click OK.

Export Trusted CA Certificates

Save a trusted CA certificate as a .CER or .DER certificate file. These certificate files can then be installed and used in other applications.

To export a trusted CA certificate

  1. Go to Configure > Security > Certificates > Trusted CA Certificates. The View Trusted CA Certificate screen displays.
  2. Click Export Trusted CA Certificate.
  3. Save the certificate file based on your browser requirements.

Trusted CA Certificate Renewal

For information about managing alerts and notifications for all types of certificates, see Managing Certificate Expiration.