Creating and installing signature certificates

This section describes signature certificates, which are used for non-repudiation and for verifying the signer.

Inbound signature certificate

The Document Manager uses the participant's signed certificate to verify the sender's signature when you receive documents. The participants send their self-signed signature certificates in X.509 DER format to you. You, in turn, install the participants' certificates through the Community Console under the respective participant's profile.

To install the certificate, use the following procedure.

  1. Receive the participant's X.509 signature certificate in DER format.
  2. Install the certificate through the Community Console under the participant's profile.
    1. Click Account Admin > Profiles > Community Participant, and search for the participant's profile.
    2. Click Certificates.
    3. Click Load Certificates.
    4. Select Digital Signature as the type of certificate.
    5. Type a description of the certificate (which is required).
    6. Change the status to Enabled.
    7. Click Browse and navigate to the directory in which you have saved the certificate.
    8. Select the certificate and click Open.
    9. Click Upload and then click Save.
  3. If the certificate was signed by a CA, and the CA root certificate and any intermediate certificates in the certificate chain are not already installed in the Hub Operator profile, install them now.
    1. Click Account Admin > Profiles > Certificates to display the Certificate List page.

      Make sure you are logged in to the Community Console as the Hub Operator, and install the certificate in your own profile.

    2. Click Load Certificate.
    3. Select Root and Intermediate.
    4. Type a description of the certificate (which is required).
    5. Change the status to Enabled.
    6. Click Browse and navigate to the directory in which you have saved the certificate.
    7. Select the certificate and click Open.
    8. Click Upload and then click Save.
    Note: You do not have to perform the previous step if the CA certificate is already installed.
  4. Enable signing at the package (highest level), participant, or connection level (lowest level). Your setting can override other settings at the connection level. The connection summary will inform you if any required attribute is missing.

    For example, to alter the attributes of a participant connection, click Account Admin > Participant Connections and then select the participants. Click Attributes and then edit the attribute (for example, AS Signed).

Outbound signature certificate

The Document Manager uses this certificate when it sends outbound, signed documents to participants. The same certificate and key are used for all ports and protocols.

You can have more than one digital signature certificate. One is the primary certificate, which is used by default. The other is a secondary certificate, which is used if the primary certificate expires or otherwise cannot be used.

Using a self-signed certificate

If you are going to use a self-signed certificate, use the following procedure.

  1. Start the iKeyman utility.
  2. Use iKeyman to generate a self-signed certificate and a key pair.
  3. Use iKeyman to extract to a file the certificate that will contain your public key.
  4. Distribute the certificate to your participants. The preferred method for distribution is to send the certificate in a zipped file that is password protected, by e-mail. Your participants must call you and request the password for the zipped file.
  5. Use iKeyman to export the self-signed certificate and private key pair in the form of a PKCS12 file.
  6. Install the self-signed certificate and private key pair in the form of a PKCS12 file through the Community Console.
    1. Click Account Admin > Profiles > Certificates to display the Certificate List page.

      Make sure you are logged in to the Community Console as the Hub Operator.

    2. Click Load PKCS12.
      Notes:
      1. The PKCS12 file being uploaded should contain only one private key and the associated certificate.
      2. You can also upload the certificate and private key as a DER-encoded certificate and PKCS#8-encoded private key.
    3. Select Digital Signature as the type of certificate.
    4. Type a description of the certificate (which is required).
    5. Change the status to Enabled.
    6. Click Browse and navigate to the directory in which you have saved the certificate.
    7. Select the certificate and click Open.
    8. Enter a password.
    9. If you have two digital signature certificates, indicate whether this is the primary or secondary certificate by selecting Primary or Secondary from the Certificate Usage list.
    10. Click Upload and then click Save.
  7. Repeat step 6 if the participant has a second signature certificate.
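The self-signed procedure above, carried out with openssl instead of iKeyman, as an added example that is not IBM's tooling or part of the original page: it produces the DER certificate for distribution (step 3), the PKCS12 bundle for upload (step 5), and checks the two things the Console requires, that the PKCS12 holds exactly one private key with its certificate, and that the distributed DER copy matches that key. File names, the subject, the validity period and the export password are assumptions.

```shell
#!/bin/sh
# Added example: openssl equivalents of the iKeyman steps above (not IBM's
# tooling). File names, the subject and the validity period are assumptions.
set -e
WORK="${WORK:-$(mktemp -d)}"
SUBJ="/CN=example-hub-signing/O=Example Hub"   # assumed subject

# Step 2: key pair plus self-signed certificate (RSA 2048, valid 2 years).
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -sha256 -days 730 -nodes \
    -subj "$SUBJ" -keyout "$WORK/sign.key" -out "$WORK/sign.pem" 2>/dev/null
}

# Step 3: the certificate alone, in X.509 DER, for distribution. The
# private key stays here; only sign.der is sent to participants.
export_der_cert() {
  openssl x509 -in "$WORK/sign.pem" -outform DER -out "$WORK/sign.der"
}

# Step 5: certificate plus private key as PKCS12 for the Console upload.
# The export password is the one entered at step 6.8.
export_pkcs12() {
  openssl pkcs12 -export -inkey "$WORK/sign.key" -in "$WORK/sign.pem" \
    -name hub-signing -passout "pass:$1" -out "$WORK/sign.p12"
}

# Pre-upload check for note 1 of step 6.2: exactly one private key and one
# certificate in the file. Prints the counts; returns 1 if either is off.
check_pkcs12_contents() {
  dump=$(openssl pkcs12 -in "$WORK/sign.p12" -passin "pass:$1" -nodes 2>/dev/null)
  keys=$(printf '%s\n' "$dump" | grep -c 'BEGIN.*PRIVATE KEY' || true)
  certs=$(printf '%s\n' "$dump" | grep -c 'BEGIN CERTIFICATE' || true)
  echo "keys=$keys certs=$certs"
  [ "$keys" -eq 1 ] && [ "$certs" -eq 1 ]
}

# Check that the DER copy carries the same public key as the private key
# going into the PKCS12, so what participants receive matches what signs.
der_matches_key() {
  openssl x509 -in "$WORK/sign.der" -inform DER -pubkey -noout > "$WORK/pub_cert.pem"
  openssl pkey -in "$WORK/sign.key" -pubout > "$WORK/pub_key.pem"
  cmp -s "$WORK/pub_cert.pem" "$WORK/pub_key.pem"
}

make_self_signed && export_der_cert && export_pkcs12 'assumed-export-pw' \
  && check_pkcs12_contents 'assumed-export-pw' && der_matches_key \
  && echo "ready to upload $WORK/sign.p12; distribute $WORK/sign.der"
```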

If you are uploading primary and secondary certificates for both SSL client authentication and digital signature and you are uploading the primary certificates as two separate entries, make sure that the corresponding secondary certificates are uploaded as two different entries.

Using a CA-signed certificate

If you are going to use a certificate signed by a CA, use the following procedure:

  1. Start the iKeyman utility.
  2. Use iKeyman to generate a certificate request and a key pair for the Receiver.
  3. Submit a Certificate Signing Request (CSR) to a CA.
  4. When you receive the signed certificate from the CA, use iKeyman to place the signed certificate into the key store.
  5. Distribute the signing CA certificate to all participants.
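The CA-signed procedure above with openssl in place of iKeyman, as an added example that is not IBM's tooling or part of the original page. Because the real CA of step 3 is outside the script, a constructed stand-in CA signs the request so the run is self-contained; the two checks are the ones worth doing before step 4 (the returned certificate belongs to the key from step 2) and around step 5 (the chain verifies only where the signing CA certificate is installed, which is what inbound step 3 asks participants to do). Subjects, file names and validity periods are assumptions.

```shell
#!/bin/sh
# Added example: openssl equivalents of the iKeyman CSR steps above, not IBM's
# tooling. The CA is a constructed stand-in so the script runs offline; in
# practice step 3 hands the CSR to your real CA. Names and paths are assumptions.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Step 2: key pair and certificate request for the Receiver.
make_csr() {
  openssl req -new -newkey rsa:2048 -sha256 -nodes -subj "/CN=example-receiver" \
    -keyout "$WORK/receiver.key" -out "$WORK/receiver.csr" 2>/dev/null
}

# Stand-in for step 3: a constructed CA signs the CSR. Not part of the
# procedure; only here so a CA-signed certificate exists to check.
sign_with_constructed_ca() {
  openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes \
    -subj "/CN=Constructed Test CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/receiver.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -out "$WORK/receiver.pem" 2>/dev/null
}

# Step 4, before placing the returned certificate in the key store: confirm
# it was issued for the key from step 2. A certificate for some other key, or
# a CSR regenerated in between, fails here rather than at the first signed send.
cert_matches_key() {
  openssl x509 -in "$WORK/receiver.pem" -pubkey -noout > "$WORK/a.pem"
  openssl pkey -in "$WORK/receiver.key" -pubout > "$WORK/b.pem"
  cmp -s "$WORK/a.pem" "$WORK/b.pem"
}

# Step 5: participants must install the signing CA certificate (inbound step
# 3); without it the chain does not verify. Returns 0 when $1 holds the CA,
# 1 otherwise, which is the failure a participant without it would see.
chain_verifies() {
  openssl verify -CAfile "$1" "$WORK/receiver.pem" > /dev/null 2>&1
}

# The CA certificate in DER, the format the inbound section expects.
export_ca_der() {
  openssl x509 -in "$WORK/ca.pem" -outform DER -out "$WORK/ca.der"
}

make_csr && sign_with_constructed_ca && cert_matches_key && export_ca_der \
  && chain_verifies "$WORK/ca.pem" \
  && echo "receiver.pem chains to ca.pem; distribute $WORK/ca.der"
```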

Copyright IBM Corp. 2003, 2005