Creating and installing signature certificates
This section describes signature certificates, which are
used for non-repudiation and for verifying the signer.
Inbound signature certificate
The Document Manager uses the participant's signed
certificate to verify the sender's signature when you receive
documents. The participants send their self-signed signature certificates
in X.509 DER format to you. You, in turn, install the participants' certificates
through the Community Console under the respective participant's profile.
To install the certificate, use the following procedure.
- Receive the participant's X.509 signature certificate in DER format.
- Install the certificate through the Community Console under the participant's profile.
  - Click Account Admin > Profiles > Community Participant, and search for the participant's profile.
  - Click Certificates.
  - Click Load Certificates.
  - Select Digital Signature as the type of certificate.
  - Type a description of the certificate (which is required).
  - Change the status to Enabled.
  - Click Browse and navigate to the directory in which you have saved the certificate.
  - Select the certificate and click Open.
  - Click Upload and then click Save.
- If the certificate was signed by a CA and the CA root certificate and any other certificates that are part of the certificate chain are not already installed in the Hub Operator profile, install the certificates now.
  - Click Account Admin > Profiles > Certificates to display the Certificate List page. Make sure you are logged in to the Community Console as the Hub Operator, and install the certificate in your own profile.
  - Click Load Certificate.
  - Select Root and Intermediate.
  - Type a description of the certificate (which is required).
  - Change the status to Enabled.
  - Click Browse and navigate to the directory in which you have saved the certificate.
  - Select the certificate and click Open.
  - Click Upload and then click Save.
  Note: You do not have to perform the previous step if the CA certificate is already installed.
- Enable signing at the package (highest level), participant, or connection level (lowest level). Your setting can override other settings at the connection level. The connection summary will inform you if any required attribute is missing.
  For example, to alter the attributes of a participant connection, click Account Admin > Participant Connections and then select the participants. Click Attributes and then edit the attribute (for example, AS Signed).
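As an added pre-install check for the inbound procedure (example code written for this page, not part of the product or its documentation), the following stand-alone Python parses a participant's DER certificate just far enough to answer the two questions the steps above raise: is it self-signed by name (issuer equals subject, so the CA chain step does not apply) and is it currently inside its validity period. The function names, the sample_certificate builder and the participant names are assumptions; the builder produces constructed test data with placeholder key and signature, so it exercises only the layout, name and date checks.

```python
from datetime import datetime, timezone

def enc(tag, content):                 # DER TLV encoder for constructed test data (len < 256)
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + content

def name(cn):                          # Name ::= SEQUENCE OF SET OF {OID commonName, UTF8String}
    attr = enc(0x30, enc(0x06, b"\x55\x04\x03") + enc(0x0C, cn.encode()))
    return enc(0x30, enc(0x31, attr))

def sample_certificate(subject_cn, issuer_cn, not_before, not_after):
    """Constructed stand-in with the real X.509 field order; key and signature
    are placeholders, so it only exercises the layout, name and date checks."""
    alg = enc(0x30, enc(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"))  # sha256WithRSA
    validity = enc(0x30, enc(0x17, not_before.encode()) + enc(0x17, not_after.encode()))
    tbs = (enc(0xA0, enc(0x02, b"\x02")) + enc(0x02, b"\x01") + alg + name(issuer_cn)
           + validity + name(subject_cn) + enc(0x30, b""))
    return enc(0x30, enc(0x30, tbs) + alg + enc(0x03, b"\x00" * 17))

def tlv(buf, pos=0):                   # decode one TLV -> (tag, value, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long-form length
        size = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    return tag, buf[pos:pos + length], pos + length

def children(value):                   # (tag, value) pairs inside a constructed value
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def parse_time(tag, val):              # 0x17 UTCTime, 0x18 GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode(), fmt).replace(tzinfo=timezone.utc)

def inspect_certificate(der, now=None):
    """Self-signed check (issuer name == subject name, so no CA chain to install) plus validity."""
    if der[:1] != b"\x30":
        raise ValueError("not DER: convert PEM or other encodings before uploading")
    _, cert, end = tlv(der)
    if end != len(der):
        raise ValueError("trailing bytes after the certificate")
    fields = children(children(cert)[0][1])     # tbsCertificate
    if fields[0][0] == 0xA0:                    # optional [0] EXPLICIT version
        fields = fields[1:]
    issuer, validity, subject = fields[2][1], fields[3][1], fields[4][1]
    not_before, not_after = (parse_time(t, v) for t, v in children(validity))
    return {"self_signed": issuer == subject, "not_after": not_after,
            "valid_now": not_before <= (now or datetime.now(timezone.utc)) <= not_after}
```

A "self_signed" result of False means the CA root and intermediate certificates must also be present in the Hub Operator profile before the participant's signatures will verify.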
Outbound signature certificate
The Document Manager uses this certificate when it sends
outbound, signed documents to participants. The same certificate
and key are used for all ports and protocols.
You can have more than one
digital signature certificate. One is the primary certificate, which
is the one used by default. The other is a secondary certificate,
which is used if the primary certificate expires or is otherwise
unable to be used.
Using a self-signed certificate
If you are going to use a self-signed certificate, use
the following procedure.
- Start the iKeyman utility.
- Use iKeyman to generate a self-signed certificate and a key
pair.
- Use iKeyman to extract to a file the certificate that will contain
your public key.
- Distribute the certificate to your participants. The preferred
method for distribution is to send the certificate in a zipped file
that is password protected, by e-mail. Your participants must call
you and request the password for the zipped file.
- Use iKeyman to export the self-signed certificate and private
key pair in the form of a PKCS12 file.
- Install the self-signed certificate and private key pair in the form of a PKCS12 file through the Community Console.
  - Click Account Admin > Profiles > Certificates to display the Certificate List page. Make sure you are logged in to the Community Console as the Hub Operator.
  - Click Load PKCS12.
    Notes:
    - The PKCS12 file being uploaded should contain only one private key and the associated certificate.
    - You can also upload the certificate and private key as a DER-encoded certificate and PKCS#8-encoded private key.
  - Select Digital Signature as the type of certificate.
  - Type a description of the certificate (which is required).
  - Change the status to Enabled.
  - Click Browse and navigate to the directory in which you have saved the certificate.
  - Select the certificate and click Open.
  - Enter a password.
  - If you have two digital signature certificates, indicate whether this is the primary or secondary certificate by selecting Primary or Secondary from the Certificate Usage list.
  - Click Upload and then click Save.
- Repeat step 6 if the participant has a second signature certificate.
If you are uploading primary and secondary certificates for both
SSL client authentication and digital signature and you are uploading
the primary certificates as two separate entries, make sure that
the corresponding secondary certificates are uploaded as two different
entries.
Using a CA-signed certificate
If you are going to use a certificate signed by a CA,
use the following procedure:
- Start the iKeyman utility.
- Use iKeyman to generate a certificate request and a key pair
for the Receiver.
- Submit a Certificate Signing Request (CSR) to a CA.
- When you receive the signed certificate from the CA, use iKeyman
to place the signed certificate into the key store.
- Distribute the signing CA certificate to all participants.
