Friday, 11 December 2015

WebSphere DataPower Renewing a Certificate with an Existing Key


Question

Is it possible to renew a soon to be expired certificate with its existing key?

Cause

Certificate expiration and need to renew.

Answer

Yes, this can be done. Private keys never expire.
The first step is to navigate to Administration -> Miscellaneous -> Crypto Tools. On that page set all of the radio buttons ("Export Private Key", "Generate Self-Signed Certificate", "Export Self-Signed Certificate" and "Generate Key and Certificate Objects") to "off".
Next, enter the name of the existing key object in the "Using Existing Key Object" field and set the Validity Period field to the desired value. A new CSR (Certificate Signing Request) is generated; submit it to a CA (Certificate Authority), e.g. Verisign, to obtain the new certificate.



Generating keys and certificates

You can generate a private cryptographic key and optionally a self-signed certificate from the Crypto Tools page. The Certificate Signing Request (CSR) needed by a certificate authority (CA) is created by default.
If the file is stored in the cert: directory, it cannot be edited. If a file is stored in the local: directory or in the temporary: directory, it can be edited.
To generate a key:
  1. Click Administration → Miscellaneous → Crypto Tools.
  2. Define the LDAP entry.
    1. Set LDAP (reverse) Order of RDNs to indicate whether to create the LDAP entry in reverse RDN order.
      on
      Creates the entry in reverse RDN order.
      off
      (Default) Creates the entry in forward RDN order.
    2. Optional: In the Country Name (C) field, enter a country name.
    3. Optional: In the State or Province (ST) field, enter a state name or a province name.
    4. Optional: In the Locality (L) field, enter a locality name.
    5. Optional: In the Organization (O) field, enter the name of an organization.
    6. Optional: In the Organizational Unit (OU) field, enter the name of an organizational unit.
    7. Optional: In the Organizational Unit 2 (OU), Organizational Unit 3 (OU), and Organizational Unit 4 (OU) fields, enter the names of additional organizational units.
    8. In the Common Name (CN) field, enter a common name.
  3. From the RSA Key Length list, select the key length. This defaults to 1024.
  4. In the File Name field, enter the name of the key file to generate. The value takes the directory:///name form. Leave blank to allow the action to create the name.
  5. In the Validity Period field, enter the number of days that the key is valid.
  6. In the Password field, enter a password to access the key file. The password must be at least six characters in length.
  7. In the Password Alias field, enter a password alias to access the key file.
  8. On HSM-equipped appliances, set Private Key Exportable via hsmkwk to indicate whether the key can be exported with the HSM key-wrapping-key. The default value is off.
    Note: On Type 7199 appliances, you must select on or the operation will fail. The ability to do a subsequent export of the key cannot be disabled.
    on
    Indicates that the key can be exported.
    off
    (Default) Indicates that the key cannot be exported.
  9. Set Export Private Key to indicate whether the action writes the key file to the temporary: directory.
    on
    Writes the key file to the temporary: directory.
    off
    (Default) Does not write the key file to the temporary: directory.
  10. Set Generate Self-Signed Certificate to indicate whether the action creates a self-signed certificate that matches the key.
    on
    (Default) Creates a self-signed certificate.
    off
    Does not create a self-signed certificate.
  11. Set Export Self-Signed Certificate to indicate whether the action writes the self-signed certificate to the temporary: directory.
    on
    (Default) Writes the self-signed certificate to the temporary: directory.
    off
    Does not write the self-signed certificate to the temporary: directory.
  12. Set Generate Key and Certificate Objects to indicate whether the action automatically creates the objects from the generated files.
    on
    (Default) Creates the objects from the generated files.
    off
    Does not create the objects from the generated files.
  13. In the Object Name field, enter the name to use for the Key object and for the Certificate object. Leave blank to allow the action to generate the names from the input information (based on the Common Name (CN) or File Name property).
  14. On HSM-equipped appliances, set Generate Key on HSM to indicate whether to create the key on the HSM.
    on
    Creates the key on the HSM. On Type 9235 appliances, the file name (URL) for the key has the hsm://hsm1/name format. On Type 7199 appliances, the file name (URL) for the key has the hsm://hsm2/name format.
    off
    Creates the key on the appliance. The file name (URL) for the key has the cert:///name format.
  15. In the Using Existing Key Object field, enter the name of an existing key. If supplied and valid, the action generates a new certificate and a new Certificate Signing Request (CSR) that is based on the key in the identified Key object. In this case, the appliance does not generate a new key.
  16. Click Generate Key to generate a private key and, if requested, a self-signed certificate. A CSR is created automatically.
  17. Follow the prompts.
The CSR can be submitted to a certificate authority (CA) to receive a certificate that is based on this private key. This action creates the following files and objects:
  • Creates the private key file in the cert: directory; for example, cert:///sample-privkey.pem
  • Creates the CSR in the temporary: directory; for example, temporary:///sample.csr
  • If Generate Self-Signed Certificate is enabled, creates a self-signed certificate in the cert: directory; for example, cert:///sample-sscert.pem
  • If Export Self-Signed Certificate is enabled, creates a copy of the self-signed certificate in the temporary: directory; for example, temporary:///sample-sscert.pem
  • If Generate Key and Certificate Objects is enabled, creates a Key object and a Certificate object
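Before the certificate returned by the CA is uploaded and bound to the existing Key object (the renewal flow in the Answer above and in step 15), it is worth confirming that it really carries the public key of that key pair, and that the key is not the 1024-bit default. The following standard-library Python script is an added example, not DataPower or IBM code: it extracts the SubjectPublicKeyInfo from the appliance's CSR (temporary:///name.csr) and from the issued certificate, compares the two byte-for-byte, and reports the RSA modulus size. The PEM blobs it uses are constructed inline from a made-up modulus with placeholder names and dates so that it runs offline; the function names are this example's own.

```python
# Added example (not DataPower/IBM code): confirm that a renewed certificate
# carries the same public key as the CSR produced from the existing key object.
# The sample PEM blobs are constructed below from a made-up modulus.
import base64
import hashlib
import re

# --- minimal DER encoder, used only to build the constructed sample inputs ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    return tlv(0x02, (b"\x00" if b[0] & 0x80 else b"") + b)

def der_seq(*items):
    return tlv(0x30, b"".join(items))

RSA_OID = bytes.fromhex("06092a864886f70d010101")        # rsaEncryption
SHA256_RSA_OID = bytes.fromhex("06092a864886f70d01010b")  # sha256WithRSAEncryption
NULL = b"\x05\x00"

def spki(modulus, exponent=65537):
    """SubjectPublicKeyInfo for an RSA key (RFC 5280 / RFC 3279 layout)."""
    rsa_pub = der_seq(der_int(modulus), der_int(exponent))
    return der_seq(der_seq(RSA_OID, NULL), tlv(0x03, b"\x00" + rsa_pub))

def pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# --- minimal DER walker: the part to reuse on real CSR and certificate files ---
def der_children(buf):
    """Split the body of a constructed element into (tag, body) pairs."""
    out, i = [], 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:                       # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        out.append((tag, buf[i:i + n]))
        i += n
    return out

def unwrap(der):                           # body of the single outer element
    return der_children(der)[0][1]

def pem_to_der(text):
    b64 = re.search(r"-----BEGIN [^-]+-----(.*?)-----END", text, re.S).group(1)
    return base64.b64decode("".join(b64.split()))

def spki_from_cert(der):
    # tbsCertificate ::= SEQ { [0] version OPTIONAL, serial, sigAlg, issuer,
    #                          validity, subject, subjectPublicKeyInfo, ... }
    tbs = der_children(unwrap(unwrap(der)))
    if tbs[0][0] == 0xA0:
        tbs = tbs[1:]
    return tlv(*tbs[5])

def spki_from_csr(der):
    # CertificationRequestInfo ::= SEQ { version, subject, subjectPKInfo, [0] attrs }
    return tlv(*der_children(unwrap(unwrap(der)))[2])

def rsa_bits(spki_der):
    _algo, bitstr = der_children(unwrap(spki_der))
    modulus, _exp = der_children(unwrap(bitstr[1][1:]))   # skip unused-bits octet
    return int.from_bytes(modulus[1], "big").bit_length()

def check_renewal(csr_pem, cert_pem):
    """(same_key, rsa_bits): does the issued certificate carry the CSR's key?"""
    cert_spki = spki_from_cert(pem_to_der(cert_pem))
    return cert_spki == spki_from_csr(pem_to_der(csr_pem)), rsa_bits(cert_spki)

# --- constructed sample data (made-up modulus, placeholder names and dates) ---
MODULUS = (1 << 2047) | int("C0FFEE" * 85, 16) | 1      # 2048-bit, not a real key
EXISTING_KEY_SPKI = spki(MODULUS)
_SIG = tlv(0x03, b"\x00" * 33)                            # placeholder signature

def build_sample_csr(spki_der):
    cri = der_seq(der_int(0), der_seq(), spki_der, tlv(0xA0, b""))
    return der_seq(cri, der_seq(SHA256_RSA_OID, NULL), _SIG)

def build_sample_cert(spki_der):
    validity = der_seq(tlv(0x17, b"151211000000Z"), tlv(0x17, b"161211000000Z"))
    tbs = der_seq(tlv(0xA0, der_int(2)), der_int(4711), der_seq(SHA256_RSA_OID, NULL),
                  der_seq(), validity, der_seq(), spki_der)
    return der_seq(tbs, der_seq(SHA256_RSA_OID, NULL), _SIG)

SAMPLE_CSR_PEM = pem("CERTIFICATE REQUEST", build_sample_csr(EXISTING_KEY_SPKI))
SAMPLE_CERT_PEM = pem("CERTIFICATE", build_sample_cert(EXISTING_KEY_SPKI))
# a certificate issued for some other key, simulating a mix-up at the CA or in handling
OTHER_CERT_PEM = pem("CERTIFICATE", build_sample_cert(spki(MODULUS ^ 0xFF00)))

if __name__ == "__main__":
    for name, cert in (("renewed", SAMPLE_CERT_PEM), ("wrong", OTHER_CERT_PEM)):
        same, bits = check_renewal(SAMPLE_CSR_PEM, cert)
        print(f"{name}: key match={same}, RSA {bits} bits, "
              f"SPKI sha256={hashlib.sha256(spki_from_cert(pem_to_der(cert))).hexdigest()[:16]}")
```

On a real renewal, replace the two sample PEM strings with the contents of the CSR the appliance wrote to temporary: and the certificate file the CA returned; a `False` result means the certificate was issued for a different key and must not be attached to the existing Key object, and a modulus below 2048 bits is the signal to move off the 1024-bit default in step 3 at the next renewal.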
If the action creates a self-signed certificate, you can use this certificate-key pair for the following purposes:
  • Establish Identification Credentials
  • Encrypt or decrypt XML documents