25.7 Creating Keystores and Trust Stores

A keystore is a storage file containing keys, certificates, and trusted roots. Access Manager agents can access it to retrieve certificates, keys, and trusted roots as needed. A trust store is a keystore containing only trusted roots. Intermediate CAs and end entity public certificates can be part of a trust store.

Access Manager comes with predefined stores for certificate management. However, in certain situations you might need to create a keystore or trust store. For example, if you are using JBoss keystore certificates that you need to import into Access Manager, you must create a keystore and assign it to the JBoss agent. The keystore probably already exists on the JBoss file system, created and configured by JBoss. Creating it again through Access Manager does not delete the existing keystore; instead, it allows Access Manager to recognize the existing keystore and to add or remove certificates in it. Access Manager cannot manage certificates that were created before the keystore is created in Access Manager.

The easiest way to create a keystore is to do so when you are adding the certificate to the keystore. If you want to create a trust store, the steps are identical, except you select trusted roots from the Trusted Roots page, rather than the certificates from the Certificates page.

A keystore stores only one certificate at a time. When you replace a certificate, you overwrite the existing one.

  1. In the Administration Console, click Certificates.

  2. Import the certificate, if you have not done so already. See Section 24.3, Importing a Private/Public Key Pair.

  3. Click the certificate name.

  4. In the Certificate Details page, click Add Certificate to Keystores...

  5. On the Add Certificate to Keystores dialog box, click the Select Keystore button to browse for keystores.

  6. On the Keystore page, click New.

    Figure: Creating a new key store

  7. Fill in the following fields:

    Keystore name: Specifies the name of the keystore. This is the name that the server communication uses to identify the keystore on the device.

    Keystore type: Specifies whether to use Java, PEM, or PKCS12.

    Keystore password: Specifies the password required to modify the keystore settings.

    Device: Specifies the device (by IP) to which you assign the keystore. The device can be an Identity Server or SSL VPN. You cannot assign one keystore to multiple devices.

    Directory: Specifies the directory where PKCS12 or PEM files are stored.

    For example, /var/opt/novell/keystores/.

    File: Specifies the path and filename of the Java keystore (JKS).

    For example, /var/opt/novell/keystores/myKeystore.keystore.

    Description: Describes the keystore.

  8. Click OK.

    This creates the keystore.

  9. (Optional) On the Keystore page, you can assign a certificate to the new keystore by selecting the store’s check box.

  10. Click OK in the Add Certificate to Keystores dialog box.
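After the keystore has been created in the Administration Console and pushed to the device, you will usually want to confirm on the device itself that the backing file from step 7 exists, is protected, and contains the certificate you assigned. The following script is an added example, not part of the Access Manager documentation or product. It assumes the example paths from step 7 (/var/opt/novell/keystores/myKeystore.keystore), that the device has the standard keytool (for a Java keystore) and openssl (for PKCS12 and PEM files) tools, and that the keystore type and password are substituted by the administrator; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the Access Manager documentation): verify a keystore
# file on the device after it has been created through the Administration Console.
# Keystore types match the three offered in step 7: java, pem, pkcs12.

# keystore_file_ok FILE
# Returns 0 if FILE is a regular file whose mode is exactly 0600 (owner
# read/write only), 1 otherwise. The keystore holds the private key, so it
# should not be readable by group or others.
keystore_file_ok() {
    f=$1
    [ -f "$f" ] || return 1
    mode=$(ls -ld "$f" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || return 1
    return 0
}

# keystore_list TYPE FILE PASSWORD
# Lists the entries in the keystore with the standard tool for its type.
# For PKCS12, -nokeys keeps the private key out of the terminal output;
# only certificate and MAC information is printed.
keystore_list() {
    type=$1; f=$2; pw=$3
    case "$type" in
        java)   keytool -list -v -keystore "$f" -storepass "$pw" ;;
        pkcs12) openssl pkcs12 -info -in "$f" -passin "pass:$pw" -nokeys ;;
        pem)    openssl x509 -in "$f" -noout -subject -issuer -enddate ;;
        *)      echo "unknown keystore type: $type" >&2; return 2 ;;
    esac
}

# check_keystore TYPE FILE PASSWORD
# Runs the permission check, then lists the contents so the assigned
# certificate (the store holds only one at a time) can be confirmed.
check_keystore() {
    if keystore_file_ok "$2"; then
        echo "ok: $2 exists with mode 0600"
    else
        echo "WARNING: $2 is missing or readable by group/others" >&2
    fi
    keystore_list "$1" "$2" "$3"
}

# Usage (substitute your own type, path, and password; these are placeholders):
#   sh check_keystore.sh java /var/opt/novell/keystores/myKeystore.keystore 'KEYSTORE-PASSWORD'
if [ "$#" -eq 3 ]; then
    check_keystore "$1" "$2" "$3"
fi
```

Run it as the user that owns the keystore file on the device. A warning from the permission check means the file can be read by accounts other than the owner, which should be corrected with chmod before the keystore is used, since the keystore password alone does not protect a PEM file and a JKS or PKCS12 file can still be copied for offline attempts.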