Exporting a Signing Key Pair

After you have created the signing key pair, you export the key pair to a disk to store on the SAML extension server.

To export the key pair object:

  1. Double-click or right-click the key pair object and click Properties. This launches the key pair's property page, as shown in Figure 77:

    Figure 77: Key Pair Properties
  2. Click the Certificates tab, and select Public Key Certificate. A property page similar to Figure 78 is displayed:

    Figure 78: Public Key Certificate Property Page

    Verify that the Subject Name, Effective, and Expiration dates are the same as those you entered during the certificate creation process.

  3. To export the key pair object, click Export.

    A wizard page is displayed, as shown in Figure 79:

    Figure 79: Key Pair Wizard Page
  4. Because you are exporting the public-private key pair, leave the default, Yes, selected.

    Selecting Yes exports the public and private key in password-protected PKCS#12 format. This is the file you must move to the SAML extension server.

    If you want to export only the public key certificate, select No.

    Selecting No exports only the public key. You provide this to your public sites later.

  5. Click Next.

    Figure 80: Filename Wizard Page
  6. Specify the filename you want. The password you enter on this page is important because it is required when you configure the SAML extension server to use the key pair.

  7. Click Finish.
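As an added check that is not part of the original documentation, the following openssl script confirms, before the file is copied to the server, that an exported PKCS#12 file opens with the wizard password, contains a private key, and carries the Subject Name and Effective/Expiration dates you verified in step 2. The file name, password and subject are constructed for the example (it builds a throwaway key pair to test against); the query functions work unchanged on the .pfx you actually exported.

```shell
#!/bin/sh
# Added example (not from the original documentation): verify an exported
# PKCS#12 signing key pair with openssl before copying it to the server.
# The file name, password and subject are constructed for this example.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PFX="$WORK/mysig_keypair.pfx"
PASS="example-password"                               # constructed wizard password
SUBJECT="/CN=saml-signer.example.com/O=Example Org"   # constructed subject

# Build a throwaway key pair and self-signed certificate, then export them as
# a password-protected PKCS#12 file to stand in for the wizard's output.
make_test_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "$SUBJECT" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
    openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
        -out "$PFX" -passout "pass:$PASS"
}

# Print the subject of the certificate stored in the PKCS#12 file ($1)
# opened with password $2; prints nothing and fails if the password is wrong.
pfx_subject() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | openssl x509 -noout -subject
}

# Print the notBefore/notAfter dates of that certificate.
pfx_dates() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | openssl x509 -noout -dates
}

# Succeed only if the file contains a private key that opens with password $2.
pfx_has_private_key() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -q "PRIVATE KEY"
}

make_test_pfx
pfx_subject "$PFX" "$PASS"      # compare with the Subject Name you entered
pfx_dates "$PFX" "$PASS"        # compare with the Effective/Expiration dates
pfx_has_private_key "$PFX" "$PASS"
echo "private key present and password accepted"
```

A wrong password makes every query fail rather than return an empty result, so a failed check here means either the wrong file or the wrong password was recorded, both of which would otherwise surface only when the server is configured.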
Setting the PKCS#12 Signature Key on the SAML Extension Server

To import the signature key file into the SAML extension server for use:

  1. Copy the PKCS#12 file exported in the previous section (see Exporting a Signing Key Pair) to the local drive of the SAML extension server.

    Ideally, this would be in the same directory as the samlextConfig.xml file.

  2. Modify the SAML extension server configuration file to point to this file.

    When you installed SAML extension, a configuration file was automatically generated. This file is located at samlext_home/samlext_home/config/samlextConfig.xml. If no key pairs were specified during the install, the configuration file should look similar to Figure 81:

    Figure 81: SAML Extension Configuration File
  3. Modify the signature keypair element whose usage is signing so that it includes the filename and password of the PKCS#12 file. In this example, the file is modified to read as shown in Figure 82:

    Figure 82: Modified Configuration File

    In this example, it is assumed that you copied the exported PKCS#12 file to the SAML extension server as c:\mysig_keypair.pfx using novell as the password.

    NOTE: After editing the samlextConfig.xml file, you must restart Tomcat.