Certificates pages
To manage certificates for communities and partners you work in the Certificates page.
To open the Certificates page, click Certificates on the navigation graphic at the top of the community or partner summary page. You open the page the same way for a community and for a partner. The certificate pages for communities and partners are different, but share some of the same information.
Use the certificates page to:
- View a list of all certificates for a community or partner.
- View detailed information about certificates.
- Open the certificate wizard to generate or import a key pair and certificate for a community.
- Export a certificate and public key to a file for transmittal to your partners.
- Import a partner’s certificate.
- Delete a certificate.
- Designate a different certificate as the default used by a community or partner.
- Manage PGP certificates, if your user license supports PGP.
Community certificates page
The Certificates page for communities has the following tabs:
Personal certificates tab
The personal certificates tab displays:
- The default certificate for signing documents (if any).
- The default certificate for encrypting documents.
- The default certificate for use in authenticating SSL connections (see SSL authentication).
- A list of all certificates associated with the community along with state, usage and expiration dates of each certificate.
- The displayed certificates also are known as end-entity certificates. In the case of CA-issued certificates, end-entity certificates have a chain of trust that includes intermediate and root CA certificates. In the case of a self-signed certificate, it is both the end-entity and root certificate.
- If the community has more than one certificate, you can select another as the default certificate and click Save changes.
The Default signing certificate field displays the default signing certificate for the community. If the community has more than one certificate with digitalSignature or nonRepudiation usage specified (or both), you can select another certificate from the drop-down list as the default certificate and click Save changes.
The State column displays one of the following certificate states for each certificate:
- Operational – The certificate is valid and can be used. This state only means the certificate can be used, not that it is in use. Activator rejects an outbound message when packaging is attempted with an expired or revoked certificate.
- Expired – The certificate is past its validity period and no longer can be used.
- Revoked – A certificate authority has invalidated the certificate and it no longer can be used.
- Pending – The certificate is not yet valid, usually because it is before the date that begins the certificate's validity period.
- Failed – The certificate is corrupted and cannot be used, usually due to an error while importing it to the certificate store.
The Usage column displays the usage that was selected for the certificate during certificate creation:
- Encryption – The certificate is used only for keyEncipherment.
- Non-repudiation – The certificate is used only for nonRepudiation.
- Signing – The certificate is used for digitalSignature and not for keyEncipherment.
- Encryption and signing – The certificate is used for keyEncipherment and for at least one of nonRepudiation and digitalSignature.
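The Usage and State rules above, together with the default-signing eligibility described for the Default signing certificate field, as an added worked example in Python. This is not code from the product this page documents; the certificate records, the reference time and the revoked flag are constructed for illustration, and the Operational filter on signing candidates is an added check that follows from the page's statement that packaging is rejected with an expired or revoked certificate.

```python
"""Derive the Usage label, State and default-signing eligibility shown on the
Personal certificates tab from a certificate's KeyUsage bits and validity period.

Added example: not code from the product the page documents. Certificate
records are constructed; the mapping rules are those given for the Usage and
State columns."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# KeyUsage bit names as they appear in the X.509 KeyUsage extension.
DIGITAL_SIGNATURE = "digitalSignature"
NON_REPUDIATION = "nonRepudiation"
KEY_ENCIPHERMENT = "keyEncipherment"


@dataclass(frozen=True)
class CertRecord:
    name: str              # user-defined certificate name
    key_usage: frozenset   # KeyUsage bits that are set
    not_before: datetime   # "Valid from"
    not_after: datetime    # "Valid to"
    revoked: bool = False  # assumed flag: serial number found on the issuer's CRL


def usage_label(key_usage):
    """Usage column: classify by which KeyUsage bits are set."""
    ke = KEY_ENCIPHERMENT in key_usage
    ds = DIGITAL_SIGNATURE in key_usage
    nr = NON_REPUDIATION in key_usage
    if ke and (ds or nr):
        return "Encryption and signing"
    if ke:
        return "Encryption"       # keyEncipherment only
    if ds:
        return "Signing"          # digitalSignature without keyEncipherment (nonRepudiation may be set too)
    if nr:
        return "Non-repudiation"  # nonRepudiation only
    return "None"                 # assumed label: no recognised bit set


def certificate_state(cert, now):
    """State column. Revocation wins over the time-based states; Failed (a
    corrupt import) cannot be derived from these fields."""
    if cert.revoked:
        return "Revoked"
    if now < cert.not_before:
        return "Pending"      # typically the host clock is behind the issuer's
    if now > cert.not_after:
        return "Expired"
    return "Operational"      # usable, which does not mean it is in use


def can_package(cert, now):
    """Outbound packaging is rejected with an expired or revoked certificate;
    a Pending one is not valid yet either, so only Operational passes."""
    return certificate_state(cert, now) == "Operational"


def signing_candidates(certs, now):
    """Names offered in the Default signing certificate drop-down: certificates
    with digitalSignature or nonRepudiation usage. The Operational filter is an
    added check so that a default that cannot package is not chosen."""
    return [
        c.name for c in certs
        if (c.key_usage & {DIGITAL_SIGNATURE, NON_REPUDIATION}) and can_package(c, now)
    ]


def summarize(certs, now):
    """Rows as the tab lists them: name, usage, state, expiry date."""
    return [(c.name, usage_label(c.key_usage), certificate_state(c, now),
             c.not_after.date().isoformat()) for c in certs]


# Constructed sample data: one reference instant and five certificates.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
DAY = timedelta(days=1)
SAMPLE = [
    CertRecord("sign-only", frozenset({DIGITAL_SIGNATURE}), NOW - 30 * DAY, NOW + 335 * DAY),
    CertRecord("enc-and-sign", frozenset({KEY_ENCIPHERMENT, NON_REPUDIATION}), NOW - 30 * DAY, NOW + 335 * DAY),
    CertRecord("enc-only-expired", frozenset({KEY_ENCIPHERMENT}), NOW - 730 * DAY, NOW - 1 * DAY),
    CertRecord("nr-pending", frozenset({NON_REPUDIATION}), NOW + 1 * DAY, NOW + 366 * DAY),
    CertRecord("ds-revoked", frozenset({DIGITAL_SIGNATURE, KEY_ENCIPHERMENT}), NOW - 30 * DAY, NOW + 335 * DAY, revoked=True),
]

if __name__ == "__main__":
    for row in summarize(SAMPLE, NOW):
        print("%-18s %-24s %-12s expires %s" % row)
    print("default signing candidates:", signing_candidates(SAMPLE, NOW))
```

Note that a certificate with both digitalSignature and nonRepudiation but no keyEncipherment is labelled Signing, not Non-repudiation, because the Non-repudiation label is reserved for certificates that carry nonRepudiation alone.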
Trusted roots certificates tab
The Trusted roots certificates tab displays the roots of partners' certificates that a community trusts. In the case of a self-signed certificate, the trust is for the certificate itself, as a self-signed certificate is a root certificate. In the case of a certificate authority certificate, the trust is for the root certificate in the chain of trust of a partner's certificate. By default, the system trusts root certificates when end-entity partner certificates are imported.
- You can elect not to trust a root certificate by clicking Untrust to the right of the root certificate name. If you untrust a root, the system no longer recognizes any end-entity partner certificate that chains to it as valid, which could affect many partner certificates at once. You cannot restore trust on this tab. To trust the root again, import the partner end-entity certificate or the root certificate. The easier method is importing the end-entity certificate, as the system trusts its root by default.
- A single CA might be listed multiple times on the tab, because a CA can have multiple root certificates, each with a unique fingerprint, under which it issues certificates. To view the fingerprints, select a root and review the MD5 and SHA1 fingerprints on the Details tab. By comparing fingerprints you can choose to trust some but not all of a CA's root certificates.
- To import a trusted root, click Add a trusted root certificate and see Import certificates for partners.
Trusted SSL root certificates tab
The Trusted SSL root certificates tab displays the trusted roots of partners' certificates that, when presented by partners, enable the partners to connect to the community's SSL servers that require client authentication. For an explanation of trusted roots and the consequences of untrusting, see Trusted roots certificates tab. See also SSL authentication.
- To import a trusted root, click Add a trusted root certificate for SSL servers on the certificates page and see Import certificates for partners.
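An added example (not the product's own code) that models the Trusted roots tab and the fingerprint comparison described on the Details tab: building the chain from a partner end-entity certificate to its root, trusting the root by default on import, keying roots by fingerprint so that one CA name can appear twice, and the effect of Untrust on every partner certificate beneath that root. The certificates are constructed records; the der field stands in for a real DER encoding, and issuers are matched on subject and authority key identifiers, standard X.509 extensions the page does not describe, so that two roots with the same CA name but different keys are distinguishable.

```python
"""Model the Trusted roots tab: chain building, trust-on-import, roots keyed
by fingerprint, and the blast radius of Untrust.

Added example, not code from the product the page documents. All certificate
records are constructed; `der` is a stand-in for the DER encoding, and `ski`/
`aki` are assumed subject/authority key identifiers used to match issuers."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str  # X.500 distinguished name of the holder
    issuer: str   # distinguished name of the signer
    ski: str      # subject key identifier (constructed hex)
    aki: str      # authority key identifier; equals ski when self-signed
    der: bytes    # constructed stand-in for the DER encoding

    @property
    def self_signed(self):
        return self.subject == self.issuer and self.ski == self.aki


def fingerprint(der, algo="sha1"):
    """Colon-separated fingerprint as the Details tab shows it. Compare the
    SHA1 value with your partner rather than MD5."""
    return ":".join(f"{b:02X}" for b in hashlib.new(algo, der).digest())


def build_chain(leaf, pool):
    """Ordered list leaf -> intermediates -> root, or None when an issuer is
    missing from the pool. A self-signed leaf is its own root."""
    chain, seen = [leaf], {leaf.ski}
    while not chain[-1].self_signed:
        cur = chain[-1]
        issuer = next((c for c in pool if c.subject == cur.issuer and c.ski == cur.aki), None)
        if issuer is None or issuer.ski in seen:
            return None
        seen.add(issuer.ski)
        chain.append(issuer)
    return chain


class TrustedRoots:
    """The community's Trusted roots tab, keyed by SHA1 fingerprint."""

    def __init__(self):
        self.roots = {}

    def import_partner_cert(self, leaf, pool):
        """Importing an end-entity certificate trusts its root by default."""
        chain = build_chain(leaf, pool)
        if chain is None:
            raise ValueError(f"incomplete chain for {leaf.subject}")
        self.roots[fingerprint(chain[-1].der)] = chain[-1]
        return chain

    def untrust(self, fp):
        """Click Untrust: the root is removed; nothing on this tab restores it."""
        self.roots.pop(fp, None)

    def is_valid(self, leaf, pool):
        chain = build_chain(leaf, pool)
        return chain is not None and fingerprint(chain[-1].der) in self.roots

    def partners_under_root(self, fp, leaves, pool):
        """Partner certificates that stop validating if root `fp` is untrusted."""
        return [leaf.subject for leaf in leaves
                if (chain := build_chain(leaf, pool)) and fingerprint(chain[-1].der) == fp]

    def listing(self):
        """Rows as the tab shows them: one per root, so a CA name may repeat."""
        return sorted((root.subject, fp) for fp, root in self.roots.items())


# Constructed sample: one CA name with two root keys (G1, G2), an issuing CA
# under G1, two partners under that issuing CA, one partner directly under G2,
# and one self-signed partner.
CA_DN = "CN=Example CA,O=Example,C=US"
ROOT_G1 = Cert(CA_DN, CA_DN, "a1", "a1", b"DER:example-ca-g1")
ROOT_G2 = Cert(CA_DN, CA_DN, "a2", "a2", b"DER:example-ca-g2")
ISSUING = Cert("CN=Example Issuing CA,O=Example,C=US", CA_DN, "b1", "a1", b"DER:example-issuing")
ACME = Cert("CN=acme.example,O=Acme,C=US", ISSUING.subject, "c1", "b1", b"DER:acme")
BOLT = Cert("CN=bolt.example,O=Bolt,C=US", ISSUING.subject, "c2", "b1", b"DER:bolt")
CORE = Cert("CN=core.example,O=Core,C=DE", CA_DN, "c3", "a2", b"DER:core")
DELTA_DN = "CN=delta.example,O=Delta,C=FR"
DELTA = Cert(DELTA_DN, DELTA_DN, "c4", "c4", b"DER:delta")
POOL = [ROOT_G1, ROOT_G2, ISSUING]
PARTNERS = [ACME, BOLT, CORE, DELTA]


def scenario():
    """Import every partner, then untrust root G1 and report what breaks."""
    store = TrustedRoots()
    for p in PARTNERS:
        store.import_partner_cert(p, POOL)
    before = {p.subject: store.is_valid(p, POOL) for p in PARTNERS}
    g1 = fingerprint(ROOT_G1.der)
    affected = store.partners_under_root(g1, PARTNERS, POOL)
    store.untrust(g1)
    after = {p.subject: store.is_valid(p, POOL) for p in PARTNERS}
    return before, affected, after


if __name__ == "__main__":
    before, affected, after = scenario()
    print("affected by untrusting G1:", affected)
    for subject in before:
        print(f"{subject}: {before[subject]} -> {after[subject]}")
```

Running the scenario shows the two partners under the issuing CA losing validity while the partner under the second root key and the self-signed partner are untouched, which is why checking partners_under_root before clicking Untrust is worth the effort.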
SSH keys tab
The SSH keys tab displays the public keys of the SSH key pairs a community has imported. Private key data is not displayed because that would compromise security. SSH keys are used for public-key or host-based authentication in Secure FTP (SFTP) delivery exchanges, which encrypt data over a Secure Shell (SSH) connection.
PGP personal certificates tab
The PGP personal certificates tab displays the default certificate, if any, for signing and encrypting documents. It also lists all PGP certificates associated with the community. If the community has more than one certificate, you can select another as the default certificate and click Save changes. This tab displays only if your user license supports PGP. For more information, see PGP secure trading.
Partner certificates page
The partner certificate page displays the default certificate, if any, for encrypting documents. It also lists all certificates associated with the partner along with state, usage and expiration dates.
The displayed certificates also are known as end-entity certificates. In the case of CA-issued certificates, end-entity certificates have a chain of trust that includes intermediate and root CA certificates. In the case of a self-signed certificate, it is both the end-entity and root certificate. The trusted roots of partner end-entity certificates are displayed on the trusted root certificate tabs of the communities that trust them.
If the partner has more than one certificate, you can select another as the default certificate and click Save changes.
Valid certificate states are:
- Operational – The certificate is valid and can be used. This state only means the certificate can be used, not that it is in use.
- Expired – The certificate no longer can be used.
- Revoked – A certificate authority has invalidated the certificate and it no longer can be used.
- Pending – The certificate is not yet valid, usually because of a difference between the valid date and time in the certificate and the host clock.
- Failed – The certificate is corrupted, usually due to an error while importing it to the certificate store.
PGP certificates tab
If your user license supports PGP, the PGP certificates tab displays the default certificate, if any, for encrypting documents. It also lists all PGP certificates associated with the partner. If the partner has more than one certificate, you can select another as the default certificate and click Save changes. See PGP secure trading for more information about PGP certificates.
View certificate information
You can view information about a certificate for a community or partner. Open the certificates page by clicking Certificates on the navigation graphic at the top of the community or partner summary page. Click the name of a certificate to open the information page, which consists of multiple tabs.
If you change anything, click Save changes.
The following topic explains the tabs on the certificate information page.
Certificate field descriptions
The following describes the fields on the certificate tabs.
General tab
- Name – A user-defined name for a certificate. Naming the certificate can help identify the community or partner it belongs to.
- Immediately below the Name field, one or more messages might be displayed. Such messages provide information about the certificate's status. Possible messages are:
- This is the default signing certificate – Indicates that the certificate is the default for signing documents.
- This is the default encryption certificate – Indicates that the certificate is the default for encrypting documents.
- This is the default SSL certificate – Indicates that the certificate is the default certificate submitted to servers to authenticate your identity. See SSL authentication.
- Intended usage – Describes the functions that the certificate can perform. The intended usage does not mean the certificate is being used for that purpose, only that it can be:
- Signing (digitalSignature)
- Non-repudiation (nonRepudiation)
- Encryption (keyEncipherment)
- State – Indicates whether the certificate can be used. Valid states are:
- Operational – The certificate is valid and can be used. This state only means the certificate can be used, not that it is in use.
- Expired – The certificate no longer can be used.
- Revoked – A certificate authority has invalidated the certificate and it no longer can be used.
- Pending – The certificate is not yet valid, usually because of a difference between the valid date and time in the certificate and the host clock.
- Failed – The certificate is corrupted, usually due to an error while importing it to the certificate store.
- Subject – The name of the person or entity to whom the certificate was issued.
- Issuer – The name of the person or entity that issued the certificate. If the subject and issuer names are the same, the certificate is self-signed.
- Valid from – The date range during which the certificate is valid.
- Certificate path – If the certificate is CA-issued, its certificate path or chain of trust appears here. This field does not apply to self-signed certificates. A chain of trust or certificate chain is an ordered list of certificates that includes the end-user certificate and the certificates of the issuing CA. A trusted root is a public key that is verified as belonging to an issuing CA, which is called a trusted third party.
Details tab
The X.509 standard defines the information displayed on the Details tab.
- Version – The version of the X.509 standard that applies to the certificate.
- Issuer – The issuer is the X.500 distinguished name of the CA or entity that signed the certificate. In the case of a self-signed certificate, the issuer and subject are the same. Using the certificate implies trusting the signer.
- Serial number – The serial number uniquely identifies the certificate among those issued by the same issuer. The CA or entity that issued the certificate assigned this number. If the issuer revokes a certificate, it places the serial number on a certificate revocation list (CRL).
- Subject – The subject is the X.500 distinguished name of the entity whose public key the certificate identifies. A distinguished name has the following parts:
- C – Two-letter ISO country code
- L – City or locality name
- O – Organization name
- OU – Organizational unit
- CN – Common name of the person or system
- Valid to – The date the certificate expires, provided it is not compromised or revoked before that date.
- Valid from – The date the certificate became valid.
- Signature algorithm – The algorithm the CA used to sign the certificate.
- Public key information – An algorithm identifier that specifies the public key crypto system this key belongs to and any associated key parameters, such as key length.
- Public key – The public key of the certificate.
- MD5 and SHA1 fingerprints – Fingerprints are a way to verify the source of a certificate. After you import or export a certificate, contact your partner over a separate channel and confirm that the fingerprints at both ends are identical. Do this before attempting to exchange documents. If the fingerprints do not match, one of the certificates might be corrupted or out of date. Compare the SHA1 fingerprint in preference to MD5: MD5 collisions are practical, so two different certificates can share an MD5 fingerprint.
- Key usage – Identifies the purpose of the key in the certificate, such as encipherment, digital signature or certificate signing.
Trusts tab
The Trusts tab identifies the communities and SSL servers that trust the certificate.
Related topics