Certificate management

VersaLex provides functionality for managing digital certificates and private keys. It facilitates:

  • generating self-signed user certificates and certificate signing requests (CSRs)
  • importing/exporting user certificates/private keys
  • importing/exporting certificate authority (CA) certificates
  • marking CA certificates as either trusted or pending

When invoked through VersaLex during SSL negotiation, it also is used to:

  • provide the set of trusted CA root certificates
  • provide a selected user certificate chain

An X.509 certificate is analogous to an ID card. It identifies a subject (the entity the certificate belongs to) and an issuer (the signer). If the subject and issuer are the same, the certificate is said to be self-signed.

The certificate infrastructure includes a public/private key pair for encryption. The public key is embedded in the digital certificate and is shared with trading partners; the private key is kept secret. Data that trading partners encrypt with the public key can be decrypted only with the corresponding private key. A certificate and its public/private key pair can also be used for digital signatures.

Certificates are grouped into three categories:

  • User certificate: Identifies a person (client) or a computer (server). User certificates, when first generated using Certificate Manager, are self-signed. If desired, they can be submitted to a certificate authority (CA) for signing. The CA-signed certificate then replaces the original self-signed certificate.
  • Intermediate CA certificate: Identifies a trusted certificate authority (CA) whose certificate is signed by another intermediate CA or a root CA.
  • Root CA certificate: Identifies a trusted certificate authority (CA) whose certificate is self-signed. A certificate "chain" is a series of CA-signed certificates terminated by a root CA certificate. A certificate chain consists of:
    • One CA-signed user certificate
    • Any intermediate CA certificates
    • One root CA certificate (sometimes referred to as the top level certificate)

Connecting a certificate's issuer CA to the next certificate's subject CA forms the chain. If a certificate's issuer CA cannot be found, the chain is incomplete. If a host requests the user certificate during SSL negotiation prior to a file transfer, the certificate chain, whether complete or not, is built and sent. Depending on the host, an incomplete chain may or may not affect the success of transfers.

For your convenience, VersaLex comes installed with an assortment of trusted VeriSign intermediate and root CA certificates and a trusted RSA root CA certificate.

All the certificates currently stored in Certificate Manager are listed directly under each store type (with a certificate icon). Certificate Manager builds and displays certificate chains starting in the user and trusted intermediate CA certificate store trees. The certificates listed in these chains (with no icon) are references to a stored intermediate or root CA certificate.

If a chain is incomplete, the chain terminates with a ? Not Found entry and the certificates in the chain are colored orange. If the issuer CA certificate is found but its signature on the certificate is not valid, the chain is also considered incomplete. If signature verification is not a concern, it can be turned off by selecting Configure > Options and clearing Check Certificate Issuer's CA Signature.

If a certificate is not yet valid or is expired, the certificate is colored red. If the validity period is not a concern, the check can be turned off by selecting Configure > Options and clearing Check Certificate Validity Period. When a certificate or a certificate chain is colored red or orange, or is marked with a ? Not Found entry, additional tool-tip information is also provided.
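The chain-building rule described above (link each certificate's issuer to the next certificate's subject until a root CA is reached) and the three display states (complete, orange for a missing issuer or bad CA signature, red for a certificate outside its validity period) can be reproduced with Go's standard crypto/x509 package. The following is an added example, not VersaLex code: it constructs a throw-away root CA, intermediate CA and user certificate (all names, serial numbers and the fixed clock are made up for the example), then classifies the user certificate against different intermediate and trusted-root stores. The status strings and the `Classify` function are this example's own, chosen to mirror the colours Certificate Manager uses.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ChainStatus mirrors the three states the chain display distinguishes.
type ChainStatus string

const (
	StatusComplete       ChainStatus = "complete"
	StatusIncomplete     ChainStatus = "incomplete (orange): issuer not found or CA signature invalid"
	StatusValidityPeriod ChainStatus = "invalid period (red): not yet valid or expired"
)

// Clock is the fixed "now" used for the constructed certificates (assumption).
var Clock = time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)

// issue creates a certificate from tmpl signed by parent. With parent == nil the
// certificate is self-signed (issuer == subject), which is how a root CA is made.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// caTemplate returns a CA template valid from one hour before Clock for ten years.
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             Clock.Add(-time.Hour),
		NotAfter:              Clock.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// PKI holds the constructed chain plus an impostor root that has the same
// subject name as the real root but a different key (its signature check fails).
type PKI struct {
	Root, Intermediate, User, Impostor *x509.Certificate
}

// BuildPKI constructs the sample hierarchy user -> intermediate -> root.
func BuildPKI() (*PKI, error) {
	root, rootKey, err := issue(caTemplate("Example Root CA", 1), nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := issue(caTemplate("Example Intermediate CA", 2), root, rootKey)
	if err != nil {
		return nil, err
	}
	userTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "trading-partner.example"}, // made-up name
		NotBefore:    Clock.Add(-time.Hour),
		NotAfter:     Clock.Add(365 * 24 * time.Hour), // user cert valid for one year
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	user, _, err := issue(userTmpl, inter, interKey)
	if err != nil {
		return nil, err
	}
	impostor, _, err := issue(caTemplate("Example Root CA", 9), nil, nil)
	if err != nil {
		return nil, err
	}
	return &PKI{Root: root, Intermediate: inter, User: user, Impostor: impostor}, nil
}

// Classify builds the chain for user from the given intermediate store and trusted
// root store at time now, returning the display status and the chain length.
func Classify(user *x509.Certificate, intermediates, roots []*x509.Certificate, now time.Time) (ChainStatus, int) {
	opts := x509.VerifyOptions{
		Roots:         x509.NewCertPool(),
		Intermediates: x509.NewCertPool(),
		CurrentTime:   now,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	}
	for _, c := range roots {
		opts.Roots.AddCert(c)
	}
	for _, c := range intermediates {
		opts.Intermediates.AddCert(c)
	}
	chains, err := user.Verify(opts)
	if err == nil {
		return StatusComplete, len(chains[0])
	}
	var invalid x509.CertificateInvalidError
	if errors.As(err, &invalid) && invalid.Reason == x509.Expired {
		return StatusValidityPeriod, 0 // red: outside NotBefore..NotAfter
	}
	var unknown x509.UnknownAuthorityError
	if errors.As(err, &unknown) {
		return StatusIncomplete, 0 // orange: no issuer found, or its signature did not verify
	}
	return ChainStatus("error: " + err.Error()), 0
}

func main() {
	pki, err := BuildPKI()
	if err != nil {
		panic(err)
	}
	inter := []*x509.Certificate{pki.Intermediate}
	roots := []*x509.Certificate{pki.Root}
	s, n := Classify(pki.User, inter, roots, Clock)
	fmt.Printf("full stores:            %s (links=%d)\n", s, n)
	s, _ = Classify(pki.User, nil, roots, Clock)
	fmt.Printf("intermediate missing:   %s\n", s)
	s, _ = Classify(pki.User, inter, []*x509.Certificate{pki.Impostor}, Clock)
	fmt.Printf("root signature invalid: %s\n", s)
	s, _ = Classify(pki.User, inter, roots, Clock.Add(2*365*24*time.Hour))
	fmt.Printf("user cert expired:      %s\n", s)
}
```

The four calls in `main` correspond to the situations the text describes: a complete three-link chain, an incomplete chain because the intermediate is not in the store, an incomplete chain because the issuer is found by name but its signature does not verify, and a red status because the user certificate is checked two years after it was issued.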

The action items available at any given time from Certificates in the menu bar, the toolbar, and the right-click menus are dependent on the current selection in the tree pane.

Action items for adding a new certificate (e.g. generate user certificate, import) are enabled depending on the store type selected.

Action items for manipulating an existing certificate (e.g. generate CSR, replace, export, remove) are enabled depending on the certificate selected.

Note: The step-by-step instructions in the following sections describe the use of right-click menus. In all cases, Certificates in the menu bar provides the same selections. The toolbar provides most of the same selections.