Release 10.1A: OpenEdge Getting Started:
Core Business Services


Key and certificate management

One of the most important features of a PKI is how it provides for the management of asymmetric keys and public-key certificates for all entities in the enterprise that the PKI protects.

Server identity management

Establishing an identity for a PKI server entity requires that the entity first create a private/public-key pair and store the private key, encrypted, in a secure storage location. The public key, together with proof of the owner’s identity, must be submitted to a CA that validates the owner’s identity and, if valid, issues a digital certificate that contains the owner’s public key. The location for storing the server’s private key is commonly known as a key store.

A key store must allow the owner to manage the server’s identity securely, so that the secrecy of the private key is not compromised. At a minimum, each private key (key store entry) used to establish an identity in the key store must be individually password-protected.

Client certificate management

For clients, the utilities that support PKI interaction typically provide the functionality for storing and managing CA digital certificates used for authenticating server digital certificates. The location for storing the client’s digital certificates is commonly known as a certificate store. Each certificate in the certificate store represents a single certificate store entry. The certificate store typically allows the client to add, update, examine, remove, and restore any removed certificate store entries. As the content is public, it is not typically password-protected.

Digital certificate life-cycle management

As described earlier, digital certificates have a lifetime during which they are considered valid. When this lifetime expires, the certificate can no longer be used for authentication and must be updated to restore its validity. A certificate can also become invalid from being revoked by a CA. Common reasons for which a CA might revoke a digital certificate include a change in job status or suspicion of a compromised private key.

The CA typically provides a means to revoke digital certificates (certificate revocation). This process depends on the mechanism that the CA for each certificate makes available to communicate certificate revocation. Typically, a client that utilizes a PKI can check with the CA to update its list of revoked digital certificates so that it can fail the authentication of any revoked identities. This process can be manual or automated, depending on how the PKI is able to respond to each CA’s revocation process. At a minimum, manually removing a revoked identity from a server key store or a revoked root CA certificate from a client certificate store is sufficient to handle the revocation once it is known.
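The following example, added here and not part of the OpenEdge documentation or product code, models the decisions described in the three sections above: a client certificate store with add, remove and restore operations, and a check that fails authentication when a certificate is outside its validity period, is revoked on its issuer's revocation list, or was issued by a CA that has been removed from the store. The Certificate, RevocationList and CertificateStore types are simplified models invented for the illustration, not real X.509 or ASN.1 structures, and all names, serial numbers and dates are constructed. It also shows one caveat the text only implies: when the revocation list is missing or past its next-update time, the check fails closed rather than treating the certificate as valid.

```python
"""Certificate life-cycle checks over constructed certificate records.

Added illustration of the validity-window and revocation logic described in
the text; not OpenEdge code. The types below are simplified models invented
for the example, not real X.509/ASN.1 structures.
"""
from dataclasses import dataclass
from datetime import datetime, timezone, timedelta


@dataclass(frozen=True)
class Certificate:
    """Only the fields the life-cycle checks need (constructed model)."""
    subject: str
    issuer: str          # name of the CA that signed the certificate
    serial: int          # unique per issuer; this is what a revocation list names
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class RevocationList:
    """A CA's published list of revoked serials (simplified CRL model)."""
    issuer: str
    revoked_serials: frozenset
    next_update: datetime   # after this time the list is stale and must be refreshed


class CertificateStore:
    """Client certificate store: trusted CA certificates keyed by subject.

    Removed entries are kept aside so they can be restored, mirroring the
    add / remove / restore operations the text describes.
    """

    def __init__(self):
        self._entries = {}
        self._removed = {}

    def add(self, cert):
        self._entries[cert.subject] = cert

    def remove(self, subject):
        self._removed[subject] = self._entries.pop(subject)

    def restore(self, subject):
        self._entries[subject] = self._removed.pop(subject)

    def trusted(self, subject):
        return self._entries.get(subject)


def check_certificate(cert, store, crls, now):
    """Classify a certificate presented for authentication at time `now`.

    Returns 'valid', 'not-yet-valid', 'expired', 'untrusted-issuer',
    'revoked' or 'revocation-unknown'. Anything other than 'valid' should
    fail authentication; a missing or stale CRL fails closed, not open.
    """
    if now < cert.not_before:
        return "not-yet-valid"
    if now > cert.not_after:
        return "expired"
    if store.trusted(cert.issuer) is None:
        return "untrusted-issuer"
    crl = crls.get(cert.issuer)
    if crl is None or now > crl.next_update:
        return "revocation-unknown"
    if cert.serial in crl.revoked_serials:
        return "revoked"
    return "valid"


def demo():
    """Constructed scenario: one root CA, three server certificates, one CRL."""
    utc = timezone.utc
    now = datetime(2005, 6, 1, tzinfo=utc)
    ca = Certificate("Example Root CA", "Example Root CA", 1,
                     datetime(2000, 1, 1, tzinfo=utc), datetime(2020, 1, 1, tzinfo=utc))
    store = CertificateStore()
    store.add(ca)

    def server(name, serial, years):
        return Certificate(name, ca.subject, serial,
                           datetime(2004, 1, 1, tzinfo=utc),
                           datetime(2004 + years, 1, 1, tzinfo=utc))

    good = server("appserver.example", 1001, 3)        # valid until 2007-01-01
    stale = server("old.example", 1002, 1)             # expired 2005-01-01
    compromised = server("leaked.example", 1003, 3)    # listed on the CRL below

    crl = RevocationList(ca.subject, frozenset({1003}), now + timedelta(days=7))
    crls = {ca.subject: crl}
    expired_crl = {ca.subject: RevocationList(ca.subject, frozenset(),
                                              now - timedelta(days=1))}

    results = {
        "good": check_certificate(good, store, crls, now),
        "expired": check_certificate(stale, store, crls, now),
        "revoked": check_certificate(compromised, store, crls, now),
        "stale_crl": check_certificate(good, store, expired_crl, now),
    }
    # Revoking the root CA itself: remove it from the client store and every
    # certificate it issued stops being trusted, as the text describes.
    store.remove(ca.subject)
    results["root_removed"] = check_certificate(good, store, crls, now)
    store.restore(ca.subject)
    results["root_restored"] = check_certificate(good, store, crls, now)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:14s} -> {outcome}")
```

The ordering of the checks matters: the validity window is tested first because an expired certificate is rejected regardless of revocation status, and the issuer lookup comes before the CRL lookup because a revocation list is only meaningful for a CA the client still trusts.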


Copyright © 2005 Progress Software Corporation
www.progress.com
Voice: (781) 280-4000
Fax: (781) 280-4095