11.3.8.8. Procedure – Importing certificates with external private key

Purpose: Using certificates in the PKI whose private key is stored in an external resource. The external resource can be a cryptographic token or a file in the local filesystem that is not managed by the MS.

The file being imported contains only the public parts: the certificate, the CA certificate, or the CSR. The corresponding private key is accessed from an external resource, referenced by a URI (Uniform Resource Identifier), a string that identifies the location of the external resource. Currently, the following URI schemes are implemented:

  • file: the URI starts with file: and encodes an absolute path to a local file that stores the private key in PEM format (e.g. file:/var/keys/userkey.pem). Restrict the filesystem permissions of this file, since anyone who can read it holds the private key.

  • pkcs11: the URI starts with pkcs11: and identifies a PKCS#11 object on a cryptographic token, e.g. a key in an HSM. (PKCS#11 is a standard that defines a platform-independent interface to cryptographic tokens, HSMs and smart cards.) The format of the URI is defined by the PKCS#11 URI scheme specification (RFC 7512); which attributes (such as token, serial, id or object) are needed to identify a key varies by the type and manufacturer of the token device.

    If the PKCS#11 token requires authentication (a PIN code), the PIN can be set within the URI (the pin-value attribute) or in the passphrase attribute when selecting the certificate. The latter takes precedence: a passphrase overrides any PIN code set in the URI. Note that a PIN embedded in the URI is part of the configuration string and is stored there in clear text.
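The following is an added example, not the product's own code, showing how a URI of the two kinds listed above is resolved and how the PIN precedence rule is applied. It also checks that the file to be imported carries only public PEM blocks. The function names (parse_key_uri, pem_block_types, contains_private_key), the sample URIs and the placeholder PEM bodies are assumptions made for illustration; the attribute names come from RFC 7512.

```python
"""Resolve an external-key URI (file: or pkcs11:) and apply the PIN
precedence rule.  Added example; not the product's own code.  The
function names are chosen for illustration only."""
import re
from urllib.parse import unquote, unquote_to_bytes

# Attribute names defined by the PKCS#11 URI scheme (RFC 7512).  Anything
# else is rejected rather than silently ignored.
PKCS11_PATH_ATTRS = {
    "token", "manufacturer", "serial", "model", "library-manufacturer",
    "library-description", "library-version", "object", "type", "id",
    "slot-description", "slot-manufacturer", "slot-id",
}
PKCS11_QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}


def _split_attrs(text, sep, allowed):
    """Parse 'k=v<sep>k=v' into a dict, percent-decoding each value.
    'id' is binary in RFC 7512, so it is decoded to bytes."""
    attrs = {}
    if not text:
        return attrs
    for part in text.split(sep):
        key, eq, value = part.partition("=")
        if not eq or key not in allowed:
            raise ValueError(f"bad PKCS#11 URI attribute {part!r}")
        if key in attrs:
            raise ValueError(f"duplicate attribute {key!r}")
        attrs[key] = unquote_to_bytes(value) if key == "id" else unquote(value)
    return attrs


def parse_key_uri(uri, passphrase=None):
    """Describe where the private key referenced by `uri` lives.

    `passphrase` is the value from the certificate's passphrase field.  As the
    procedure states, it takes precedence over a pin-value carried in the URI.
    """
    if uri.startswith("file:"):
        path = uri[len("file:"):]
        # Accept file:/path and file:///path; refuse file://host/path, since an
        # external key must be a local file (assumption for this example).
        if path.startswith("//"):
            path = path[2:]
        if not path.startswith("/"):
            raise ValueError("file: URI must be an absolute local path")
        return {"scheme": "file", "path": path}

    if uri.startswith("pkcs11:"):
        path_part, _, query_part = uri[len("pkcs11:"):].partition("?")
        path_attrs = _split_attrs(path_part, ";", PKCS11_PATH_ATTRS)
        query_attrs = _split_attrs(query_part, "&", PKCS11_QUERY_ATTRS)
        uri_pin = query_attrs.get("pin-value")
        pin = passphrase if passphrase is not None else uri_pin
        return {
            "scheme": "pkcs11",
            "path": path_attrs,
            "query": query_attrs,
            "pin": pin,
            # True when the PIN that will be used is the one embedded in the
            # URI, i.e. it sits in clear text in the configuration string.
            "pin_from_uri": passphrase is None and uri_pin is not None,
        }

    raise ValueError(f"unsupported external key URI scheme: {uri!r}")


_PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\r?$", re.MULTILINE)


def pem_block_types(pem_text):
    """Return the BEGIN labels of all PEM blocks in the text, in order."""
    return _PEM_BEGIN.findall(pem_text)


def contains_private_key(pem_text):
    """True if the file carries key material (PKCS#1, PKCS#8, EC and encrypted
    PKCS#8 labels all end in 'PRIVATE KEY'); such a file is not what the
    import step expects, which is public parts only."""
    return any(label.endswith("PRIVATE KEY") for label in pem_block_types(pem_text))


# Constructed sample inputs; the PEM bodies are placeholders, not real data.
PUBLIC_ONLY_PEM = (
    "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE REQUEST-----\nMIIB...placeholder...\n"
    "-----END CERTIFICATE REQUEST-----\n"
)
KEY_PEM = "-----BEGIN RSA PRIVATE KEY-----\nMIIE...placeholder...\n-----END RSA PRIVATE KEY-----\n"
HSM_URI = "pkcs11:token=Zorp%20TLS;object=tls-key;type=private?pin-value=1234"

if __name__ == "__main__":
    print(parse_key_uri("file:/var/keys/userkey.pem"))
    print(parse_key_uri(HSM_URI))                       # PIN 1234 taken from the URI
    print(parse_key_uri(HSM_URI, passphrase="secret"))  # passphrase wins
    print(pem_block_types(PUBLIC_ONLY_PEM), contains_private_key(KEY_PEM))
```

The pin_from_uri flag is the practitioner's cue: when it is true, the token PIN lives in the configuration string rather than in the passphrase field, so treat that configuration as secret material.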

Note

Certificates with an external key can be used only for TLS session authentication (Encryption Policies); they cannot perform PKI management operations such as signing other entities or refreshing certificates.

To import a certificate with external key, complete the following steps.

Steps: 

  1. Click Import on the Trusted CAs tab to import a CA certificate, or on the Certificates tab for ordinary certificates.

  2. Specify the file format and select the file to be imported. The file should contain the necessary public data but no private key data.

  3. Select the public part(s) of the certificate to be imported.

  4. Check Private key and click the External button to reference an external key.

  5. Enter the URI of the corresponding private key in the URI for external key field.

  6. The data imported from the file can be handled in two ways: creating a new entity or appending it to an existing one.

    Creating a new entity: Select the Import as new object radio button, enter a Unique name and, if needed, select the Owner host of the object. This method is especially useful for importing the certificates of external CAs.

    Import parts to an existing certificate: It is possible to import the part(s) contained in the file into an existing certificate entity (the one that was selected before clicking Import). Use this method when importing your own certificates that were signed by an external CA, so that the certificate is imported into the entity that already contains the private key (or the external key reference) and the CSR. Select the Import into selected object radio button.

  7. Check the Certificate available on all sites checkbox if needed.