Identity Server uses the following key pairs for secure communication. In a production environment, you should exchange the key pairs that are created at installation time with certificates from a trusted certificate authority.
Connector: The test-connector certificate is used when you establish SSL communication between Identity Server and the browsers and between Identity Server and Access Gateway for back-channel communications. It needs to be replaced with a certificate that has a subject name that matches the DNS name of Identity Server. This task is part of basic setup. See Section 20.0, Enabling SSL Communication.
Signing: The test-signing (by default) key pair is used by the various protocols to sign authentication requests, to sign communication with providers on the SOAP back channel, and to sign Web Service Provider profiles. For more information about the services that use the signing certificate, see Access Manager Services That Use the Signing Certificate.
This certificate can be stored in an external HSM keystore. For information about how to use netHSM to replace and manage this signing certificate, see Using netHSM for the Signing Key Pair.
If you want increased security, you can configure signing and encryption certificates for the service provider. For information, see Section 13.4.1, Configuring Enhanced Security for Service Provider Communications.
Data Encryption: The test-encryption (by default) key pair is used to encrypt specific fields or data in the assertions. For more information about the services that use the encryption certificate, see Section 13.4.3, Viewing Services That Use the Encryption Key Pair.
If you want increased security, you can configure signing and encryption certificates for the service provider. For information, see Section 13.4.1, Configuring Enhanced Security for Service Provider Communications.
To force the browser connections to Identity Server to support a specific level of encryption, see Section 20.7, Configuring the SSL Communication.
If you are going to use introductions in your federation configuration, you need to set up the following key pairs:
Identity provider: The test-provider key pair is used when you configure your Identity Server to use introductions with other identity providers and have set up a common domain name for this purpose. It needs to be replaced with a certificate that has a subject name that matches the DNS name of the common domain. For configuration information, see Configuring the General Identity Provider Settings.
Identity consumer: The test-consumer key pair is used when you configure your Identity Server to use introductions with other service providers and have set up a common domain name for this purpose. It needs to be replaced with a certificate that has a subject name that matches the DNS name of the common domain. For configuration information, see Configuring the General Identity Consumer Settings.
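The connector, identity-provider and identity-consumer key pairs above all carry the same requirement: the replacement certificate's subject name must match the DNS name that Identity Server (or the common domain) is reached by. The following is an added example, not code from the Access Manager documentation, of how to verify that before swapping a certificate in. It works on the dictionary shape that Python's standard-library `ssl.SSLSocket.getpeercert()` returns, applies the RFC 6125 rules (subjectAltName wins, commonName is only a fallback, a wildcard covers exactly one leftmost label), and includes a helper to fetch the leaf certificate from a live listener. The three sample certificates are constructed inline so the script runs offline; the host names and the `fetch_peer_cert` helper are assumptions for illustration.

```python
"""Check that a certificate's subject name matches the DNS name it will serve.

Added example for the Access Manager key-pair text; not part of the product.
Input is the dict that ssl.SSLSocket.getpeercert() returns, so the same check
can be run against a live Identity Server listener via fetch_peer_cert().
"""
import socket
import ssl


def _wildcard_match(pattern, hostname):
    """Exact match, or a '*.' wildcard that covers exactly one leftmost label."""
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                 # "*.example.com" -> ".example.com"
    if not hostname.endswith(suffix):
        return False
    left = hostname[: -len(suffix)]      # the part the wildcard must cover
    return left != "" and "." not in left


def san_dns_names(cert):
    """DNS entries of the subjectAltName extension, if any."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def subject_cn(cert):
    """commonName from the subject, or None."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def cert_matches_hostname(cert, hostname):
    """Return (ok, reason). SAN takes precedence; CN is consulted only without SAN."""
    host = hostname.lower().rstrip(".")
    sans = san_dns_names(cert)
    if sans:
        for name in sans:
            if _wildcard_match(name.lower(), host):
                return True, f"matched subjectAltName {name}"
        return False, f"no subjectAltName entry matches {hostname}: {sans}"
    cn = subject_cn(cert)
    if cn and _wildcard_match(cn.lower(), host):
        return True, f"matched commonName {cn} (no SAN present; browsers ignore CN)"
    return False, f"commonName {cn!r} does not match {hostname} and no SAN present"


def fetch_peer_cert(hostname, port=443, cafile=None):
    """Fetch the leaf certificate dict from a live listener (assumed helper).

    Chain verification stays on (cafile for a private CA); only the built-in
    hostname check is disabled so cert_matches_hostname() can report the reason.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample inputs (not real certificates), in getpeercert() dict form.
DEFAULT_TEST_CONNECTOR = {
    "subject": ((("commonName", "test-connector"),),),
}
REPLACEMENT_CERT = {
    "subject": ((("commonName", "idp.example.com"),),),
    "subjectAltName": (("DNS", "idp.example.com"), ("DNS", "www.example.com")),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}

if __name__ == "__main__":
    # Assumed DNS name of the Identity Server; replace with the real one.
    for label, cert in (("installed test-connector", DEFAULT_TEST_CONNECTOR),
                        ("replacement", REPLACEMENT_CERT),
                        ("wildcard", WILDCARD_CERT)):
        ok, reason = cert_matches_hostname(cert, "idp.example.com")
        print(f"{label}: {'OK' if ok else 'MISMATCH'} - {reason}")
```

The installed `test-connector` certificate fails the check (its commonName is not a DNS name at all), which is exactly why the text says it must be replaced; the same function, fed `fetch_peer_cert("<common-domain-name>", 8443)`, verifies the provider and consumer certificates after they are installed.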
To enable secure communication between the user store and Identity Server, you can also import the trusted root certificate of the user store. For configuration information, see Section 2.2, Configuring Identity User Stores.
This section describes the following tasks: