Identity Server uses the following key pairs for secure communication. In a production environment, replace the key pairs created at the installation time with certificates from a trusted certificate authority.
Connector: The test-connector certificate is used when you establish an SSL communication between Identity Server and browsers, and between Identity Server and Access Gateway for back-channel communications. It must be replaced with a certificate that has a subject name matching the DNS name of Identity Server. See Enabling SSL Communication.
Signing: The test-signing (by default) key pair is used by the various protocols to sign authentication requests, to sign communication with providers on the SOAP backchannel, and to sign Web Service Provider profiles. For more information about the services that use the signing certificate, see Access Manager Services That Use the Signing Certificate.
This certificate can be stored in an external HSM keystore. For information about using netHSM to replace and manage this signing certificate, see Using netHSM for the Signing Key Pair.
For more security, you can configure signing and encryption certificates for the service provider. For information, see Configuring Enhanced Security for Service Provider Communications.
Data Encryption: The test-encryption (by default) key pair is used to encrypt specific fields or data in the assertions. For more information about the services that use the encryption certificate, see Viewing Services That Use the Encryption Key Pair.
For more security, you can configure signing and encryption certificates for the service provider. For information, see Configuring Enhanced Security for Service Provider Communications.
To force the browser connections to Identity Server to support a specific level of encryption, see Configuring the SSL Communication.
To use introductions in your federation configuration, you need to set up the following key pairs:
Identity provider: The test-provider key pair is used when you configure your Identity Server to use introductions with other identity providers and set up a common domain name for this purpose. It must be replaced with a certificate that has a subject name matching the DNS name of the common domain. For information, see Configuring the General Identity Provider Settings.
Identity consumer: The test-consumer key pair is used when you configure your Identity Server to use introductions with other service providers and set up a common domain name for this purpose. It must be replaced with a certificate that has a subject name matching the DNS name of the common domain. For information, see Configuring the General Identity Consumer Settings.
To enable secure communication between the user store and Identity Server, you can also import the trusted root certificate of the user store. For information, see Configuring Identity User Stores.
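The connector, identity provider and identity consumer certificates above must each carry a subject name matching a specific DNS name, and all of the installation-time key pairs should be replaced by CA-issued ones. The following script is an added example, not part of the Access Manager documentation, that checks a candidate PEM certificate for both properties before it is imported; it assumes OpenSSL 1.1.1 or later, and the file and host names in the usage comments are placeholders.

```shell
#!/bin/sh
# Added example (not from the Access Manager documentation). Checks a PEM
# certificate intended to replace test-connector, test-provider or
# test-consumer: (1) the expected DNS name appears as the subject CN or as a
# DNS entry in subjectAltName, and (2) the certificate is not self-signed,
# i.e. it was actually issued by a CA rather than generated at install time.
# Requires openssl 1.1.1+ (for "x509 -ext"). File/host names are assumptions.

# Usage: cert_matches_dns /path/to/cert.pem idp.example.com
# Returns 0 when the name is present, 1 otherwise.
cert_matches_dns() {
    cert="$1"
    expected="$2"
    # Subject CN in RFC 2253 form, e.g. "subject=CN=idp.example.com,O=Example"
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 2>/dev/null \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    # DNS entries of subjectAltName, one per line, "DNS:" prefix stripped
    sans=$(openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p')
    [ "$cn" = "$expected" ] && return 0
    for san in $sans; do
        [ "$san" = "$expected" ] && return 0
    done
    return 1
}

# Usage: cert_is_self_signed /path/to/cert.pem
# Returns 0 when issuer equals subject (self-signed), 1 otherwise.
cert_is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null)
    iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 2>/dev/null)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Usage: check_replacement_cert /path/to/cert.pem idp.example.com
# Prints a verdict and returns 0 only if both checks pass.
check_replacement_cert() {
    if ! cert_matches_dns "$1" "$2"; then
        echo "FAIL: $1 does not carry DNS name $2 in CN or SAN"
        return 1
    fi
    if cert_is_self_signed "$1"; then
        echo "FAIL: $1 is self-signed; use a certificate from a trusted CA"
        return 1
    fi
    echo "OK: $1 matches $2 and is CA-issued"
    return 0
}
```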
This section describes the following tasks: