Managing certificates and credentials

1. In administration console, click Settings >Trust Store Management > Local Credentials.

2. Click Import. Under Trust Store Type, select one of these options:

   • Document Signing Credential: A credential used to issue a digital signature on a document.

   • Acrobat Reader DC extensions Credential: A digital certificate specific to Acrobat Reader DC extensions that enables Adobe Reader usage rights to be activated in the PDF documents produced.

   • Default: Indicates that this is the default credential to use with Acrobat Reader DC extensions.

   For information about obtaining a credential, see Preparing to Install AEM forms .

3. In the Alias box, type an identifier for the credential. This identifier is used as the display name for the credential in Acrobat Reader DC extensions and the Signature service. This alias is also used to access the credential programmatically using the AEM forms SDK.

   Note: The alias name is automatically converted to uppercase for display purposes. The alias name is not case-sensitive when you refer to it in a process.

4. Click Browse to locate the credential, type the password of the credential, and then click OK.

   If the error message "Failed to import credential due to either incorrect file format, or incorrect password" appears, verify that the password is valid.

Credentials are exported as P12 files in PKCS#12 format.

1. In administration console, click Settings >Trust Store Management > Local Credentials.

2. Click the alias name of the credential you want to export and then click Export.

3. In the Password box, type the password. This password is new and is used to encrypt the exported credential.

4. Click Export, follow the directions to export the credential, and then click OK.

After a credential is imported, you can edit its alias name and trust store type.

1. In administration console, click Settings >Trust Store Management > Local Credentials.

2. Click the alias name of the credential you want to edit.

3. Click Update Credential.

4. Edit the alias name and trust store type as required and click OK.

1. In administration console, click Settings >Trust Store Management > Local Credentials.

2. Select the check boxes for the credentials to delete.

3. Click Delete and then click OK.

1. In administration console, click Settings >Trust Store Management > HSM Credentials and then click Add.

2. In the Profile Name box, type a string used to identify the alias. This value is used as a property to some Digital Signatures operations, such as the Sign Signature Field operation.

3. In the PKCS11 Library box, type the fully qualified path of your HSM client library on the server. For example, c:\Program Files\LunaSA\cryptoki.dll . In a clustered environment, this path must be identical for all servers in the cluster.

4. Click Test HSM Connectivity. If AEM forms is able to connect to the HSM device, a message displays, stating that the HSM is available. Click Next.

5. Use either the Token Name, Slot ID, or Slot List Index to identify where the credentials are stored on the HSM.

   • Token Name: Corresponds to the name of the HSM partition to be used (for example, HSMPART1).

   • Slot Id: The Slot ID is a slot identifier of type data type long.

   • Slot List Index: If you select Slot List Index, set the Slot Info to an integer that corresponds to the slot. This is a 0-based index, which means that if the client is registered with the HSMPART1 partition first, HSMPART1 will be referred to using SlotListIndex value 0.

6. In the Token Pin box, type the password required to access the HSM key and click Next.

7. In the Credentials box, select a credential. Click Save.

1. In administration console, click Settings >Trust Store Management > HSM Credentials and then click Add.

2. In the Profile Name box, type a string used to identify the alias. This value is used as a property to some Digital Signatures operations, such as the Sign Signature Field operation.

3. In the PKCS11 Library box, type the fully qualified path of your HSM client library on the server. For example, c:\Program Files\LunaSA\cryptoki.dll . In a clustered environment, this path must be identical for all servers in the cluster.

4. Select the Offline Profile Creation check box. Click Next.

5. In the HSM Device list, select the manufacturer of the HSM device where the credential is stored.

6. In the Slot Type list, select Slot Id, Slot Index, or Token Name and specify a value in the Slot Info box. AEM forms uses these settings to determine where the credentials are stored on the HSM.

   • Token Name: Corresponds to a partition name (for example, HSMPART1).

   • Slot Id: The Slot ID is an integer that corresponds to the slot, which in turn corresponds to a partition. For example, the client (forms server) registered with the HSMPART1 partition first. This maps slot 1 to the HSMPART1 partition, for this client. Because HSMPART1 is the first partition registered, the Slot ID is 1 and you would set Slot Info to 1.

     The slot ID is set on a client-by-client basis. If you registered a second machine to a different partition (for example, HSMPART2 on the same HSM device), then slot 1 would be associated with the HSMPART2 partition for that client.

   • Slot Index: If you select Slot Index, set the Slot Info to an integer that corresponds to the slot. This is a 0-based index, which means that if the client is registered with the HSMPART1 partition first, slot 1 is mapped to the HSMPART1 for this client. Because HSMPART1 is the first partition registered, the Slot Index is 0.

7. Select one of these options and provide the path:

   • Certificate : (Not required if using SHA1) Click Browse and locate the path to the public key for the credential you are using.

   • Certificate SHA1: (Not required if using a physical certificate) Type SHA1 value (thumbprint) of the public key (.cer) file for the credential you are using. Ensure that there are no spaces used in the SHA1 value.

8. In the Password box, type the password required to access the HSM key for the given slot information, and then click Save.

1. In administration console, click Settings >Trust Store Management > HSM Credentials.

2. Click the alias name of the credential alias to view the properties and then click OK.

1. In administration console, click Settings >Trust Store Management > HSM Credentials.

2. Click the check box next to credential that you want to check and click Check Status.

The Status column reflects the current status of the credential. In case of failure, a red X is displayed in the Status column. Hover your mouse over the X to display a tool tip containing the reason for the failure.

1. In administration console, click Settings >Trust Store Management > HSM Credentials.

2. Click the alias name of the credential alias.

3. Click Update Credential and update the settings as required.

Reset the open connections to an HSM device after any disruption to the network session between the forms server and the HSM device. For example, disruptions can happen due to a network outage or the HSM device being taken offline for a software update. After a disruption, the existing connections are stale and any signing requests against those connections fail. Using the Reset All HSM Connections option clears the old connections.

1. In administration console, click Settings >Trust Store Management > HSM Credentials.

2. Click Reset All HSM Connections.

1. In administration console, click Settings >Trust Store Management > HSM Credentials.

2. Select the check boxes for the HSM credentials you want to delete, click Delete, and then click OK.

AEM forms uses a Web Services-based IPC/RPC mechanism. This mechanism enables AEM forms to use an HSM installed on a remote computer. To use this functionality, install the web service on the remote computer where the HSM is installed. See Configuring HSM support for AEM forms ES using Sun JDK on Windows 64-bit platform for more information.

This mechanism does not support online creation of HSM profiles or status checks. However, there are two ways to create HSM profiles and perform status checks:

• Create a AEM forms client credential by passing it the Signer’s Certificate. Follow the steps in Configuring HSM support for AEM forms ES using Sun JDK on Windows 64-bit platform . The web service location is passed in as a Credential property. Offline HSM profiles create using either certificate der or certificate SHA-1 hex is also supported. However, if you have upgraded to AEM forms from an earlier version of AEM forms, make client changes because the credential carried certificate and web service information.

• Web Service location is specified in the administration console for the Signature service. (See Signature service settings .) Here, the client only carried the alias of the HSM profile in the trust store. You can use this option seamlessly without any client changes, even if you have upgraded to AEM forms from an earlier version of AEM forms. This option does not support HSM profiles using certificate SHA-1.

1. In administration console, click Settings >Trust Store Management > User and Password Credentials and then click Add.

2. In the Profile Name box, type a name for the credential.

3. In the User Name box, type a unique user name.

4. In the Password box, type a password for the user and then click OK.

1. In administration console, click Settings >Trust Store Management > User and Password Credentials.

2. Select the check boxes for the credentials you want to delete, click Delete, and then click OK.

1. In administration console, click Settings >Trust Store Management > Certificates.

2. Click Import and, under Trust Store Type, select one of these options:

   • Trust for SSL Connections: Specifies that AEM forms can use certificates to connect to external systems over SSL.

   • Trust for Certify Signature: Specifies that certificates are trusted in document signing operations for certifying author digital signatures.

   • Trust for Signature: Specifies that certificates are trusted in document signing operations for non-author digital signatures.

   • Trust for Certificate Authentication: Specifies AEM forms uses certificates for authenticating users using certificate or smart card authentication.

   • Trust for OCSP Server: Specifies that AEM forms can use certificates to connect to external OCSP responders

   • Trust for Identity: Specifies that certificates can be used to trust information other than types specified above.

   Note: The trust store implicitly trusts an Adobe Root Certificate for certificate authentication, signature, certify signature, and identity.

3. In the Alias box, type the identifier for the certificate.

4. Click Browse to locate the certificate and then click OK.

1. In administration console, click Settings >Trust Store Management > Certificates.

2. Click the alias name of the certificate to export. The Certificate Details page is displayed.

3. Click Export, follow the directions to export the certificate, and then click OK.

1. In administration console, click Settings >Trust Store Management > Certificates.

2. Click the alias name of the certificate to edit.

3. Click Update Certificate.

4. To change the Alias name of the certificate, type a new name in the Alias box.

5. To update the trust store type for the certificate, select the appropriate trust store type.

6. To update the policy restrictions, in the Certificate Policies box, type the policy information, and then click OK.

1. In administration console, click Settings >Trust Store Management > Certificates.

2. Select the check boxes for the certificates to delete, click Delete, and then click OK.

1. In administration console, click Settings >Trust Store Management > Certificate Revocation Lists, and then click Import.

2. In the Alias box, type an identifier for the CRL.

3. Click Browse to locate the CRL and then click OK.

1. In administration console, click Settings >Trust Store Management > Certificate Revocation Lists.

2. Click the alias name of the CRL to export and then click Export.

3. Follow the directions to export the CRL. CRLs are exported in Base64 encoding.

4. Click OK.

1. In administration console, click Settings >Trust Store Management > Certificate Revocation Lists.

2. Select the check boxes for the CRLs to delete, click Delete, and then click OK.