Managing certificates and credentials

Overview

A credential contains your private key information needed for signing or identifying documents. A certificate is public key information that you configure for trust. AEM forms uses certificates and credentials for several purposes:

Generating a pair key

AEM forms uses its Trust Store to store and manage certificates, credentials, and certificate revocation lists (CRLs). Additionally, you can use an independent Hardware Security Module (HSM) device to store private keys.

AEM forms does not provide any option to generate a key pair. However, you can generate it using tools, such as Java keytool, and import it in AEM forms Trust Store. For more information on Java keytool, see the following:

http://docs.oracle.com/javase/tutorial/security/toolsign/step3.html

http://docs.oracle.com/cd/E19798-01/821-1841/gjrgy/index.html

http://blogs.adobe.com/livecycle/2010/01/creating_ssl_keys_and_certific.html

The following signature types are supported and can be imported in AEM forms:

  • XML signature

  • XMLTimeStampToken

  • RFC 3161 TimeStampToken

  • PKCS#7

  • PKCS#1

  • DSA Signatures

Handling lost or compromised key

If you suspect that your key is lost or has been compromised, take the following actions:

  1. Inform the certifying authority, so that they add the compromised key on the certificate revocation list to revoke the key.

  2. Obtain a new key and its certificates from the certifying authority.

  3. Sign the documents that were signed using the compromised key again using the new key.

Managing local credentials

Local credentials are private key credentials hosted in Trust Store Management. A local credential identifies where a user’s DES credential is stored. Using Trust Store Management, you can import and manage your local credentials by using, for example, existing PFX files so that you can import, edit, and delete local credentials.

AEM forms supports RSA and DSA credentials up to 4096 bits in standard PKCS12 format (.pfx and .p12 files).

You can import and export any number of credentials. If you want to replace an expired credential using the same alias, delete the credential and then import the new credential with the same alias.

For information and instructions related to Acrobat Reader DC extensions, see Configuring credentials for use with Acrobat Reader DC extensions .

Import a credential

  1. In administration console, click Settings >Trust Store Management > Local Credentials.

  2. Click Import. Under Trust Store Type, select one of these options:

    • Document Signing Credential: A credential used to issue a digital signature on a document.

    • Acrobat Reader DC extensions Credential: A digital certificate specific to Acrobat Reader DC extensions that enables Adobe Reader usage rights to be activated in the PDF documents produced.

    • Default: Indicates that this is the default credential to use with Acrobat Reader DC extensions.

    For information about obtaining a credential, see Preparing to Install AEM forms .

  3. In the Alias box, type an identifier for the credential. This identifier is used as the display name for the credential in Acrobat Reader DC extensions and the Signature service. This alias is also used to access the credential programmatically using the AEM forms SDK.

    Note: The alias name is automatically converted to uppercase for display purposes. The alias name is not case-sensitive when you refer to it in a process.
  4. Click Browse to locate the credential, type the password of the credential, and then click OK.

    If the error message "Failed to import credential due to either incorrect file format, or incorrect password" appears, verify that the password is valid.

Export a credential

Credentials are exported as P12 files in PKCS#12 format.

  1. In administration console, click Settings >Trust Store Management > Local Credentials.

  2. Click the alias name of the credential you want to export and then click Export.

  3. In the Password box, type the password. This password is new and is used to encrypt the exported credential.

  4. Click Export, follow the directions to export the credential, and then click OK.

Edit a credential’s alias or trust store type

After a credential is imported, you can edit its alias name and trust store type.

  1. In administration console, click Settings >Trust Store Management > Local Credentials.

  2. Click the alias name of the credential you want to edit.

  3. Click Update Credential.

  4. Edit the alias name and trust store type as required and click OK.

Delete a credential

  1. In administration console, click Settings >Trust Store Management > Local Credentials.

  2. Select the check boxes for the credentials to delete.

  3. Click Delete and then click OK.

Managing HSM credentials

From the Trust Store Management page, you can manage Hardware Security Module (HSM) credentials. An HSM is a third-party PKCS#11 device that you can use to securely generate and store private keys. The HSM physically protects the access to and use of the private keys.

The client software is required to communicate with the HSM. The HSM client software must be installed and configured on the same computer as AEM forms.

AEM forms Digital Signatures can use credentials stored on an HSM to apply server-side digital signatures. Follow the instructions in this section to create an alias for each HSM credential that Digital Signatures will use. The alias contains all of the parameters required by the HSM.

Note: After changing your HSM configuration, restart the AEM forms server.

Create an alias for an HSM credential when the HSM device is online

  1. In administration console, click Settings >Trust Store Management > HSM Credentials and then click Add.

  2. In the Profile Name box, type a string used to identify the alias. This value is used as a property to some Digital Signatures operations, such as the Sign Signature Field operation.

  3. In the PKCS11 Library box, type the fully qualified path of your HSM client library on the server. For example, c:\Program Files\LunaSA\cryptoki.dll . In a clustered environment, this path must be identical for all servers in the cluster.

  4. Click Test HSM Connectivity. If AEM forms is able to connect to the HSM device, a message displays, stating that the HSM is available. Click Next.

  5. Use either the Token Name, Slot ID, or Slot List Index to identify where the credentials are stored on the HSM.

    • Token Name: Corresponds to the name of the HSM partition to be used (for example, HSMPART1).

    • Slot Id: The Slot ID is a slot identifier of type data type long.

    • Slot List Index: If you select Slot List Index, set the Slot Info to an integer that corresponds to the slot. This is a 0-based index, which means that if the client is registered with the HSMPART1 partition first, HSMPART1 will be referred to using SlotListIndex value 0.

  6. In the Token Pin box, type the password required to access the HSM key and click Next.

  7. In the Credentials box, select a credential. Click Save.

Create an alias for an HSM credential when the HSM device is offline

  1. In administration console, click Settings >Trust Store Management > HSM Credentials and then click Add.

  2. In the Profile Name box, type a string used to identify the alias. This value is used as a property to some Digital Signatures operations, such as the Sign Signature Field operation.

  3. In the PKCS11 Library box, type the fully qualified path of your HSM client library on the server. For example, c:\Program Files\LunaSA\cryptoki.dll . In a clustered environment, this path must be identical for all servers in the cluster.

  4. Select the Offline Profile Creation check box. Click Next.

  5. In the HSM Device list, select the manufacturer of the HSM device where the credential is stored.

  6. In the Slot Type list, select Slot Id, Slot Index, or Token Name and specify a value in the Slot Info box. AEM forms uses these settings to determine where the credentials are stored on the HSM.

    • Token Name: Corresponds to a partition name (for example, HSMPART1).

    • Slot Id: The Slot ID is an integer that corresponds to the slot, which in turn corresponds to a partition. For example, the client (forms server) registered with the HSMPART1 partition first. This maps slot 1 to the HSMPART1 partition, for this client. Because HSMPART1 is the first partition registered, the Slot ID is 1 and you would set Slot Info to 1.

      The slot ID is set on a client-by-client basis. If you registered a second machine to a different partition (for example, HSMPART2 on the same HSM device), then slot 1 would be associated with the HSMPART2 partition for that client.

    • Slot Index: If you select Slot Index, set the Slot Info to an integer that corresponds to the slot. This is a 0-based index, which means that if the client is registered with the HSMPART1 partition first, slot 1 is mapped to the HSMPART1 for this client. Because HSMPART1 is the first partition registered, the Slot Index is 0.

  7. Select one of these options and provide the path:

    • Certificate : (Not required if using SHA1) Click Browse and locate the path to the public key for the credential you are using.

    • Certificate SHA1: (Not required if using a physical certificate) Type SHA1 value (thumbprint) of the public key (.cer) file for the credential you are using. Ensure that there are no spaces used in the SHA1 value.

  8. In the Password box, type the password required to access the HSM key for the given slot information, and then click Save.

View HSM credential alias properties

  1. In administration console, click Settings >Trust Store Management > HSM Credentials.

  2. Click the alias name of the credential alias to view the properties and then click OK.

Check the status of an HSM credential

  1. In administration console, click Settings >Trust Store Management > HSM Credentials.

  2. Click the check box next to credential that you want to check and click Check Status.

The Status column reflects the current status of the credential. In case of failure, a red X is displayed in the Status column. Hover your mouse over the X to display a tool tip containing the reason for the failure.

Update HSM credential alias properties

  1. In administration console, click Settings >Trust Store Management > HSM Credentials.

  2. Click the alias name of the credential alias.

  3. Click Update Credential and update the settings as required.

Reset all HSM Connections

Reset the open connections to an HSM device after any disruption to the network session between the forms server and the HSM device. For example, disruptions can happen due to a network outage or the HSM device being taken offline for a software update. After a disruption, the existing connections are stale and any signing requests against those connections fail. Using the Reset All HSM Connections option clears the old connections.

  1. In administration console, click Settings >Trust Store Management > HSM Credentials.

  2. Click Reset All HSM Connections.

Delete an HSM credential alias

  1. In administration console, click Settings >Trust Store Management > HSM Credentials.

  2. Select the check boxes for the HSM credentials you want to delete, click Delete, and then click OK.

Configure remote HSM support

AEM forms uses a Web Services-based IPC/RPC mechanism. This mechanism enables AEM forms to use an HSM installed on a remote computer. To use this functionality, install the web service on the remote computer where the HSM is installed. See Configuring HSM support for AEM forms ES using Sun JDK on Windows 64-bit platform for more information.

This mechanism does not support online creation of HSM profiles or status checks. However, there are two ways to create HSM profiles and perform status checks:

  • Create a AEM forms client credential by passing it the Signer’s Certificate. Follow the steps in Configuring HSM support for AEM forms ES using Sun JDK on Windows 64-bit platform . The web service location is passed in as a Credential property. Offline HSM profiles create using either certificate der or certificate SHA-1 hex is also supported. However, if you have upgraded to AEM forms from an earlier version of AEM forms, make client changes because the credential carried certificate and web service information.

  • Web Service location is specified in the administration console for the Signature service. (See Signature service settings .) Here, the client only carried the alias of the HSM profile in the trust store. You can use this option seamlessly without any client changes, even if you have upgraded to AEM forms from an earlier version of AEM forms. This option does not support HSM profiles using certificate SHA-1.

Adding and removing user name and password credentials

From the Trust Store Management page, you can add and remove user name and password credentials used by the Forms service when it receives a request with SOAP-level security.

Add a user name and password credential

  1. In administration console, click Settings >Trust Store Management > User and Password Credentials and then click Add.

  2. In the Profile Name box, type a name for the credential.

  3. In the User Name box, type a unique user name.

  4. In the Password box, type a password for the user and then click OK.

Delete a user name and password credential

  1. In administration console, click Settings >Trust Store Management > User and Password Credentials.

  2. Select the check boxes for the credentials you want to delete, click Delete, and then click OK.

Managing certificates

Using the Trust Store Management, you can import, edit, and delete certificates that you trust on the server for validation of digital signatures and certificate authentication. You can import and export any number of certificates. After a certificate is imported, you can edit the trust settings and trust store type. Consider the following options when combining trust store types:

  • Trust for Certificate Authentication with CA: For CRL validation, also select Trust for Identity.

  • Trust for Certificate Authentication with ICA: Select only Trust for Identity . An ICA should not be trusted for Certificate Authentication. If you trust the ICA for Certificate Authentication, the ICA becomes a CA for path building. If the ICA is trusted for both Certificate Authentication and Identity, the CA vendor certificate is ignored because the ICA becomes the CA.

  • Trust for OCSP Server with HTTPs: If the OSCP respondent server resides at an HTTPs location, you must also select Trust for SSL Connections. If the OSCP respondent requires CRL validation, ensure that you also select Trust for Identity.

  • Adobe Root: Do not select SSL Connections or OCSP Server Trust Store Types. Adobe Root is not trusted for SSL Connections and OCSP Server. Adobe does not issue OCSP and SSL certificates. Adobe Root is implicitly trusted with an alias name="ADOBEROOT".

Only X509v3 certificates are supported. This certificate type can be supplied in a binary DER-encoded file (.cer file) or a text file that contains a Base64-encoded version of the same DER-encoded certificate (including X509 certificates in Privacy Enhanced Mail (PEM) format).

Certificates required to complete a signature verification must be in the same store (HSM or database).

You can also import and delete certificates using the Trust Manager API. For details, see “Importing certificates using the Trust Manager API” and “Deleting certificates using the Trust Manager API” in Programming with AEM forms .

Import a certificate

  1. In administration console, click Settings >Trust Store Management > Certificates.

  2. Click Import and, under Trust Store Type, select one of these options:

    • Trust for SSL Connections: Specifies that AEM forms can use certificates to connect to external systems over SSL.

    • Trust for Certify Signature: Specifies that certificates are trusted in document signing operations for certifying author digital signatures.

    • Trust for Signature: Specifies that certificates are trusted in document signing operations for non-author digital signatures.

    • Trust for Certificate Authentication: Specifies AEM forms uses certificates for authenticating users using certificate or smart card authentication.

    • Trust for OCSP Server: Specifies that AEM forms can use certificates to connect to external OCSP responders

    • Trust for Identity: Specifies that certificates can be used to trust information other than types specified above.

    Note: The trust store implicitly trusts an Adobe Root Certificate for certificate authentication, signature, certify signature, and identity.
  3. In the Alias box, type the identifier for the certificate.

  4. Click Browse to locate the certificate and then click OK.

Export a certificate

  1. In administration console, click Settings >Trust Store Management > Certificates.

  2. Click the alias name of the certificate to export. The Certificate Details page is displayed.

  3. Click Export, follow the directions to export the certificate, and then click OK.

Edit a certificate’s trust settings and trust store type

  1. In administration console, click Settings >Trust Store Management > Certificates.

  2. Click the alias name of the certificate to edit.

  3. Click Update Certificate.

  4. To change the Alias name of the certificate, type a new name in the Alias box.

  5. To update the trust store type for the certificate, select the appropriate trust store type.

  6. To update the policy restrictions, in the Certificate Policies box, type the policy information, and then click OK.

Delete a certificate

  1. In administration console, click Settings >Trust Store Management > Certificates.

  2. Select the check boxes for the certificates to delete, click Delete, and then click OK.

Managing certificate revocation lists

Using Trust Store Management, you can import, edit, and delete certificate revocation lists (CRLs). Base64 and DER-encoded certificate revocation lists are supported.

Import a CRL

  1. In administration console, click Settings >Trust Store Management > Certificate Revocation Lists, and then click Import.

  2. In the Alias box, type an identifier for the CRL.

  3. Click Browse to locate the CRL and then click OK.

Export a CRL

  1. In administration console, click Settings >Trust Store Management > Certificate Revocation Lists.

  2. Click the alias name of the CRL to export and then click Export.

  3. Follow the directions to export the CRL. CRLs are exported in Base64 encoding.

  4. Click OK.

Delete a CRL

  1. In administration console, click Settings >Trust Store Management > Certificate Revocation Lists.

  2. Select the check boxes for the CRLs to delete, click Delete, and then click OK.

// Ethnio survey code removed