Digital certificates are required for use with Digital Signatures.
Although you can configure and manage digital certificates after you
install and configure LiveCycle, obtaining them before you install
ensures that you are ready to use LiveCycle as soon as it is deployed.
Digital certificates are obtained from a Certificate Authority (CA)
and delivered to you by email or over the web as a certificate file.
In LiveCycle terminology, a certificate is a public key bound to an
identity, and a credential is the private key that matches it. The
public key in a certificate is used to encrypt documents for its
owner and to verify that owner's signatures; the private key
(credential) is used to decrypt and to sign. A certificate never
contains the private key itself: it identifies the subject, who keeps
the private key securely stored in an encrypted file (a PKCS #12
credential) or in a Hardware Security Module (HSM).
You can use Internet Explorer (Windows) or OpenSSL (AIX, Linux, and
Solaris) to export PFX, P12, and CER files for certificates held in
any compatible certificate store on your computer. Because a PFX file
carries the private key, it can be exported only if the certificate
store or the credential itself permits it; on Windows this means the
private key must have been marked exportable when it was imported. A
CER file holding the public key that corresponds to a credential can
also be exported from a PFX file by using either Internet Explorer or
OpenSSL.
Note: You can configure and manage certificates, credentials, and
Certificate Revocation Lists (CRLs) for use with LiveCycle by using
Trust Store Management, which is accessible through the web-based
Administration Console. (See Administration Help.)
The CRL distribution point, an X.509v3 extension in the certificate,
tells you where to download the CRL that applies to a particular CER
or PFX file. Check it so that revocation checking has a source before
the credential is put into service.
The following file types are supported:
Certificates: DER-encoded X.509v3 and base64-encoded certificate
(.cer) files. Certificates that verify the trust.xml file can be
either DER-encoded or base64-encoded.
Credentials: RSA and DSA credentials up to 4096 bits in standard
PKCS #12 format (.pfx and .p12 files).
CRLs: Base64-encoded and DER-encoded CRL files.
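As an added example, not code from the original page and not Adobe's or LiveCycle's own tooling, the following POSIX shell script carries out the OpenSSL side of the export procedure described above and checks the result against the supported file types just listed: it builds a throwaway RSA credential with a CRL distribution point extension, packages it as a PKCS #12 (.pfx) file, exports the matching public certificate as a base64 .cer and as a DER .cer, reads the CRL distribution point URI out of the certificate, confirms that the key is RSA or DSA and no larger than 4096 bits, and confirms that the exported CER really belongs to the credential. The subject name, the CRL URL, the password and the file names are constructed for the demo; a real credential comes from your CA.

```shell
#!/bin/sh
# Added example (not Adobe's or LiveCycle's own tooling). Round-trips a
# credential through the file formats LiveCycle accepts using only the
# OpenSSL command line. Subject, CRL URL, password and paths are assumed.

# Build a throwaway self-signed RSA credential that carries a CRL
# distribution point extension, then package key + cert as PKCS #12.
make_test_credential() {   # $1 = work dir, $2 = PFX password
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Constructed LiveCycle test signer" \
    -addext "crlDistributionPoints=URI:http://crl.example.test/signer.crl" \
    -keyout "$1/key.pem" -out "$1/cert.pem"
  openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
    -passout "pass:$2" -out "$1/cred.pfx"
}

# Export the public certificate from a PFX as base64 (.cer, PEM) and as
# DER (.cer, binary); Trust Store Management accepts either encoding.
export_cer_from_pfx() {   # $1 = pfx, $2 = password, $3 = PEM out, $4 = DER out
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$3" &&
  openssl x509 -in "$3" -outform DER -out "$4"
}

# Print the first URI in the certificate's CRL Distribution Points
# extension, i.e. where the matching CRL can be downloaded.
crl_distribution_point() {   # $1 = certificate (PEM)
  openssl x509 -in "$1" -noout -ext crlDistributionPoints |
    sed -n 's/^ *URI://p' | head -n 1
}

key_algorithm() {   # $1 = certificate (PEM); prints e.g. rsaEncryption
  openssl x509 -in "$1" -noout -text |
    sed -n 's/.*Public Key Algorithm: //p' | head -n 1
}

key_bits() {   # $1 = certificate (PEM); prints e.g. 2048
  openssl x509 -in "$1" -noout -text |
    sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Succeeds only for RSA or DSA keys of at most 4096 bits, the credential
# types listed as supported above.
check_supported() {   # $1 = certificate (PEM)
  alg=$(key_algorithm "$1"); bits=$(key_bits "$1")
  case "$alg" in rsaEncryption|dsaEncryption) ;; *) return 1 ;; esac
  [ -n "$bits" ] && [ "$bits" -le 4096 ]
}

# Succeeds when the public key inside the .cer is the one derived from
# the private key, i.e. the CER belongs to this credential.
cer_matches_key() {   # $1 = certificate (PEM), $2 = private key (PEM)
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

demo() {
  dir=$(mktemp -d)
  make_test_credential "$dir" changeit
  export_cer_from_pfx "$dir/cred.pfx" changeit "$dir/pub.cer" "$dir/pub.der"
  echo "CRL distribution point: $(crl_distribution_point "$dir/pub.cer")"
  echo "Key: $(key_algorithm "$dir/pub.cer"), $(key_bits "$dir/pub.cer") bits"
  check_supported "$dir/pub.cer" && echo "credential type is supported"
  cer_matches_key "$dir/pub.cer" "$dir/key.pem" && echo "CER matches credential"
  rm -rf "$dir"
}

if command -v openssl >/dev/null 2>&1; then demo; else echo "openssl not found" >&2; fi
```

The script needs OpenSSL 1.1.1 or later, since the -addext and -ext options were introduced in that release. The check_supported function is the kind of gate worth running before uploading a credential through Trust Store Management: an EC key or an RSA key larger than 4096 bits is not in the supported list above, and it is cheaper to find that out at the command line than after the upload fails.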
Maintaining the security of private keys (credentials) is critical:
anyone who obtains a signing key can produce signatures that are
indistinguishable from yours, and anyone who obtains a decryption key
can read the documents protected with it. A dedicated hardware device,
a Hardware Security Module (HSM), typically provides the highest level
of protection because the private key never leaves the device. If you
do not use an HSM, store highly sensitive private keys in
password-protected, encrypted PKCS #12 files in a safe place, and
protect the password separately from the file.
Digital Signatures supports the industry-standard PKCS #11 interface
to communicate with HSMs. Your HSM vendor can provide the resources and
tools that you need to install and configure an HSM storage system.