XML Keystores lets you manage and store sets of keys and certificates for the XML Encrypt, XML Decrypt, XML Sign, XML Signature Verify, Key Encryption, Key Decryption, Key Signature and Key Signature Verify nodes.
The supported format is PEM, and it is possible to add private keys (generally with the .key extension), public keys (.pem or .pub), and certificates (.crt, .pem, etc.) including certificates from Certificate Authorities.
Creating a store
To create a store, click the Options button at the right of the drop-down list and click Add. Give the store a name, then click OK.
Store can be renamed or deleted using Modify or Remove, respectively, under the Options button.
Inserting a Keystore element
The following combinations can be created:
- a private key alone,
- a public key alone,
- a certificate (containing a public key) alone,
- a private key + its certificate,
- a certificate from a Certificate Authority.
XML nodes and keystore:
The encrypting nodes XML Encrypt and Key Encryption use a public key or a certificate independently to encrypt data.
The decryption nodes XML Decrypt and Key Decryption generally use a private key to decrypt data.
The signing nodes XML Sign and Key Signature use a private key to sign data.
The signature verification nodes XML Signature Verify and Key Signature Verify use, independently, a public key, the certificate (corresponding to the private key used to sign the data) or the certificate from a Certificate Authority to verify the signing of data.
To insert an element, click the Add button. The button is active if and only if a store is selected.
- Name: The unique identifier of the element.
This identifier must not be set at random because it enables the XML Decrypt node to retrieve the right private key when a Keystore containing several keys is used. This string is sent in the XML in the //KeyInfo/KeyName XML attribute. It’s important to know this identifier in order to set the same value of the parameter.
The XML Encrypt node shows this identifier in the encrypted XML, in the //KeyInfo/KeyName XML attribute.
When no private key corresponds, the XML Decrypt node attempts to decrypt the XML message with the first private key in the Keystore.
- Private or public key: A file containing a private key or a public key. This parameter is optional if the Certificate file is indicated (therefore at least one of the two is required).
- Private key password: The password for decrypting the private key. Necessary only if the key is password-protected.
- Certificate: The file containing the certificate associated with the key. This parameter is optional if the Private or public key file is indicated (therefore at least one of the two is required).
This file is necessary for certain parameters of the XML Sign
node (Provide X509 Certificate and Provide key value), in addition to the private key.
- Trust Forced: If the box is checked the certificate will be considered as coming from a trusted source. This option is used by the XML Signature Verify node and avoids having to insert the entire certification string (or, for example, to restrict signature verifications to supplied certificates only).
Once uploaded, an element of the XML Keystore can no longer be modified. In particular, adding a public certificate corresponding to a private key must be done at the same time. If not, the key pair will have to be uploaded again.