XKMS Response Signing key(s) are required in order for the XKMS Service to sign the responses it sends back to the client applications. Also, XKMS Request Signing key(s) may be required if signed requests are forwarded to peer XKMS servers for revocation checking of certificates issued by non-registered CAs. In both cases, ADSS Key Manager is used to generate the required keys on ADSS Server.

ADSS Server Key Manager can generate new keys or alternatively import keys that were generated externally by using the Import Key button. Note that imported keys must be in a PKCS#12/PFX format. See section Generating New Keys and Importing Keys to find out more about generating/importing keys in Key Manager. When generating a key for XKMS response signing then select the purpose as “XKMS Response Signing ”  and for the request signing select “XKMS Request Signing”. Keys already existing within an HSM can also be used by ADSS Server; see the Key Manager chapter on how to configure an HSM Crypto Source.  

Once the key pair is generated, the public key needs to be certified either by creating a Self Signed Certificates and/or Delegated Certificates. Typically an XKMS Server acts as a trust anchor so self-signed certificates are preferred, however this choice depends on the trust model.


See also

Step 2 - Registering CAs
Step 3 - Configure CRL Monitor

Step 4 - Configuring XKMS Profile
Step 5 - Registering Business Applications
Step 6 - Using the Service Manager