Import CA Reply

In an opened KeyStore window, select a key pair entry and invoke the contextual menu (usually by clicking the right mouse button). In this menu select Import CA Reply. The CA Reply file is then selected in a file chooser.

Importing the CA Reply replaces the entry's self-signed certificate with a certificate chain. This chain is either the one returned by the CA in response to your request (if the CA Reply is a chain), or one constructed (if the CA Reply is a single certificate) by establishing a Trust Path from the CA Reply certificate to the trusted certificates available in the configured TrustStores (set from Tools > Options > Trust Path Options). If no Trust Path can be established but the user accepts the import anyway, the entry's chain becomes just the single certificate signed by the signing authority.

The import of a CA Reply involves a series of validations and, when the CA Reply is a single certificate, the steps needed to establish trust and construct the chain. Two types of validation are performed. The first type is critical and stops the import if it fails: for example, when the CA Reply contains a chain whose signatures do not verify, or when other errors occur during validation and import. The second type only informs the user that the CA Reply chain is not trusted, or that no Trust Path could be established for a single-certificate CA Reply; it displays the details of the top certificate of the CA Reply and lets the user choose whether the import should continue.

The chain of certificates in the received CA Reply is considered valid if the signature of each certificate verifies under the public key of the certificate on the next higher level in the chain. In addition, the CA Reply must correspond to the entry for which the import is performed: the public key of the first certificate in the chain must be equal to the public key of the self-signed certificate it is to replace in the selected key pair entry.

A CA Reply (whether a certificate chain or a single certificate) also has to be trusted. A received chain is considered trusted if its top certificate is trusted, that is, present in the TrustStores configured by the user. A CA Reply containing a single certificate is considered trusted if a Trust Path can be established for it using the trusted certificates in those TrustStores.

A screenshot for importing a CA Reply is depicted below:

The steps and validations for importing a CA Reply, in the order in which CERTivity® performs them, are as follows:

A CA Reply file is obtained by sending a CSR (Certificate Signing Request) to a Certificate Authority, which signs it and returns a CA Reply file (usually a PKCS#7 CA Reply file with the extension .p7r). A CSR file can be created with CERTivity® as described in the section Generate CSR File.
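The following is an added example and is not part of CERTivity® or of this page's original text. It is a stand-alone Go program that uses the standard crypto/x509 package to perform, on a constructed hierarchy generated in memory (a "Demo Root CA", a "Demo Issuing CA" and an entity certificate issued from the entity's CSR), both the CSR-to-CA-Reply step just described and the validations from the preceding paragraphs: signCSR plays the CA that checks the CSR's own signature and issues the certificate; importCAReply then verifies each certificate against the next higher one (fatal on failure), compares the first certificate's public key with the key pair entry's key (fatal on mismatch), and establishes trust either by finding a chain's top certificate in the TrustStore or, for a single certificate, by building a Trust Path to a TrustStore certificate, leaving the untrusted case to the user's acceptance. The function and type names (Reply, TrustStore, trustPath, importCAReply, BuildPKI), the hierarchy and the choice to treat every TrustStore certificate as a trust anchor are this example's own assumptions, and the CA side returns the issued certificate directly rather than wrapping it in a PKCS#7 (.p7r) file.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Reply is a CA Reply as read for import: reply[0] is the end-entity certificate and each
// later certificate signs the one before it. TrustStore holds the user's trusted certificates.
type Reply []*x509.Certificate
type TrustStore []*x509.Certificate

func must[T any](v T, err error) T { // setup helper: a failure here is a bug, not bad input
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// template is a minimal certificate; a CertSign key usage marks it as a CA for path validation.
func template(cn string, serial int64, ku x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: ku, BasicConstraintsValid: true, IsCA: ku&x509.KeyUsageCertSign != 0}
}

func issue(tmpl *x509.Certificate, pub any, issuer *x509.Certificate, key *ecdsa.PrivateKey) *x509.Certificate {
	if issuer == nil { // self-signed: the state of a new key pair entry before any CA Reply is imported
		issuer = tmpl
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, key))))
}

// signCSR is the CA side of "send a CSR, receive a CA Reply": the CSR's own signature proves
// possession of the key; the reply is an end-entity certificate for the CSR's subject and key.
func signCSR(csrDER []byte, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil || csr.CheckSignature() != nil {
		return nil, fmt.Errorf("CSR rejected: malformed or proof of possession failed")
	}
	return issue(template(csr.Subject.CommonName, 3, x509.KeyUsageDigitalSignature), csr.PublicKey, ca, caKey), nil
}

// trustPath returns the chain that replaces the self-signed certificate, or false if the reply is untrusted:
// a chain only if its top certificate is in the TrustStore, a single certificate only if a Trust Path to a
// TrustStore certificate can be built (every TrustStore certificate acts as an anchor here).
func trustPath(reply Reply, store TrustStore) ([]*x509.Certificate, bool) {
	anchors := x509.NewCertPool()
	for _, c := range store {
		if len(reply) > 1 && reply[len(reply)-1].Equal(c) {
			return reply, true
		}
		anchors.AddCert(c)
	}
	if len(reply) > 1 {
		return nil, false
	}
	chains, err := reply[0].Verify(x509.VerifyOptions{Roots: anchors})
	if err != nil {
		return nil, false
	}
	return chains[0], true
}

// importCAReply runs the checks in the import's order: chain validity and key match are fatal,
// lack of trust is only reported and the user decides whether to continue anyway.
func importCAReply(reply Reply, entryKey *ecdsa.PrivateKey, store TrustStore, userAccepts bool) ([]*x509.Certificate, error) {
	for i := 0; i+1 < len(reply); i++ { // each signature must verify under the next higher public key
		if err := reply[i].CheckSignatureFrom(reply[i+1]); err != nil {
			return nil, fmt.Errorf("certificate %d is not signed by certificate %d: %w", i, i+1, err)
		}
	}
	if len(reply) == 0 || !entryKey.PublicKey.Equal(reply[0].PublicKey) {
		return nil, fmt.Errorf("CA Reply is empty or does not match the public key of the selected key pair entry")
	}
	if chain, ok := trustPath(reply, store); ok {
		return chain, nil
	} else if userAccepts {
		return reply, nil // untrusted but accepted: stored as received, no chain constructed
	}
	return nil, fmt.Errorf("CA Reply is not trusted and the import was not accepted")
}

// BuildPKI constructs root -> issuing CA -> entity (issued from the entity's CSR); returns the three certificates and the entity key.
func BuildPKI() (*x509.Certificate, *x509.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	rootKey, interKey, entityKey := newKey(), newKey(), newKey()
	root := issue(template("Demo Root CA", 1, x509.KeyUsageCertSign), &rootKey.PublicKey, nil, rootKey)
	inter := issue(template("Demo Issuing CA", 2, x509.KeyUsageCertSign), &interKey.PublicKey, root, rootKey)
	csr := must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: "entity"}}, entityKey))
	return root, inter, must(signCSR(csr, inter, interKey)), entityKey
}
```

Calling importCAReply with Reply{leaf} and TrustStore{root, inter} returns the constructed Trust Path (entity certificate followed by the issuing CA), while the same single certificate against TrustStore{root} alone has no path and is imported only if userAccepts is true. A chain such as Reply{leaf, root} that skips the issuing CA fails the signature check, and a reply issued for a different key pair fails the key comparison; both are refused regardless of acceptance, matching the distinction between critical and informational validations above.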

The CA Reply can also be obtained by using CERTivity® itself to sign the CSR file, by performing the following steps: