In an opened KeyStore window, select a key pair entry and invoke the
contextual menu (usually by clicking the right mouse button). In this menu
Import CA Reply .
The CA Reply can be chosen from a file chooser.
Importing the CA Reply will replace your self-signed certificate
with a certificate chain. This chain will be either the one returned by
the CA in response to your request (if the CA reply is a chain) or one
constructed (if the CA reply is a single certificate) by establishing a
Trust Path using the CA Reply certificate and the trusted certificates
available in the given TrustStores (which can be set from
Options > Trust Path Options). It can also be a single
certificate which is signed by a signing authority, if the Trust Path
could not be established but the user accepts the import.
The process of importing a CA Reply is more detailed and implies a series of validations and steps for establishing trust or constructing the chain from the CA Reply if it is a single certificate. There are two types of validations performed: one type which is critical and stops the validation process if it fails (if the CA Reply contains a chain and the chain is not valid, or other errors occur durring the validation and import process), and one type which will inform the user that the CA Reply chain is not trusted or that a Trust Path could not be established for the given CA Reply (if it is a single certificate) and lets the user choose if the import process should continue or not by displaying the details of the top certificate of the CA Reply.
The chain of certificates representing the received CA Reply is considered to be valid if the signature of each certificate is verified by the public key of the certificate on the next higher level in the chain. Also, for the import process to be able to be performed, it is necessary that the chain of the CA Reply to correspond to the entry for which the import is being made. This means that the public key of the first certificate in the chain to be equal to the public key of the self-signed certificate which it should replace in the Key Pair selected for performing the import.
A CA Reply (either containing a certificate chain or a single certificate) has to be trusted. The received chain is considered to be trusted if the top certificate is trusted, which means, to be present in the TrustStores set by the user. Also, a CA Reply containing a single certificate is considered to be trusted if a Trust Path can be established for it using the trusted certificates in the TrustStores set by the user.
A screenshot for importing a CA Reply is depicted below:
The steps and validations for importing a CA Reply and the order in which they are performed in CERTivity® are as following:
First, if the CA Reply contains a chain, the chain is verified to not contain any loops. If any loop is detected you will be informed by a warning message that the CA Reply contains a loop and you will be asked to decide if the import operation should continue or not. If this loop is not a mutual trust loop, we advise you not to import the CA Reply;
Then, the CA Reply is verified to belong to the entry for which it should be imported. This means that the public key of the first certificate from the chain is tested to be equal to the public key of the certificate from the Key Pair for which the import attempt is performed. If the CA Reply does not belong to this entry, the import process will stop and you will be informed by an error message that the CA Reply does not belong to that entry.
The error message will contain the information "
public key of the CA Reply does not match the public key of the key
pair entry", as it can be seen in the screenshot
If the CA Reply contains only a single certificate, a valid
trusted certificate chain (a Trust Path) is attempted to be
established using the certificates present in the available
TrustStores (set from
Tools > Options > Trust Path
Options). If this is not possible, the certificate from the
CA Reply will be displayed and you will be prompted to take a
decision if the CA Reply should be trusted and imported as it is or
If the CA Reply contains a chain of certificates, the chain is sorted to have the root certificate last and the user certificate first (if this is not already sorted in this way); The chain is then verified for validity which means that for each certificate is checked that its signature is verified by the public key of the certificate at the next higher level in the chain and that its issuer is equal to the subject of the higher level certificate; if the chain is not valid, the import process will stop and you will be informed by an error message that the CA Reply does not contain a valid certificate chain;
If the chain is valid, then the top certificate of the chain
is verified if it is trusted by searching it in the the available
TrustStores (set from
Tools > Options > Trust Path
Options). If it is, then the CA Reply is imported. Else, the
top certificate of the chain will be displayed and you will be
prompted to take a decision if the CA Reply should be trusted and
imported or not;
For example, if the top certificate of a CA Reply is not found within any of the available TrustStores, the following message will be displayed:
If "No" is selected or the dialog is closed, the import operation will be aborted.
If "Yes" is selected, the certificate will be displayed in a dialog with the options "Accept Import" to continue the import, or "Cancel Import" to abort the operation which can be seen in Certificate Trust Established by User.
A CA Reply file can be obtained by sending a CSR (Certificate Signing Request) to a Certificate Authority, which will sign it and send back a CA Reply file (usually a file of the type PKCS#7 CA Reply File, having the extension .p7r). Creating a CSR file can be done using CERTivity® as it is described in the section Generate CSR File.
The CA Reply can also be obtained using CERTivity® to sign the CSR file, by performing the following steps:
Select a Key Pair entry, and generate a CSR file (as described in the section Generate CSR file). A CSR file will be obtained;
Sign the CSR file obtained at the previous step. The process for signing CSR files is explained in the section Signing CSR Files. The resulting file will be the actual CA Reply file which can then be imported for the Key Pair for which the CSR file was generated;
Import the CA Reply for the corresponding Key Pair entry.