Manage PGP certificates

PGP certificates must be associated with every community and partner engaged in secure trading via PGP. The following topics cover PGP certificate management.

Add a PGP certificate for a community

Use this procedure to add a PGP certificate and associate it with a community. A community needs at least one PGP certificate to exchange PGP-encrypted and PGP-signed messages with partners.

When you add a community, you have the option of adding a certificate for the community. This option is for X.509 certificates only. You can associate a PGP certificate with an existing community following this procedure.

Create or add a PGP certificate

  1. Click Certificates on the navigation graphic on the community summary page to display the certificates page. Click the task Add a PGP certificate near the bottom of the page to launch the PGP certificate wizard.
  2. Select an option and click Next:
    • Create a PGP certificate. Select this to have Activator generate a self-signed PGP certificate. Go to step 3.
    • Import a PGP secret keyring. Select this to have Activator import a PGP certificate that has been generated by an external, third-party PGP tool. Go to step 4.

Generate self-signed PGP certificate

  1. If you selected Create a PGP certificate in step 2, complete the fields and click Finish. You can accept the default values or choose your own.
  2. Typing a name for the certificate is optional. Whether you select RSA or DSA as the key algorithm does not matter, but DSA keys take longer to generate.
  3. Select an encryption key length. The following are the available encryption key lengths:
    • 512 – Normal encryption
    • 1024 – Strong encryption. 1024 or higher is recommended for high-value EDI transactions.
    • 2048 – Very strong encryption
    • 3072 – Very strong encryption
    • 4096 – Very strong encryption
  4. For the validity period, to change the default value of 2 years, type the length of time you want the certificate to be valid in the validity period field and select days, months or years from the drop-down list.

Import a PGP secret keyring from a file

  1. If you selected Import a PGP secret keyring in step 2, complete the fields and click Finish.
  2. Click Browse to select a private keyring file. File extensions of keyring files vary depending on the external PGP tool used to generate them. Examples of private keyring extensions are GPG and SKR.
  3. Type the passphrase that protects the private keyring. If there are multiple keys in the keyring, all must use the same passphrase.

Select default PGP certificate

  1. Make sure the community has a default PGP certificate. If a community has only one PGP certificate, Activator makes it the default. But if a community has two or more, you can pick one as the default for signing and encrypting messages. The following are the steps:
    1. Click Certificates on the navigation graphic on the community summary page to display the certificates page.
    2. Select the PGP personal certificates tab.
    3. Select a PGP certificate from the drop-down list and click Save changes to make it the default.

Export a community PGP certificate

Use this procedure to export a community PGP certificate and its key to a file. You must do this if your partner uses an interoperable gateway other than Activator.

If your partner uses Activator, skip this procedure. PGP certificates are included when a community profile is exported as a partner profile. Exchanging profiles is typical when both parties in a trading relationship use Activator.

  1. Click Certificates on the navigation graphic on the community summary page to display the certificates page.
  2. Select the PGP personal certificates tab.
  3. Click the key ID of a certificate to open its details page.
  4. Click the task Export this certificate near the bottom of the page.
  5. Select one of the following:
    • PGP public key. This option is recommended and enables you to provide a secure public key to your partner.
    • Complete PGP key. Caution: Select this option only if you must export your private key and understand the security risk. Ensure you provide and confirm a password.
  6. If you want to export the certificate in binary format, clear the Export output in an encoded ASCII format (ASCII-armored) check box.
  7. Click Export and select the location where you want to save the file.
  8. Give the file to your trading partner. If you send the file by email, use WinZip or another compression tool to compress the file before sending. This protects the integrity of the file.

Import a PGP certificate for a partner

Use this procedure to import a PGP certificate and its public key for a partner profile. You must do this if your partner uses an interoperable gateway other than Activator.

If your partner uses Activator, skip this procedure. PGP certificates are included when a community profile is exported as a partner profile. Exchanging profiles is typical when both parties in a trading relationship use Activator.

This procedure presumes you have already added the partner profile and only need to import the partner’s certificate.

  1. Get from your partner the file containing your partner’s PGP certificate and public key. Put the file in an accessible directory on your system.
  2. Click Certificates on the navigation graphic on the partner summary page to display the certificates page.
  3. Click the task Add a PGP certificate near the bottom of the page to launch the import wizard.
  4. Click Next.
  5. Click Browse, select a public key file with an extension of ASC and click Finish to import it.
  6. Make sure the partner has a default PGP certificate. If a partner has only one PGP certificate, Activator makes it the default. But if a partner has two or more, you can pick one as the default for encrypting messages. The following are the steps:
    1. Click Certificates on the navigation graphic on the partner summary page to display the certificates page.
    2. Select the PGP certificates tab.
    3. Select a PGP certificate from the drop-down list and click Save changes to make it the default.

PGP certificate field descriptions

You can open a page to view details of PGP certificates used by communities and partners.

For a community, use the PGP personal certificates tab to view or change the default PGP certificate. You can also add or delete PGP certificates and view details about the certificates.

For a partner, view details about PGP certificates on the PGP certificates tab.

You cannot use the certificates page at System management > Manage certificates to search for PGP certificates. That page is only for X.509 certificates.

To display the PGP certificates tab:

  • Click Certificates on the navigation graphic at the top of a community or partner summary page.
  • For a community, select the PGP personal certificates tab; for a partner, select the PGP certificates tab.
  • Click the key ID of a certificate to open its details page.

The following describes the fields on the details page for a PGP certificate.

General tab

  • Name – A name for the certificate. This can be any name you want.
  • User name – The name of the person or entity owning the certificate. For a self-signed certificate generated by Activator, the name defaults to the community name and the e-mail address of the community contact.
  • Key ID – The identification of the master key. This key is also known as the signing key.
  • Fingerprint – Fingerprints are a way to verify the source of a certificate. After you import or export a certificate, you can contact your partner and ensure the fingerprints at both ends are identical. Do this before attempting to exchange documents. If the fingerprints do not match, one of the certificates might be corrupted or out of date.
  • Key Algorithm – The algorithm used to generate the certificate.
  • Key Length – Key length indicates encryption strength. The larger the number, the stronger the key.
  • Created – The date the certificate was generated.
  • Expires – The date the certificate expires. Some PGP certificates do not have expiration dates.
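The export procedure above (ASCII-armored output, file integrity) and the Key ID, Fingerprint, Key Algorithm and Key Length fields just described can be seen together in one small script. This is an added example, not Activator's own code: it builds a minimal OpenPGP v4 RSA public-key packet from a constructed toy modulus (not a usable key), armors it the way an ASCII-armored export does, and parses it back to recover the fields shown on the details page; the fingerprint and key ID are computed as defined in RFC 4880, and the armor CRC is what catches a key file mangled in transit.

```python
# Added example, not Activator's own code. The modulus is a constructed toy value.
import base64, hashlib, struct

def crc24(data: bytes) -> int:  # armor checksum, RFC 4880 section 6.1
    crc = 0xB704CE
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF

def mpi(n: int) -> bytes:  # multi-precision integer: 2-byte bit length, then value
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def rsa_public_key_packet(n: int, e: int, created: int) -> bytes:
    # Tag-6 public-key packet: old-style header 0x99, 2-byte length, v4 body, algorithm 1 = RSA
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)
    return b"\x99" + struct.pack(">H", len(body)) + body

def armor(packet: bytes) -> str:
    """Radix-64 armor with the trailing '=' CRC line, as in an ASCII-armored (.asc) export."""
    b64 = base64.b64encode(packet).decode()
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", ""]
                     + [b64[i:i + 64] for i in range(0, len(b64), 64)]
                     + ["=" + crc, "-----END PGP PUBLIC KEY BLOCK-----"])

def dearmor(text: str) -> bytes:
    """Reverse armor(); the CRC check catches a key file mangled in transit."""
    lines = text.strip().splitlines()[1:-1]
    body = lines[lines.index("") + 1:]  # everything after the armor headers
    data = base64.b64decode("".join(ln for ln in body if not ln.startswith("=")))
    crc_line = next(ln for ln in body if ln.startswith("="))
    if base64.b64decode(crc_line[1:]) != crc24(data).to_bytes(3, "big"):
        raise ValueError("armor CRC mismatch: the key file is corrupted")
    return data

def describe_key(packet: bytes) -> dict:
    """Details-page fields: fingerprint = SHA-1(0x99 || len || body), key ID = its low 64 bits."""
    tag, length = packet[0], struct.unpack(">H", packet[1:3])[0]
    body = packet[3:3 + length]
    if tag != 0x99 or len(body) != length or body[0] != 4:
        raise ValueError("not a v4 public-key packet")
    algo = {1: "RSA", 17: "DSA"}.get(body[5], "other")
    bits = struct.unpack(">H", body[6:8])[0]  # first MPI: RSA n (or DSA p)
    fpr = hashlib.sha1(b"\x99" + struct.pack(">H", length) + body).hexdigest().upper()
    return {"algorithm": algo, "key_length": bits, "fingerprint": fpr, "key_id": fpr[-16:]}

TOY_PACKET = rsa_public_key_packet((1 << 1023) + 12345, 65537, 1700000000)
```

Comparing `describe_key(...)["fingerprint"]` on both ends is the fingerprint check the Fingerprint field recommends; a single changed byte in the key material yields a different fingerprint.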

Subkeys tab

This tab displays all keys within a certificate. If it is a self-signed certificate generated by Activator, the first key in the list is the master key and the second is the encryption key. Imported certificates may have many subkeys, some of which may be expired or revoked. This provides a view of the certificate’s key history.

Signatures tab

This tab displays all entities that have signed a certificate. A signer indicates a level of trust ranging from low to high. For example, a self-signed certificate is by default signed by the community that generated the certificate within Activator. The community gives the certificate a positive level, which is a high level of trust.