...
use-case: Signing and validation of the configuration files
configured in these applications:
Identity Manager Admin
Identity Manager Operator
certificate requirements:
if key usage extension is critical, then digitalSignature is required
issuing certificate has to be installed in the Identity Manager trust-store
certificate must not be self-signed
storage: pkcs12, HSM (recommended)
versioning: possible, but unnecessary (it is sufficient that the certificate that signed the old configs is trusted via the IDM truststore)
supported digest value: SHA-256 (selecting SHA-384 or SHA-512 only affects MANIFEST.MF; all other parts always use SHA-256)
general requirements:
placeholder allowed only if config ZIP signing and verification are disabled
key requirements:
supported types:
RSA 2048
RSA 3072
RSA 4096 (recommended)
certificate requirements:
if key usage extension is critical, then digitalSignature is required
issuing CA cert must be in IDM truststore
must not be self-signed!
validity considerations:
if expired, download is blocked unless ZIP signing is disabled
if expired, config upload will fail with the message "Verification failed. The certificate has expired."
issues if not configured as above:
export is blocked unless ZIP signing is disabled
verification does not work, ZIP appears unsigned
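A check of a candidate config-signing certificate against the requirements listed above, as an added example using only Go's standard library (not code from the Identity Manager product; the test CA, the two candidate certificates and the certificate pool standing in for the IDM trust store are all constructed inside the example):

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// CheckConfigSigningCert lists the requirements above that cert violates (empty = passes); roots stands in for the IDM trust store.
func CheckConfigSigningCert(cert *x509.Certificate, roots *x509.CertPool, now time.Time) (problems []string) {
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); !ok || (pub.N.BitLen() != 2048 && pub.N.BitLen() != 3072 && pub.N.BitLen() != 4096) {
		problems = append(problems, "key is not RSA 2048/3072/4096") // the only supported key types
	}
	for _, ext := range cert.Extensions { // 2.5.29.15 is keyUsage: when marked critical, digitalSignature is required
		if ext.Id.Equal([]int{2, 5, 29, 15}) && ext.Critical && cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
			problems = append(problems, "critical keyUsage extension without digitalSignature")
		}
	}
	if cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil {
		problems = append(problems, "certificate is self-signed") // it verifies under its own public key
	}
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil { // reports expiry as well as an issuer missing from the trust store
		problems = append(problems, "validity/trust-store check failed: "+err.Error())
	}
	return problems
}
// newCert is a constructed test helper: it issues a certificate signed by parent, or self-signed when parent is nil (Go always emits keyUsage as critical).
func newCert(cn string, bits int, usage x509.KeyUsage, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, bits)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: usage, IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
func main() {
	ca, caKey := newCert("Test IDM CA", 2048, x509.KeyUsageCertSign, true, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	good, _ := newCert("config-signer", 2048, x509.KeyUsageDigitalSignature, false, ca, caKey)
	bad, _ := newCert("config-signer", 2048, x509.KeyUsageKeyEncipherment, false, nil, nil)
	fmt.Println(CheckConfigSigningCert(good, roots, time.Now()), CheckConfigSigningCert(bad, roots, time.Now()))
}
```

The CA-issued certificate passes, while the self-signed one is reported for its critical keyUsage without digitalSignature, for being self-signed and for its issuer being absent from the trust store; evaluating the good certificate at a time after NotAfter reports only the expiry.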
...