Certificates, keys and public key infrastructure
Key material is used for various tasks in nevisAuth:
- Data signing (e.g., identity token signing)
- Data encryption (e.g., SAML response encryption)
- Transport security (SSL/TLS) in the front end (server)
- Transport security (SSL/TLS) in the back end (e.g., LDAPS or HTTPS connections)
- Certificate validation (expiration checking, trust validation, revocation checking)
Key material can be stored in the file system, on an HTTP web server, in an LDAP directory or on a hardware security module (HSM). Certificates stored in the file system, on an HTTP server or in LDAP are refreshed frequently unless configured otherwise. Instead of configuring the path or URL of a resource directly, it is also possible to use resource pools, which provide failover or load balancing across several resource locations.