Identity Server uses the key pairs (NAM-RP-Certificate) associated with the NAM-RP Reverse Proxy Service (Access Manager > Devices > Access Gateway > [AG-Cluster] > NAM-RP) for secure communication. In a production environment, you should exchange the NAM-RP-Certificate that is created at the installation time with certificate from a trusted certificate authority.
Identity Server uses the key pair for following scenarios:
To establish SSL communication between Identity Server and the browsers and between Identity Server and Access Gateway for back-channel communications.
To sign authentication requests, to sign communication with providers on the SOAP back channel, and to sign Web Service Provider profiles.
To encrypt specific fields or data in the assertions. For more information about the services that use the certificate for encryption, see Section 12.4.2, Viewing Services That Use the Encryption
To enable secure communication between the user store and Identity Server, you can also import the trusted root certificate of the user store. For configuration information, see Section 2.2, Configuring Identity User Stores.
This section describes the following tasks: