Digital Certificate Management

On this page:

Digital Certificate Management provides you with a central location from which to manage digital certificates. A digital certificate is an attachment to an electronic message used for security purposes. The attachment, which contains a public key and a variety of other identification information, is used to encrypt and decrypt messages to protect them against third party tampering.

PowerSchool Certificates

PowerSchool uses two digital certificates to secure communication with your PowerSchool server. This includes the server certificate used to enable SSL and possibly the client certificate used to access secure web services on other systems.

The PowerSchool server certificate is stored in the keystore. The keystore is a repository where public/private key pairs are stored. The X.509 client certificate may also be stored here if it was issued with a private decryption key. Otherwise, it is stored in the truststore.

Note: For example, Verisign issues a server certificate that also serves as a X.509 client certificate. It contains three parts: the public encryption key, the private decryption key, and the X.509 client certificate. Because the client certificate was issued with a private key, it would be stored in the keystore. StartSSL.com and other providers offer free or low-cost X.509 client certificates that are primarily used to sign emails. These certificates are stand-alone and rely on the root certificate for the Certificate Authority to be trusted. Therefore, they would be stored in the truststore. For more information, see External Server Certificates.

Import a PowerSchool Certificate

1. On the start page, choose System under Setup in the main menu. 
2. Under Server, click System Settings. 
3. Click Digital Certificate Management. 
4. Select the Key Store tab, if needed.

5. Use the following table to enter information in the Import Digital Certificate fields:

   Field	Description
   Select an Option	Do one of the following: Choose I have a public and private key pair from the pop-up menu if you have your public key in one file and your private key in another file. Choose I have one file and a password from the pop-up menu if you have your private key and certificate authority (CA) signed certificate (such as Verisign, Start SSL) in the same file and the private key is password protected. Choose I have one file and no password from the pop-up menu if you have your private key and CA signed certificate in the same file and the private key is not password protected. Choose I have two files and a password from the pop-up menu if you have your private key in one file and CA signed certificate in another file and the private key is password protected. Choose I have two files and no password from the pop-up menu if you have your private key in one file and CA signed certificate in another file and the private key is not password protected. Choose I would like to create and import a self-assigned certificate from the pop-up menu if you want to create a private key and self signed certificate. This option is used for test purposes. For example, you may want to test SSL or SAML communication between PowerSchool and NTC servers before setting up a production server. Note: How do I know if my private key is password protected or not? If you generated the private key yourself using a command line tool, such as keytool, openssl, CertReq.exe, etc., or CA provided tool, such as Verisign, then you already know if the private key is password protected or not. If the private key was given to you by another person, such as from your IT department, that person should indicate if the private key is password protected or not and if it is, what the password is. Note: Once you select an option, the appropriate fields display.
   Certificate Name	Enter a name for the PowerSchool certificate to be used in lists. Note: Do not use [System] in the name, as it is reserved by PowerSchool. If [System] is entered, the following message appears, "Certificate name cannot start with [System]". Note: This field only appears if applicable to the selected option.
   File 1	Click Choose File and select a certificate. Note: This field only appears if applicable to the selected option.
   File 2	Click Choose File and select a certificate. Note: This field only appears if applicable to the selected option.
   Key Pair Name	Enter a name for the PowerSchool key pair to be used in lists. Note: This field only appears if applicable to the selected option.
   Password	Enter your password. Note: This field only appears if applicable to the selected option.
   Public Key	Click Choose File and select the file that contains a valid public key. Note: This field only appears if applicable to the selected option.
   Private Key	Click Choose File and select the file that contains a valid private key. Note: This field only appears if applicable to the selected option.

6. Click Import.
7. Repeat Step 6 and Step 7 for each PowerSchool certificate you want to import. The imported PowerSchool certificate or key pair appears in the List of Certificates with Private Key section.
   Note: If a key pair was imported, the key pair appears below the certificates in alphabetical order as [keys] [name].

View a PowerSchool Certificate

1. On the start page, choose System under Setup in the main menu. 
2. Under Server, click System Settings. 
3. Click Digital Certificate Management. 

4. Select the Key Store tab, if needed. The List of Certificates with Private Key section displays the following information:

   Field	Description
   [Status]	The status/validity of the certificate or key pair: Checkmark indicates the certificate is valid. Exclamation mark indicates the certificate will expire in next 30 days. Double exclamation mark indicates the certificate is invalid.
   Certificate Names	The name of the certificate or key pair.
   Actions	Actions that can be taken for the certificate or key pair.

5. Click View next to the name of the PowerSchool certificate or key pair you want to view.

Export a PowerSchool Certificate

1. On the start page, choose System under Setup in the main menu. 
2. Under Server, click System Settings. 
3. Click Digital Certificate Management. 
4. Select the Key Store tab, if needed.
5. In the List of Certificates with Private Key section, click Export next to the name of the PowerSchool certificate or key pair you want to export. The PowerSchool certificate is then saved to your Downloads folder.

Delete a PowerSchool Certificate

1. On the start page, choose System under Setup in the main menu. 
2. Under Server, click System Settings.
3. Click Digital Certificate Management. 
4. Select the Key Store tab, if needed.
5. In the List of Certificates with Private Key section, click Delete next to the name of the PowerSchool certificate or key pair you want to remove. 
6. Click Yes. 

External Server Certificates

External server certificates are the digital certificates of servers that you want your PowerSchool server to trust and be able to communicate with.

External server certificates are stored in the Trust Store. The Trust Store is a repository where the public certificates of servers that are trusted within the application are stored. These certificates are never used to decrypt data and thus have no need for a private key. These certificates can be the public portion of the server certificate from an external server, or a client X.509 certificate.

Import an External Server Certificate

1. On the start page, choose System under Setup in the main menu. 
2. Under Server, click System Settings.
3. Click Digital Certificate Management.
4. Select the User Trust Store tab for non-synced, user certificates.

5. Use the following table to enter information in the Import Digital Certificate fields:

   Field	Description
   Certificate Name	Enter a name for the external server certificate to be used in lists. Note: Do not use [System] in the name, as it is reserved by PowerSchool. If [System] is entered, the following message appears, "Certificate name cannot start with [System]".
   Certificate	Click Choose File and select a certificate. Note: If using Firefox or Internet Explorer, Click Browse and select a certificate.

6. Click Import. 

View an External Server Certificate

1. On the start page, choose System under Setup in the main menu. 
2. Under Server, click System Settings.
3. Click Digital Certificate Management. 
4. Do one of the following:
   
   • Select the User Trust Store tab for non-synced, user certificates.
   • Select the System Trust Store tab for synced, system certificates.

   The List of Certificates without Private Key section displays the following information:

   Field	Description
   [Status]	The status/validity of the certificate: Checkmark indicates the certificate is valid. Exclamation mark indicates the certificate will expire in next 30 days. Double exclamation mark indicates the certificate is invalid.
   Certificate Name	The name of the certificate.
   Actions	Actions that can be taken for the certificate.

5. Click View next to the name of certificate you want to view. 

Export an External Server Certificate

1. On the start page, choose System under Setup in the main menu. 
2. Under Server, click System Settings.
3. Click Digital Certificate Management. 
4. Do one of the following:
   • Select the User Trust Store tab for non-synced, user certificates.
   • Select the System Trust Store tab for synced, system certificates.
5. In the List of Certificates without Private Key section, click Export next to the name of the certificate you want to export. The certificate is then saved to your Downloads folder.

Delete an External Server Certificate

1. On the start page, choose System under Setup in the main menu. 
2. Under Server, click System Settings. 
3. Click Digital Certificate Management. 
4. Do one of the following:
   • Select the User Trust Store tab for non-synced, user certificates.
   • Select the System Trust Store tab for synced, system certificates.
5. In the List of Certificates without Private Key section, click Delete next to the name of the certificate you want to remove. 
6. Click Yes.