Creating and maintaining digital certificates
Digital certificates identify either end of an SSL connection and carry the information needed to establish trust between the two ends.
A digital certificate is a digitally signed data structure that binds a public key to the identity of the owner of the corresponding private key. Because the binding is signed by a certificate authority (CA) that the relying party trusts, the user of a public key can be confident about who holds the matching private key. If you intend to use SSL, you must always configure server authentication; client authentication is optional.
Server authentication tasks (mandatory for SSL)
- Create a self-signed CA certificate on your Server, or send a certificate request to an external CA and have them sign it.
- Generate a personal certificate on the Server and sign it with your CA certificate.
- Export the personal certificate to a file on your Server. The exported file contains only the certificate (the public key and its signature); the private key must never leave the Server.
- Transfer the file to your Client.
- Create a keystore/key ring on your Client and import the Server personal certificate from the file into it as a trusted certificate.
Client authentication tasks (optional for SSL)
- Create a self-signed CA certificate on your Client, or send a certificate request to an external CA and have them sign it.
- Generate a personal certificate on the Client and sign it with your CA certificate.
- Export the personal certificate to a file on your Client. As on the Server side, the file contains the certificate only, never the private key.
- Transfer the file to your Server.
- Import the Client personal certificate from the file into the Server's RACF key ring or keystore as a trusted certificate.
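The two task lists above, carried out end to end with the JDK keytool against keystores held as files (the zFS case in the tools list below). This is an added example, not code from the original page or from IBM; the host names, aliases, file names, validity periods and the store password are assumptions for illustration, and both "sides" share one working directory so the transfer step is a no-op. The script also runs the two checks a practitioner wants before shipping the exported file: that the peer's keystore holds exactly the certificate that was exported, and that the exported file carries no private key.

```shell
#!/bin/sh
# Added example (not from the original page): server- and client-authentication
# tasks done with keytool. Names, passwords and paths below are assumptions.
set -e

WORK="${WORK:-$(mktemp -d)}"          # where keystores and exported files go
STOREPASS="${STOREPASS:-changeit}"    # assumed for the demo; use a real password in production
KSOPTS="-storetype JKS -storepass $STOREPASS"   # unquoted on use: no spaces in the values

# 1. Self-signed CA certificate for one side (Server or Client). The CA key lives
#    in its own keystore and is used only to sign certificate requests.
gen_ca() {   # gen_ca SIDE
  keytool -genkeypair -alias "$1ca" -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -dname "CN=$1 CA, O=Example, C=US" -validity 3650 \
    -ext bc=ca:true -ext ku=keyCertSign,cRLSign \
    -keystore "$WORK/$1-ca.jks" $KSOPTS -keypass "$STOREPASS"
}

# 2. Personal certificate for that side, signed by its CA: generate the key pair,
#    create a request, sign it with the CA key, then import the CA cert and the reply.
gen_personal() {   # gen_personal SIDE SUBJECT_CN
  ks="$WORK/$1.jks"
  keytool -genkeypair -alias "$1" -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -dname "CN=$2, O=Example, C=US" -validity 825 -keystore "$ks" $KSOPTS -keypass "$STOREPASS"
  keytool -certreq -alias "$1" -file "$WORK/$1.csr" -keystore "$ks" $KSOPTS
  keytool -gencert -alias "$1ca" -infile "$WORK/$1.csr" -outfile "$WORK/$1-signed.cer" -rfc \
    -validity 825 -sigalg SHA256withRSA \
    -ext ku=digitalSignature,keyEncipherment -ext eku=serverAuth,clientAuth \
    -keystore "$WORK/$1-ca.jks" $KSOPTS
  keytool -exportcert -alias "$1ca" -file "$WORK/$1-ca.cer" -rfc -keystore "$WORK/$1-ca.jks" $KSOPTS
  # The CA certificate must be in the keystore so keytool can validate the reply's chain.
  keytool -importcert -alias "$1ca" -file "$WORK/$1-ca.cer" -noprompt -keystore "$ks" $KSOPTS
  keytool -importcert -alias "$1" -file "$WORK/$1-signed.cer" -noprompt -keystore "$ks" $KSOPTS
}

# 3. Export the personal certificate for transfer. -exportcert writes the certificate
#    only; the private key stays in the keystore (verified by has_private_key below).
export_personal() {   # export_personal SIDE
  keytool -exportcert -alias "$1" -file "$WORK/$1-export.cer" -rfc -keystore "$WORK/$1.jks" $KSOPTS
}

# 4/5. "Transfer" (both sides share $WORK here) and import the peer's certificate as a
#      trusted entry. keytool creates the keystore if it does not exist yet.
trust_peer() {   # trust_peer SIDE PEER
  keytool -importcert -alias "$2-trust" -file "$WORK/$2-export.cer" -noprompt \
    -keystore "$WORK/$1.jks" $KSOPTS
}

# Checks: does SIDE's keystore hold exactly the certificate PEER exported, and is the
# file being transferred free of private key material?
pem_of_file() { sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$1"; }
pem_of_entry() {   # pem_of_entry KEYSTORE ALIAS
  keytool -list -rfc -alias "$2" -keystore "$1" $KSOPTS 2>/dev/null |
    sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p'
}
peer_trusted() {   # peer_trusted SIDE PEER -> prints yes or no
  entry="$(pem_of_entry "$WORK/$1.jks" "$2-trust")"
  if [ -n "$entry" ] && [ "$entry" = "$(pem_of_file "$WORK/$2-export.cer")" ]; then
    echo yes
  else
    echo no
  fi
}
has_private_key() { if grep -q 'PRIVATE KEY' "$1"; then echo yes; else echo no; fi; }

run_demo() {
  # Server authentication tasks (mandatory)
  gen_ca Server; gen_personal Server server.example.com; export_personal Server
  trust_peer Client Server
  # Client authentication tasks (optional)
  gen_ca Client; gen_personal Client client.example.com; export_personal Client
  trust_peer Server Client
}

# Run the whole flow when executed directly; skipped if no JDK keytool is on PATH.
if command -v keytool >/dev/null 2>&1; then
  run_demo
  echo "Client trusts Server certificate: $(peer_trusted Client Server)"
  echo "Server trusts Client certificate: $(peer_trusted Server Client)"
  echo "Exported Server file contains a private key: $(has_private_key "$WORK/Server-export.cer")"
fi
```

On z/OS the same commands run under the USS shell; substitute hwkeytool where the keys are to be generated and kept in hardware. The `-ext bc=ca:true` on the CA and the `ku`/`eku` extensions on the personal certificates are what a peer's TLS implementation checks when it validates the chain, so omit them only if the page's procedure is used with a CA that sets them itself.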
Tools for working with digital certificates
Use these tools to work with digital certificates in different scenarios:
- Use keytool for software cryptography when the keystore is a file in zFS
- Use hwkeytool for hardware cryptography when the keystore is a file in zFS and the keys are held in hardware
- You can also use RACF (the RACDCERT command) to create and maintain certificates and RACF key rings