Certificate File Layout

The TLS security protocols use a secure server RSA X.509V3 certificate to authenticate your site to any client that accesses the server and to provide a way for the client to initiate a secure session. When you obtain a certificate from a certificate authority or create a self-signed certificate, it is stored in a key store.

When you obtain a key certificate from a certificate authority, you have to add it to a local key store file. To configure Connect:Direct® Secure Plus, you have to import a key certificate from the key store. Add the certificate label and common name to the node record using the Secure Plus Admin Tool.

Use the IBM Key Management tool to add or delete certificate information in the key store. In simple configurations, only one key store is used, but the key store can contain multiple key certificates. The key store might also contain multiple trusted root and intermediate certificates. Each certificate has a unique label that differentiates it from the others. In more sophisticated configurations, you can associate individual key certificate labels with one or more node records.

When you use a certificate signing request (CSR) tool, such as iKeyman, you do not need to change the contents of the key certificate. iKeyman creates it for you.

Certificate Format

A certificate is encoded as a general object with the identifier string CERTIFICATE or X.509 CERTIFICATE. The base64 data encodes a Basic Encoding Rules (BER)-encoded X.509 certificate. This is the same format used for PEM. Anyone who provides or understands PEM-format certificates can accommodate the certificate format. For example, VeriSign commonly fulfills certificate requests with certificates in this format, SSLeay supports them, and SSL servers understand them. Most browsers support this format for importing root CA certificates.
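
The following is an added example, not part of the product documentation or tooling: a Python check that pulls the CERTIFICATE and X.509 CERTIFICATE objects out of a certificate file before import, skips any other object type, and reports a SHA-256 fingerprint for each. It assumes the usual five-dash BEGIN/END encapsulation lines and definite-length (DER) encoding; the function names and the sample data are constructed for illustration.

```python
import base64
import hashlib
import re

# Identifier strings the page names for certificate objects.
CERT_LABELS = {"CERTIFICATE", "X.509 CERTIFICATE"}
BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9. ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def outer_sequence_ok(data: bytes) -> bool:
    """True if data is exactly one definite-length ASN.1 SEQUENCE."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short-form length
        header, length = 2, first
    else:                                 # long form: n length bytes follow
        n = first & 0x7F
        if n == 0 or len(data) < 2 + n:   # n == 0 is BER indefinite length
            return False
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return header + length == len(data)

def extract_certificates(text: str):
    """Return (label, sha256_hex, der) for each well-formed certificate object."""
    found = []
    for label, body in BLOCK.findall(text):
        if label not in CERT_LABELS:
            continue                      # private keys, CSRs, other objects
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:                # binascii.Error is a ValueError
            continue
        if outer_sequence_ok(der):
            found.append((label, hashlib.sha256(der).hexdigest(), der))
    return found

def pem_wrap(label: str, data: bytes) -> str:
    """Build an encapsulated object (used only for the constructed sample)."""
    b64 = base64.b64encode(data).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed sample: tiny ASN.1 SEQUENCEs stand in for real certificates.
SAMPLE = (pem_wrap("CERTIFICATE", bytes.fromhex("3003020101"))
          + pem_wrap("X.509 CERTIFICATE", bytes.fromhex("3003020102"))
          + pem_wrap("PRIVATE KEY", bytes.fromhex("3003020103"))
          + pem_wrap("CERTIFICATE", bytes.fromhex("3005020101")))  # bad length
```

Calling extract_certificates(SAMPLE) returns the first two objects only: the PRIVATE KEY object is skipped by label and the last object is dropped because its declared length does not match its data.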