Certificates require key usage settings that define the type of security to implement at your site, including authentication, non-repudiation, data integrity, and data confidentiality, as described in Security Concepts. The security application that you use to create a digital certificate may use different terms for these concepts (for example, digital signature, key encipherment, data encipherment, and non-repudiation). Regardless of the terms, both self-signed certificates and certificate requests sent to a certificate authority must designate all of these key usage items so that Connect:Direct® Secure Plus can use the certificates to perform the intended security functions.
You can use the following methods to obtain an X.509 version 3 server certificate:
- Your registration authority can contract with a formal certificate authority (CA) to obtain a server certificate. After you obtain the server certificate, import it into the IBM System SSL toolkit key database or key ring.
- Your registration authority can create a self-signed certificate (with its private and public key pair) using one of the system security applications described in Terminology and Security Applications for SSL and TLS Certificates.
- Using one of the system security applications described in Terminology and Security Applications for SSL and TLS Certificates, your registration authority can generate a certificate signing request (CSR) for submission to a third-party certificate authority to obtain a CA-signed public key. Forward the CSR to the certificate authority to be signed. When you receive the signed certificate, import it into the IBM System SSL key database or key ring. Refer to the IBM documentation IBM Cryptographic Services System Secure Sockets Layer Programming Guide and Reference for details.
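Whichever method you use, the resulting certificate must carry the four key usage bits named above. The following added example (not IBM's code; the sample bytes are constructed) decodes the DER-encoded KeyUsage extension value of an X.509 certificate and reports which of the required usages are missing, so you can check a self-signed certificate or a CA-signed certificate before importing it.

```python
# Added example (not IBM's code): decode an X.509 KeyUsage extension value
# (a DER BIT STRING, RFC 5280 section 4.2.1.3) and check that the four usages
# the page names are all asserted. Standard library only; samples are constructed.

KEY_USAGE_BITS = [
    "digitalSignature",  # bit 0
    "nonRepudiation",    # bit 1 (RFC 5280 also calls this contentCommitment)
    "keyEncipherment",   # bit 2
    "dataEncipherment",  # bit 3
    "keyAgreement",      # bit 4
    "keyCertSign",       # bit 5
    "cRLSign",           # bit 6
    "encipherOnly",      # bit 7
    "decipherOnly",      # bit 8
]

# Usages both a self-signed certificate and a CSR must designate for Secure Plus.
REQUIRED_USAGES = {"digitalSignature", "nonRepudiation",
                   "keyEncipherment", "dataEncipherment"}


def decode_key_usage(der: bytes) -> set:
    """Return the usage names asserted in a DER KeyUsage BIT STRING.

    Layout: tag 0x03, short-form length, unused-bit count, then the bits,
    with bit 0 in the most significant bit of the first content byte.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("bad or long-form BIT STRING length")
    unused, payload = der[2], der[3:]
    if unused > 7 or (unused and not payload):
        raise ValueError("bad unused-bit count")
    usable_bits = len(payload) * 8 - unused
    usages = set()
    for i in range(min(usable_bits, len(KEY_USAGE_BITS))):
        byte, offset = divmod(i, 8)
        if payload[byte] & (0x80 >> offset):
            usages.add(KEY_USAGE_BITS[i])
    return usages


def missing_required_usages(der: bytes) -> set:
    """Required usages that a certificate's KeyUsage does not assert."""
    return REQUIRED_USAGES - decode_key_usage(der)


# Constructed samples: 0xF0 with 4 unused bits sets bits 0-3 (complete);
# 0xE0 with 5 unused bits sets bits 0-2 only (dataEncipherment missing).
COMPLETE_KU = bytes.fromhex("030204F0")
INCOMPLETE_KU = bytes.fromhex("030205E0")
```

For a real certificate, the input is the BIT STRING inside the keyUsage extension's OCTET STRING value, which `openssl asn1parse` can display; a non-empty result from `missing_required_usages` means the certificate should not be imported for Secure Plus use.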