Assigning a user certificate
You can assign a user certificate that you own to your IBM® i user profile or other user identity. The certificate may be from a private local CA on another system or from a well-known Internet CA. Before you can assign a certificate to a user identity, the issuing CA must be trusted by the server, and the certificate must not already be associated with a user profile or other user identity on the system.
Some users may have certificates from an outside Certificate Authority (CA) or a local CA on a different iSeries system that you, as an administrator, want them to make available to Digital Certificate Manager (DCM). This allows you and the user to use DCM to manage these certificates, which are most often used for client authentication. The Assign a user certificate task provides a mechanism for allowing a user to create a DCM assignment for a certificate obtained from an outside CA. How the task handles the certificate depends on whether an LDAP location is defined for DCM:
- Storing the certificate locally on the IBM i with the user's user profile. When an LDAP location is not defined for DCM, the Assign a user certificate task allows a user to assign an outside certificate to an IBM i user profile. Assigning the certificate to a user profile ensures that the certificate can be used with applications on the system that require certificates for client authentication.
- Storing the certificate in a Lightweight Directory Access Protocol (LDAP) location for use with Enterprise Identity Mapping (EIM). When there is a defined LDAP location and the IBM i model is configured to participate in EIM, then the Assign a user certificate task allows a user to store a copy of an outside certificate in the specified LDAP directory. DCM also creates a source association in EIM for the certificate. Storing the certificate in this manner allows an EIM administrator to recognize the certificate as a valid user identity that can participate in EIM.

  Note: Before a user can assign a certificate to a user identity in an EIM configuration, EIM must be configured appropriately for the user. This EIM configuration involves the creation of an EIM identifier for the user and the creation of a target association between that EIM identifier and the user profile. Otherwise, DCM cannot create a corresponding source association with the EIM identifier for the certificate.

To use the Assign a user certificate task, a user must meet the following requirements: