Using a private certificate for signing objects on a target system
You manage the certificates that you use for signing objects from the *OBJECTSIGNING certificate store in Digital Certificate Manager (DCM). If you have never used DCM on the target system to manage object signing certificates, then this certificate store will not exist on the target system.
The tasks that you must perform to use the transferred certificate store files that you created on the local CA host system vary based on whether the *OBJECTSIGNING certificate store exists. If the *OBJECTSIGNING certificate store does not exist, you can use the transferred certificate files to create it. If the *OBJECTSIGNING certificate store already exists on the target system, you must import the transferred certificates into it.
*OBJECTSIGNING certificate store does not exist
The tasks that you perform to use the certificate store files that you created on the local CA host system vary based on whether you have ever used DCM on the target system to manage object signing certificates.
If the *OBJECTSIGNING certificate store does not exist on the target system, follow these steps to create it from the transferred certificate store files:
When you finish these tasks, you have everything that you need to begin signing objects to ensure their integrity.
When you distribute signed objects, those who receive the objects must use DCM to verify the signature on the objects to ensure that the data is unchanged and to verify the identity of the sender. To validate the signature, the receiver must have a copy of the signature verification certificate. You must provide a copy of this certificate as part of the package of signed objects.
The receiver also must have a copy of the CA certificate for the CA that issued the certificate that you used to sign the object. If you signed the objects with a certificate from a well-known Internet CA, the receiver's version of DCM will already have a copy of the necessary CA certificate. Otherwise, you must provide a copy of the CA certificate in a separate package from the signed objects. For example, you must provide a copy of the local CA certificate if you signed the objects with a certificate from a local CA. For security reasons, you must provide the CA certificate in a separate package, or make the CA certificate publicly available on request to those who need it.
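The two checks a receiver performs, as an added example that is not part of the DCM documentation and not DCM's own code: a Go program using only the standard library that signs an object with a certificate issued by a constructed local CA, then verifies both the signature over the object and the chain from the signing certificate to the CA certificate. The CA name, signer name and object contents are constructed for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// SignedPackage is what is distributed: the object, its signature and the signature verification certificate (DER).
type SignedPackage struct{ Object, Signature, SignerCert []byte }
func template(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
}
// BuildPackage plays the signer: a constructed local CA issues the object-signing certificate, whose key
// signs the object. Returns the package and the CA certificate (DER), which is shipped separately.
func BuildPackage(object []byte) (SignedPackage, []byte) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca := template(1, "Local CA (constructed)")
	ca.IsCA, ca.BasicConstraintsValid, ca.KeyUsage = true, true, x509.KeyUsageCertSign
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	caCert, _ := x509.ParseCertificate(caDER)
	sKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	signer := template(2, "Object Signer (constructed)")
	signer.KeyUsage, signer.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	signerDER, _ := x509.CreateCertificate(rand.Reader, signer, caCert, &sKey.PublicKey, caKey)
	digest := sha256.Sum256(object)
	sig, _ := ecdsa.SignASN1(rand.Reader, sKey, digest[:])
	return SignedPackage{object, sig, signerDER}, caDER
}

// VerifyPackage plays the receiver: the signature proves the object is unchanged, and the chain to a
// CA the receiver trusts proves who signed it. Both must pass; without the CA certificate the chain fails.
func VerifyPackage(p SignedPackage, trustedCA []byte) error {
	signer, err := x509.ParseCertificate(p.SignerCert)
	if err != nil {
		return err
	}
	if err := signer.CheckSignature(x509.ECDSAWithSHA256, p.Object, p.Signature); err != nil {
		return err // object altered, or signed with a different key
	}
	roots := x509.NewCertPool() // stays empty when no CA certificate was supplied
	if ca, err := x509.ParseCertificate(trustedCA); err == nil {
		roots.AddCert(ca)
	}
	_, err = signer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err
}
```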
*OBJECTSIGNING certificate store exists
You can use the certificates in the transferred certificate store files in an existing *OBJECTSIGNING certificate store on a system. To do so, you must import the certificates from the certificate store files into the existing *OBJECTSIGNING certificate store. However, you cannot import the certificates directly from the .KDB and .RDB files because they are not in a format that the DCM import function can recognize and use. You can add the certificates into the existing *OBJECTSIGNING certificate store by opening the transferred files as an Other System Certificate Store on the target system. You can then export the certificates directly into the *OBJECTSIGNING certificate store. You must export a copy of both the object signing certificate itself and the local CA certificate from the transferred files.
To export the certificates from the certificate store files directly into the *OBJECTSIGNING certificate store, complete these steps on the target system: