Using a private certificate for signing objects on a target system

You manage the certificates that you use for signing objects from the *OBJECTSIGNING certificate store in Digital Certificate Manager (DCM). If you have never used DCM on the target system to manage object signing certificates, then this certificate store will not exist on the target system.

The tasks that you must perform to use the transferred certificate store files that you created on the local CA host system vary based on whether the *OBJECTSIGNING certificate store exists. If the *OBJECTSIGNING certificate store does not exist, you can use the transferred certificate files as a means of creating the *OBJECTSIGNING certificate store. If the *OBJECTSIGNING certificate store already exists on the target system, you must import the transferred certificates into it.

*OBJECTSIGNING certificate store does not exist

The tasks that you perform to use the certificate store files that you created on the local CA host system vary based on whether you have ever used DCM on the target system to manage object signing certificates.

If the *OBJECTSIGNING certificate store does not exist on the target system, follow these steps to create it from the transferred certificate store files:

  1. Make sure that the certificate store files (two files: one with a .KDB extension and one with a .RDB extension) that you created on the system that hosts the local CA are in the /QIBM/USERDATA/ICSS/CERT/SIGNING directory.
  2. Once the transferred certificate files are in the /QIBM/USERDATA/ICSS/CERT/SIGNING directory, rename the certificate files to SGNOBJ.KDB and SGNOBJ.RDB, if necessary.
    By renaming these files, you create the components that comprise the *OBJECTSIGNING certificate store for the target system. The certificate store files already contain copies of certificates for many public Internet CAs. DCM added these, as well as a copy of the local CA certificate, to the certificate store files when you created them.
    Attention: If your target system already has a SGNOBJ.KDB and a SGNOBJ.RDB file in the /QIBM/USERDATA/ICSS/CERT/SIGNING directory, the *OBJECTSIGNING certificate store currently exists on this target system. Consequently, you must not rename the transferred files as suggested. Overwriting the default object signing files will create problems for using DCM, the transferred certificate store, and its contents. When the *OBJECTSIGNING certificate store already exists, you must use a different process to get the certificates into the existing certificate store.
  3. Start DCM.
    You must now change the password for the *OBJECTSIGNING certificate store. Changing the password allows DCM to store the new password so that you can use all DCM certificate management functions on the certificate store.
  4. In the navigation frame, click Select a Certificate Store and select *OBJECTSIGNING as the certificate store to open.
  5. When the password page displays, provide the password that you specified for the certificate store when you created it on the host system and click Continue.
  6. In the navigation frame, select Manage Certificate Store and select Change password from the list of tasks.
    Complete the form to change the password for the certificate store. After you change the password, you must re-open the certificate store before you can work with the certificates in it. Next, you can create an application definition for using the certificate to sign objects.
  7. After you re-open the certificate store, select Manage Applications in the navigation frame to display a list of tasks.
  8. From the task list, select Add application to begin the process of creating an object signing application definition to use a certificate to sign objects.
  9. Complete the form to define your object signing application and click Add.
    This application definition does not describe an actual application, but rather describes the type of objects that you plan to sign with a specific certificate. Use the online help to determine how to complete the form.
  10. Click OK to acknowledge the application definition confirmation message and display the Manage Applications task list.
  11. From the task list, select Update certificate assignment to display a list of object signing application IDs for which you can assign a certificate.
  12. Select your application ID from the list and click Update Certificate Assignment.
  13. Select the certificate that the local CA on the host system created and click Assign New Certificate.
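The placement and renaming in steps 1 and 2, together with the Attention caveat, can be scripted so that an existing SGNOBJ.KDB/SGNOBJ.RDB pair is never overwritten. This is an added example for a POSIX shell (QShell or PASE on the target system), not part of the IBM documentation; the function name, the transferred file names, and the optional directory override used for testing are assumptions.

```shell
#!/bin/sh
# Added example: stage transferred certificate store files as the
# *OBJECTSIGNING store without clobbering an existing one.
# Usage: stage_objectsigning_store <transferred.KDB> <transferred.RDB> [dir]
# The directory defaults to the documented DCM location; the optional
# third argument exists only so the function can be exercised elsewhere.

stage_objectsigning_store() {
    kdb="$1"
    rdb="$2"
    dir="${3:-/QIBM/USERDATA/ICSS/CERT/SIGNING}"

    # A certificate store is a .KDB and .RDB pair; one without the other is unusable.
    if [ ! -f "$dir/$kdb" ] || [ ! -f "$dir/$rdb" ]; then
        echo "transferred store files $kdb/$rdb not found in $dir" >&2
        return 2
    fi

    # The documented caveat: if SGNOBJ.KDB or SGNOBJ.RDB is already present,
    # the *OBJECTSIGNING store exists and must be populated by opening the
    # transferred files as an Other System Certificate Store and exporting
    # the certificates, never by renaming over the existing files.
    if [ -e "$dir/SGNOBJ.KDB" ] || [ -e "$dir/SGNOBJ.RDB" ]; then
        echo "*OBJECTSIGNING store already exists in $dir; refusing to rename" >&2
        return 1
    fi

    # Rename both halves; stop at the first failure so the state is obvious.
    mv "$dir/$kdb" "$dir/SGNOBJ.KDB" || return 3
    mv "$dir/$rdb" "$dir/SGNOBJ.RDB" || return 3

    echo "created *OBJECTSIGNING store files in $dir; change its password in DCM next"
    return 0
}
```

After the rename, continue with step 3: the store's password must still be changed in DCM before its certificates can be managed.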

When you finish these tasks, you have everything that you need to begin signing objects to ensure their integrity.

When you distribute signed objects, those who receive the objects must use DCM to verify the signature on the objects to ensure that the data is unchanged and to verify the identity of the sender. To validate the signature, the receiver must have a copy of the signature verification certificate. You must provide a copy of this certificate as part of the package of signed objects.

The receiver also must have a copy of the CA certificate for the CA that issued the certificate that you used to sign the object. If you signed the objects with a certificate from a well-known Internet CA, the receiver's version of DCM will already have a copy of the necessary CA certificate. However, if the receiver does not already have it, you must provide a copy of the CA certificate, in a separate package, along with the signed objects. For example, you must provide a copy of the local CA certificate if you signed the objects with a certificate from a local CA. For security reasons, you must provide the CA certificate in a separate package or make the CA certificate publicly available at the request of those who need it.

*OBJECTSIGNING certificate store exists

You can use the certificates in the transferred certificate store files in an existing *OBJECTSIGNING certificate store on a system. To do so, you must import the certificates from the certificate store files into the existing *OBJECTSIGNING certificate store. However, you cannot import the certificates directly from the .KDB and .RDB files because they are not in a format that the DCM import function can recognize and use. You can add the certificates into the existing *OBJECTSIGNING certificate store by opening the transferred files as an Other System Certificate Store on the target system. You can then export the certificates directly into the *OBJECTSIGNING certificate store. You must export a copy of both the object signing certificate itself and the local CA certificate from the transferred files.

To export the certificates from the certificate store files directly into the *OBJECTSIGNING certificate store, complete these steps on the target system:

  1. Start DCM.
  2. In the navigation frame, click Select a Certificate Store and specify Other System Certificate Store as the certificate store to open.
  3. When the Certificate Store and Password page displays, provide the fully qualified path and file name for the certificate store files. Also provide the password that you used when you created them on the host system and click Continue.
  4. In the navigation frame, select Manage Certificate Store and select Change password from the list of tasks.
    Complete the form to change the password for the certificate store.
    Note: Be sure to select the Automatic login option when you change the password for the certificate store. Using this option ensures that DCM stores the new password so that you can use all DCM certificate management functions on the new store. If you do not change the password and select the Automatic login option, you may encounter errors when exporting the certificates from this store into the *OBJECTSIGNING certificate store.

    After you change the password, you must re-open the certificate store before you can work with the certificates in it.

  5. In the navigation frame, click Select a Certificate Store and select Other System Certificate Store as the certificate store to open.
  6. When the Certificate Store and Password page displays, provide the fully qualified path and file name of the certificate store file, provide the new password, and click Continue.
  7. After the navigation frame refreshes, select Manage Certificates in the navigation frame to display a list of tasks and select Export certificate.
  8. Select Certificate Authority (CA) as the type of certificate to export and click Continue.
    Note: The wording for this task assumes that when you work with an Other System Certificate Store, you are working with server or client certificates. This is because this type of certificate store is designed for use as a secondary certificate store to the *SYSTEM certificate store. However, using the export task in this certificate store is the easiest way to add the certificates from the transferred files into the existing *OBJECTSIGNING certificate store.
  9. Select the local CA certificate to export and click Export.
    Note: You must export the local CA certificate into the certificate store before you export the object signing certificate into the certificate store. If you export the object signing certificate first, you may encounter an error because the local CA certificate does not exist in the certificate store.
  10. Select Certificate store as the destination for the exported certificate and click Continue.
  11. Enter *OBJECTSIGNING as the target certificate store, enter the password for the *OBJECTSIGNING certificate store, and click Continue.
  12. Now you can export the object signing certificate into the *OBJECTSIGNING certificate store. Re-select the Export certificate task.
  13. Select Server or client as the type of certificate to export and click Continue.
  14. Select the appropriate certificate to export and click Export.
  15. Select Certificate store as the destination for the exported certificate and click Continue.
  16. Enter *OBJECTSIGNING as the target certificate store, enter the password for the *OBJECTSIGNING certificate store, and click Continue. A message displays to indicate that the certificate exported successfully or to provide error information if the export process failed.
    Note: To use this certificate to sign objects, you must now assign the certificate to an object signing application.