You can use Digital Certificate Manager (DCM) to manage public Internet certificates for
your applications to use for establishing secure communications sessions with Transport Layer
Security (TLS).
If you do not use DCM to operate your own local Certificate Authority (CA), you must first
create the appropriate certificate store for managing the public certificates that you use for TLS.
This is the *SYSTEM certificate store. When you create a certificate store, DCM takes you through
the process of creating the certificate request information that you must provide to the public CA
to obtain a certificate.
To use DCM to manage and use public Internet certificates so that your applications can establish
TLS communications sessions, follow these steps:
- Start DCM. Refer to Starting DCM.
- In the navigation frame of DCM, select Create New Certificate Store to
start the guided task and complete a series of forms. These forms guide you through the process of
creating a certificate store and a certificate that your applications can use for TLS
sessions.
Note: If you have questions about how to complete a specific form in this guided task, select the
question mark (?) at the top of the page to access the online help.
- Select *SYSTEM as the certificate
store to create and click Continue.
- Select Certificate Authority (CA) certificates from the
list that are to be populated into the certificate store and used
for authenticating Internet certificates, and click Continue.
- Select Yes to create a certificate
as part of creating the *SYSTEM certificate store and click Continue.
- Select VeriSign or other Internet Certificate
Authority (CA) as the signer of the new certificate, and
click Continue to display a form that allows
you to provide identifying information for the new certificate.
Note: If your system has an IBM® Cryptographic Coprocessor
installed and varied on, DCM allows you to select how to store the
private key for the certificate as the next task. If your system does
not have a coprocessor, DCM automatically places the private key in
the *SYSTEM certificate store. If you need help with selecting how
to store the private key, see the online help in DCM.
- Complete the form and click Continue to
display a confirmation page. This confirmation page displays the certificate
request data that you must provide to the public Certificate Authority
(CA) that will issue your certificate. The Certificate Signing Request
(CSR) data consists of the public key and other information that you
specified for the new certificate.
- Carefully copy and paste the CSR data into the certificate
application form, or into a separate file, that the public CA requires
for requesting a certificate. You must use all the CSR data, including
both the Begin and End New Certificate Request lines. When you exit this
page, the data is lost and you cannot recover it. Send the application
form or file to the CA that you have chosen to issue and sign your
certificate.
Note: You must wait for the CA to return the
signed, completed certificate before you can finish this procedure.
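Because the CSR data shown on the confirmation page cannot be recovered once you leave it, it is worth checking a pasted copy for completeness before submitting it to the CA. The following is an added example, not part of DCM or this page: it checks that the Begin and End lines are present and match, that the body is valid base64, and that the DER length declared inside the request matches the number of bytes actually present (a dropped middle line still decodes as base64, so only the length check catches it). The "NEW CERTIFICATE REQUEST" armor label is assumed from the page's wording; the plain "CERTIFICATE REQUEST" label is accepted as well, and the sample request body is a constructed, correctly framed stand-in rather than a real PKCS#10 request.

```python
import base64
import re

# Armor labels accepted: the "New Certificate Request" form the page describes
# (assumed label) and the plain PKCS#10 label most other tools emit.
_LABELS = ("NEW CERTIFICATE REQUEST", "CERTIFICATE REQUEST")
_BEGIN = re.compile(r"-----BEGIN (%s)-----" % "|".join(_LABELS))


def _der_length(buf, pos):
    """Decode the DER length field at buf[pos]; return (length, bytes_used)."""
    first = buf[pos]
    if first < 0x80:                      # short form: the byte is the length
        return first, 1
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or pos + 1 + n > len(buf):
        return None, 0
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), 1 + n


def check_csr_text(text):
    """Validate a pasted CSR blob. Returns (ok, detail)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        return False, "empty paste"
    m = _BEGIN.fullmatch(lines[0])
    if not m:
        return False, "Begin line missing or not the first line"
    label = m.group(1)
    if lines[-1] != "-----END %s-----" % label:
        return False, "End line missing or does not match the Begin line"
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except ValueError:                    # binascii.Error is a ValueError
        return False, "body is not valid base64 (truncated or altered)"
    if not der or der[0] != 0x30:         # a request is an outer SEQUENCE
        return False, "body is not a DER SEQUENCE"
    declared, used = _der_length(der, 1)
    if declared is None:
        return False, "malformed DER length"
    actual = len(der) - 1 - used
    if declared != actual:
        return False, "DER length mismatch: declares %d bytes, got %d" % (declared, actual)
    return True, label


def pem_wrap(der, label="NEW CERTIFICATE REQUEST"):
    """Armor DER bytes at 64 columns, as CSR output is normally displayed."""
    b64 = base64.b64encode(der).decode("ascii")
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN %s-----" % label] + body + ["-----END %s-----" % label])


# Constructed stand-in: an outer SEQUENCE (260 bytes) holding one 256-byte
# OCTET STRING. Correctly framed DER, but not a real certificate request.
SAMPLE_DER = b"\x30\x82\x01\x04" + b"\x04\x82\x01\x00" + bytes(range(256))
SAMPLE_CSR = pem_wrap(SAMPLE_DER)
```

Running `check_csr_text` on `SAMPLE_CSR` with its End line removed, or with one 64-column body line removed, returns a failure with the reason, while the intact copy returns the armor label.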
To use certificates with the HTTP Server for your system, you must create and configure your Web
server before using DCM to assign the signed, completed certificate to it. When you configure a
Web server to use TLS, an application ID is generated for the server. Make a note of this
application ID so that you can use DCM to specify which certificate this application must use for
TLS.
Do not end and restart the server until you use DCM to assign the signed,
completed certificate to the server. If you end and restart the *ADMIN
instance of the Web server before assigning a certificate to it, the
server will not start and you will not be able to use DCM to assign
a certificate to the server.
- After the public CA returns your signed certificate, start
DCM.
- In the navigation frame, click Select a Certificate
Store and select *SYSTEM as the
certificate store to open.
- When the Certificate Store and Password page displays,
provide the password that you specified for the certificate store
when you created it and click Continue.
- Wait for the navigation frame to refresh.
- If the root CA certificate that is associated with your
signed certificate is not in the certificate store, select Manage
Certificate Store and select Populate with
CA Certificates to add the root CA certificate that is
associated with the signed certificate.
- Select Manage Certificates to display
a list of tasks.
- From the task list, select Import certificate to begin the process of
importing the signed certificate into the *SYSTEM certificate store. After you finish importing the
certificate, you can specify the applications that must use it for TLS communications.
- In the navigation frame, select Manage Applications to
display a list of tasks.
- From the task list, select Update certificate assignment to display a
list of TLS-enabled applications for which you can assign a certificate.
- Select an application from the list and click Update
Certificate Assignment.
- Select the certificate that you imported and click Assign
New Certificate. DCM displays a message to confirm your
certificate selection for the application.
Note: Some TLS-enabled applications support client authentication based on certificates. If you want
an application with this support to more narrowly define the CA certificates that it trusts from the
list of enabled CA certificates in the *SYSTEM certificate store, you must
define a CA trust list for the application
and select CAs from the *SYSTEM store to trust. This trust list ensures that the application can
validate only those certificates from CAs that you specify as trusted. If a user or a client
application presents a certificate from a CA that is not specified as trusted in the CA trust list,
the application does not accept it as a basis for valid authentication. If a CA trust list is not
defined, all enabled CA certificates in the *SYSTEM certificate store are trusted.
When you finish the guided task, you have everything that you need to begin configuring your
applications to use TLS for secure communications. Before users can access these applications
through a TLS session, they must have a copy of the CA certificate for the CA that issued the
server certificate. If your certificate is from a well-known Internet CA, your users' client
software may already have a copy of the necessary CA certificate. If users need to obtain the CA
certificate, they must access the Web site for the CA and follow the directions the site
provides.