Managing user certificates

Users can use Digital Certificate Manager (DCM) to obtain certificates with TLS or to associate existing certificates with their IBM® i user profiles.

If users access your public or internal servers through a TLS connection, they must have a copy of the Certificate Authority (CA) certificate that issued the server's certificate. They must have the CA certificate so that their client software can validate the authenticity of the server certificate to establish the connection. If your server uses a certificate from a public CA, your users' software might already possess a copy of the CA certificate. Consequently, neither you as a DCM administrator, nor your users, need take any action before they can participate in a TLS session. However, if your server uses a certificate from a private local CA, your users must obtain a copy of the local CA certificate before they can establish a TLS session with the server.

Additionally, if the server application supports and requires client authentication through certificates, users must present an acceptable user certificate to access resources that the server provides. Depending on your security needs, users can present a certificate from a public Internet CA or one that they obtain from a local CA that you operate. If your server application provides access to resources for internal users who currently have IBM i user profiles, you can use DCM to add their certificates to their user profiles. This association ensures that when users present certificates, they have the same access to resources, and the same restrictions, that their user profiles grant or deny.
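The trust relationship described above, shown with the OpenSSL command line as an added example (not IBM's code and not a DCM procedure): a server or user certificate issued by a private local CA validates only for a party whose trust store holds that CA's certificate. All subject names and file names are constructed, and the `openssl` CLI is assumed to be installed.

```shell
#!/bin/sh
# Constructed demo: every subject name and file name here is made up.

# make_ca DIR NAME SUBJECT: create a self-signed CA certificate and key.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$3" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_cert DIR NAME SUBJECT: key and CSR for NAME, signed by DIR/local_ca.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -days 1 -CAcreateserial \
        -CA "$1/local_ca.pem" -CAkey "$1/local_ca.key" \
        -out "$1/$2.pem" 2>/dev/null
}

# make_demo_pki DIR: a private local CA, an unrelated CA standing in for a
# trust store that lacks the local CA, and a server and a user certificate
# issued by the local CA.
make_demo_pki() {
    make_ca "$1" local_ca "/CN=Example Local CA" &&
    make_ca "$1" other_ca "/CN=Unrelated CA" &&
    issue_cert "$1" server "/CN=server.example.test" &&
    issue_cert "$1" user "/CN=Example User"
}

# chains_to CA_FILE CERT: succeeds only if CERT validates against CA_FILE.
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Show the outcome for each trust store and certificate combination.
demo=$(mktemp -d)
make_demo_pki "$demo"
for ca in local_ca other_ca; do
    for cert in server user; do
        if chains_to "$demo/$ca.pem" "$demo/$cert.pem"; then r=accepted; else r=rejected; fi
        echo "trust store=$ca certificate=$cert -> $r"
    done
done
rm -rf "$demo"
```

The `server` rows correspond to a client validating the server during the TLS handshake, and the `user` rows to a server validating a user certificate during client authentication.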

Digital Certificate Manager (DCM) allows you to manage certificates that are assigned to an IBM i user profile. If you have a user profile with *SECADM and *ALLOBJ special authorities, you can manage user profile certificate assignments for yourself or for other users. When no certificate store is open, or when the local Certificate Authority (CA) certificate store is open, you can select Manage User Certificates in the navigation frame to access the appropriate tasks. If a different certificate store is open, user certificate tasks are integrated into the tasks under Manage Certificates.

Users without *SECADM and *ALLOBJ user profile special authorities can manage their own certificate assignments only. They can select Manage User Certificates to access tasks that allow them to view the certificates associated with their user profiles, remove a certificate from their user profiles, or assign a certificate from a different CA to their user profiles. Users, regardless of the special authorities for their user profiles, can obtain a user certificate from the local CA by selecting the Create Certificate task in the main navigation frame.

To learn more about how to use DCM to manage and create user certificates, review these topics: