Application definitions

Digital Certificate Manager (DCM) allows you to manage application definitions that will work with TLS configurations and object signing.

There are two types of application definitions that you can manage in DCM:
  • Client or server application definitions that use Transport Layer Security (TLS) communication sessions.
  • Object signing application definitions that sign objects to ensure object integrity.

To use DCM to work with TLS application definitions and their certificates, the application must first be registered with DCM as an application definition so that it has a unique application ID. Application developers register TLS-enabled applications by using an API (QSYRGAP, QsyRegisterAppForCertUse) that creates the application ID in DCM automatically. Most IBM® i TLS-enabled applications are already registered with DCM, so you can use DCM to assign a certificate to them and they can then establish a TLS session. For applications that you write or purchase, you can define an application definition and create the application ID for it within DCM itself. You must be working in the *SYSTEM certificate store to create a TLS application definition for either a client application or a server application.

You can assign up to four certificates to a client or server application ID. If you assign more than one certificate, the system determines which certificate to use during TLS session establishment. The chosen certificate is based on protocol information that is negotiated with the peer. For more information on how the system processes more than one certificate that is assigned to an application, see Multiple Certificate Selection.

Applications have several settings that the system uses when a TLS session is established, such as protocols, cipher suite specification options, extended renegotiation critical mode, Server Name Indication (SNI), and signature algorithms. For more information on these settings, see DCM Application Definitions.

To use a certificate to sign objects, you first must define an application for the certificate to use. Unlike a TLS application definition, an object signing application does not describe an actual application. Instead, the application definition that you create might describe the type or group of objects that you intend to sign. You must be working in the *OBJECTSIGNING certificate store to create an object signing application definition.

Another application setting, "Define the CA trust list", can be used to determine whether the application refers to a list of trusted CAs, or if the application trusts all CAs with a status of enabled in the *SYSTEM certificate store.

If this setting is set to Yes, the application can more narrowly define which CA certificates it trusts, chosen from the list of enabled CA certificates in the *SYSTEM certificate store. Note that after you select this value, the application still trusts all enabled CA certificates until you actually define a CA trust list for it. In other words, an empty CA trust list behaves the same as selecting No for this setting.

If this setting is set to No, the application trusts all the enabled CA certificates for the *SYSTEM certificate store.
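The following Python model is an added example, not IBM code or anything DCM exposes; it encodes the trust decision described above (No: trust every enabled CA; Yes: trust only the listed CAs, but an empty list silently falls back to trusting every enabled CA) and includes a small audit helper that flags the risky "Yes with an empty list" state. Certificate labels, application IDs, and the data classes are constructed for illustration.

```python
"""Model of DCM's "Define the CA trust list" setting (added example, not IBM code).

The *SYSTEM store holds CA certificates that are either enabled or disabled.
An application definition either trusts all enabled CAs (setting = No) or
narrows trust to a list of labels (setting = Yes). Per the documented rule,
a Yes setting with an empty list behaves exactly like No.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, Iterable, List, Set


@dataclass(frozen=True)
class CACert:
    label: str      # certificate label as shown in the *SYSTEM store (constructed)
    enabled: bool   # CA status in DCM: only enabled CAs are ever trusted


@dataclass
class AppDefinition:
    app_id: str                       # application ID (constructed)
    define_ca_trust_list: bool        # the Yes/No "Define the CA trust list" setting
    ca_trust_list: FrozenSet[str] = field(default_factory=frozenset)  # CA labels


def trusted_cas(app: AppDefinition, system_store: Iterable[CACert]) -> Set[str]:
    """Return the labels of CAs this application trusts for TLS peers."""
    enabled = {c.label for c in system_store if c.enabled}
    # Setting = No, or Setting = Yes with an empty list: all enabled CAs are trusted.
    if not app.define_ca_trust_list or not app.ca_trust_list:
        return enabled
    # Setting = Yes with a populated list: only listed CAs that are also enabled.
    return enabled & app.ca_trust_list


def is_trusted(app: AppDefinition, system_store: Iterable[CACert], ca_label: str) -> bool:
    """True if a peer certificate chaining to ca_label would be accepted."""
    return ca_label in trusted_cas(app, system_store)


def audit_empty_trust_lists(apps: Iterable[AppDefinition]) -> List[str]:
    """Defender's check: apps set to Yes that never got a list, so they trust
    every enabled CA despite appearing to be restricted."""
    return [a.app_id for a in apps
            if a.define_ca_trust_list and not a.ca_trust_list]


# Constructed sample *SYSTEM store: two enabled CAs and one disabled CA.
SYSTEM_STORE = [
    CACert("CORP_ROOT_CA", enabled=True),
    CACert("PARTNER_CA", enabled=True),
    CACert("OLD_CA", enabled=False),
]

# Constructed sample application definitions covering the three cases.
APP_NO = AppDefinition("APP_NO", define_ca_trust_list=False)
APP_YES_EMPTY = AppDefinition("APP_YES_EMPTY", define_ca_trust_list=True)
APP_YES_LIST = AppDefinition("APP_YES_LIST", define_ca_trust_list=True,
                             ca_trust_list=frozenset({"CORP_ROOT_CA", "OLD_CA"}))
ALL_APPS = [APP_NO, APP_YES_EMPTY, APP_YES_LIST]


if __name__ == "__main__":
    for app in ALL_APPS:
        print(app.app_id, "trusts", sorted(trusted_cas(app, SYSTEM_STORE)))
    print("Yes-but-empty trust lists:", audit_empty_trust_lists(ALL_APPS))
```

Running the module shows that APP_YES_EMPTY trusts exactly the same CAs as APP_NO, and that APP_YES_LIST trusts only CORP_ROOT_CA because OLD_CA, although listed, is disabled in the store. The audit helper is the check worth running after creating an application definition with the setting at Yes: until a list is populated, the narrower trust has not taken effect.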