Certificate Authority

A Certificate Authority (CA) is a trusted central administrative entity that can issue digital certificates to users and servers.

The trust in the CA is the foundation of trust in the certificate as a valid credential. A CA uses its private key to create a digital signature on the certificate that it issues to validate the certificate's origin. Others can use the CA certificate's public key to verify the authenticity of the certificates that the CA issues and signs.

A CA can be either a public commercial entity, such as VeriSign, or it can be a private entity that an organization operates for internal purposes. Several businesses provide commercial Certificate Authority services for Internet users. Digital Certificate Manager (DCM) allows you to manage certificates from both public CAs and private CAs.

Also, you can use DCM to operate your own private local CA to issue private certificates to systems and users. When the local CA issues a user certificate, DCM automatically associates the certificate with the user's IBM® i user profile or other user identity. Whether DCM associates the certificate with a user profile or with a different user identity for the user depends on whether you configure DCM to work with Enterprise Identity Mapping (EIM). This ensures that the access and authorization privileges for the certificate are the same as those for the owner's user profile.

Trusted root status

The term trusted root refers to a special designation that is given to a Certificate Authority certificate. This trusted root designation allows a browser or other application to authenticate and accept certificates that the Certificate Authority (CA) issues.

When you download a Certificate Authority's certificate into your browser, the browser allows you to designate it as a trusted root. Other applications that support using certificates must also be configured to trust a CA before the application can authenticate and trust certificates that a specific CA issues.

You can use DCM to enable or disable the trust status for a Certificate Authority (CA) certificate. When you enable a CA certificate, you can specify that applications can use it to authenticate and accept certificates that the CA issues. When you disable a CA certificate, you cannot specify that applications can use it to authenticate and accept certificates that the CA issues.

Certificate Authority policy data

When you create a local Certificate Authority (CA) with Digital Certificate Manager, you can specify the policy data for the local CA. The policy data for a local CA describes the signing privileges that it has. The policy data determines:
  • Whether the local CA can issue and sign user certificates.
  • How long certificates that the local CA issues are valid.