Managing the certificate assignment for an application

You must use Digital Certificate Manager (DCM) to assign a certificate to an application before the application can perform a secure function, such as establishing a Transport Layer Security (TLS) session or signing an object.

To assign a certificate to an application, or to change the certificate assignment for an application, follow these steps:

  1. Start DCM. Refer to Starting DCM.
  2. Click Select a Certificate Store and select the appropriate certificate store. (This is either the *SYSTEM certificate store or the *OBJECTSIGNING certificate store depending on the type of application to which you are assigning a certificate.)
    Note: If you have questions about how to complete a specific form in this guided task, select the question mark (?) at the top of the page to access the online help.
  3. When the Certificate Store and Password page displays, provide the password that you specified for the certificate store when you created it and click Continue.
  4. In the navigation frame, select Manage Applications to display a list of tasks.
  5. If you are in the *SYSTEM certificate store, select the type of application to manage. (Select either Server or Client application, as appropriate.)
  6. From the task list, select Update certificate assignment to display a list of applications for which you can assign a certificate.
  7. Select an application from the list and click Update Certificate Assignment to display a list of certificates that you can assign to the application.
  8. Select one to four certificates from the list and then click Update Certificate Assignment. DCM displays a message to confirm your certificate selection for the application. In an *OBJECTSIGNING certificate store, you can assign only one certificate.
    Note: If you are assigning a certificate to a TLS-enabled application that supports the use of certificates for client authentication, you can define a CA trust list for the application. This ensures that the application can validate only those certificates from CAs that you specify as trusted. If a user or a client application presents a certificate from a CA that is not specified as trusted in the CA trust list, the application will not accept it as a basis for valid authentication.

When you change or remove a certificate for an application, the application may or may not be able to recognize the change if it is running at the time you change the certificate assignment. For example, IBM® i Access for Windows servers automatically apply any certificate changes that you make. However, you may need to stop and start Telnet servers, the IBM HTTP Server for i, or other applications before these applications can apply your certificate changes.
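
One way to check whether a running TLS server has picked up a new certificate assignment, as an added example that is not IBM code or part of DCM: compare the SHA-256 fingerprint of the certificate the server presents with the fingerprints of the newly assigned and previously assigned certificates. The function names, the status strings, and the sample byte strings are assumptions made for this example, and it assumes a single certificate is assigned to the application.

```python
import hashlib
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def normalize(fp: str) -> str:
    """Accept 'AB:CD:...' or 'abcd...' forms of a fingerprint."""
    return fp.replace(":", "").replace(" ", "").lower()


def fetch_served_cert(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Return the leaf certificate a TLS server presents, as DER bytes.

    Chain validation is off only so that an expired or privately issued
    certificate can still be read; no application data is sent.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def assignment_status(served_der: bytes, new_fp: str, old_fp: str = "") -> str:
    """Classify what the running application is serving."""
    served = fingerprint(served_der)
    if served == normalize(new_fp):
        return "applied"
    if old_fp and served == normalize(old_fp):
        return "restart-needed"
    return "unexpected"


# Constructed stand-ins for DER certificates, so the demo runs offline.
OLD_CERT = b"constructed-old-certificate"
NEW_CERT = b"constructed-new-certificate"

if __name__ == "__main__":
    new_fp, old_fp = fingerprint(NEW_CERT), fingerprint(OLD_CERT)
    # Live use: served = fetch_served_cert("<host>", <port>)
    for served in (NEW_CERT, OLD_CERT, b"constructed-other"):
        print(assignment_status(served, new_fp, old_fp))
```

A result of "restart-needed" means the server is still presenting the previously assigned certificate; "unexpected" means it matches neither fingerprint and the assignment should be reviewed in DCM.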