Types of digital certificates
When you use Digital Certificate Manager (DCM) to manage your certificates, DCM organizes and stores them and their associated private keys in a certificate store based on the type of certificate.
You can use DCM to manage the following types of certificates:
- Certificate Authority (CA) certificates
- A Certificate Authority certificate is a digital credential that validates the identity of the Certificate Authority (CA) that owns the certificate. The Certificate Authority's certificate contains identifying information about the Certificate Authority, as well as its public key. Others can use the CA certificate's public key to verify the authenticity of the certificates that the CA issues and signs. A Certificate Authority certificate can be signed by another CA, such as VeriSign, or can be self-signed if it is an independent entity. The local CA that you create and operate with Digital Certificate Manager is an independent entity. To use a certificate for TLS, signing objects, or verifying object signatures, you must also have a copy of the issuing CA's certificate.
- Server or client certificates
- A server or client certificate is a digital credential that identifies the server or client application that uses the certificate for secure communications. Server or client certificates contain identifying information about the organization that owns the application, such as the system's distinguished name. The certificate also contains the system's public key. A server must have a digital certificate to use Transport Layer Security (TLS) for secure communications. Applications that support digital certificates can examine a server's certificate to verify the identity of the server when the client accesses the server. The application can then use the authentication of the certificate as the basis for initiating a TLS-encrypted session between the client and the server. You can manage these types of certificates from the *SYSTEM certificate store only.
- Object signing certificates
- An object signing certificate is a certificate that you use to digitally "sign" an object. By signing the object, you provide a means by which you can verify both the object's integrity and the origination or ownership of the object. You can use the certificate to sign a variety of objects, including most objects in the Integrated File System and *CMD objects. You can find a complete list of signable objects in the Object signing and signature verification topic. When you use an object signing certificate's private key to sign an object, the receiver of the object must have access to a copy of the corresponding signature verification certificate in order to properly authenticate the object signature. You can manage these types of certificates from the *OBJECTSIGNING certificate store only.
- Signature verification certificates
- A signature verification certificate is a copy of an object signing certificate without that certificate's private key. You use the signature verification certificate's public key to authenticate the digital signature created with an object signing certificate. Verifying the signature allows you to determine the origin of the object and whether it has been altered since it was signed. You can manage these types of certificates from the *SIGNATUREVERIFICATION certificate store only.
- User certificates
- A user certificate is a digital credential that validates the identity of the client or user that owns the certificate. Many applications now provide support that allows you to use certificates to authenticate users to resources instead of user names and passwords. Digital Certificate Manager (DCM) automatically associates user certificates that your private CA issues with the user's IBM® i user profile. You can also use DCM to associate user certificates that other Certificate Authorities issue with the user's IBM i user profile.
Note: If you have an IBM Cryptographic Coprocessor installed on your system, you can choose other private key storage options for your certificates (with the exception of object signing certificates). You can elect to store the private key on the cryptographic coprocessor itself. Or, you can use the cryptographic coprocessor to encrypt the private key and store it in a special key file instead of in a certificate store. User certificates and their private keys, however, are stored on the user's system, either in browser software or in a file for use by other client software packages.
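The following is an added example, not code from DCM or from IBM i, that models the relationships described above: a self-signed local CA, a server certificate and an object signing certificate issued by that CA, verification of an issued certificate against the CA certificate's public key, and verification of an object signature with a signature verification certificate that is a copy of the signing certificate without its private key. It assumes the Python `cryptography` library; the common names and the sample object contents are constructed for illustration.

```python
"""Added example (not from the DCM documentation): the certificate roles
from the list above, modelled with the `cryptography` library."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _name(common_name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def _build_cert(subject, issuer, public_key, signing_key, is_ca):
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(signing_key, hashes.SHA256())


def create_local_ca(common_name="Example Local CA"):
    """Independent CA: its certificate is self-signed with its own key."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = _build_cert(_name(common_name), _name(common_name), key.public_key(), key, True)
    return key, cert


def issue_certificate(ca_key, ca_cert, common_name):
    """Server/client or object signing certificate: the CA signs the subject's public key."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = _build_cert(_name(common_name), ca_cert.subject, key.public_key(), ca_key, False)
    return key, cert


def issued_by(cert, ca_cert):
    """Check the CA's signature on cert using only the CA certificate's public key."""
    if cert.issuer != ca_cert.subject:
        return False
    try:
        ca_cert.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            padding.PKCS1v15(), cert.signature_hash_algorithm,
        )
        return True
    except InvalidSignature:
        return False


def sign_object(signing_key, data):
    """Object signing uses the signing certificate's private key."""
    return signing_key.sign(data, padding.PKCS1v15(), hashes.SHA256())


def verification_certificate(signing_cert):
    """A signature verification certificate is the signing certificate without its private key."""
    pem = signing_cert.public_bytes(serialization.Encoding.PEM)
    return x509.load_pem_x509_certificate(pem)


def verify_object(verification_cert, data, signature):
    """Signature verification uses only the public key in the verification certificate."""
    try:
        verification_cert.public_key().verify(signature, data, padding.PKCS1v15(), hashes.SHA256())
        return True
    except InvalidSignature:
        return False


def demo():
    ca_key, ca_cert = create_local_ca()
    _server_key, server_cert = issue_certificate(ca_key, ca_cert, "server.example.test")
    signing_key, signing_cert = issue_certificate(ca_key, ca_cert, "object-signer")
    _other_key, other_ca_cert = create_local_ca("Unrelated CA")  # a CA that did not issue anything here
    obj = b"constructed sample object contents"  # constructed stand-in for a signed object
    signature = sign_object(signing_key, obj)
    verify_cert = verification_certificate(signing_cert)
    return {
        "server_cert_chains_to_local_ca": issued_by(server_cert, ca_cert),
        "server_cert_rejected_by_other_ca": not issued_by(server_cert, other_ca_cert),
        "object_signature_verifies": verify_object(verify_cert, obj, signature),
        "tampered_object_rejected": not verify_object(verify_cert, obj + b"x", signature),
    }


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {passed}")
```

The verification side never touches a private key: `issued_by` and `verify_object` work from certificates alone, which is why a relying party needs a copy of the issuing CA's certificate (or of the signature verification certificate) but never the signer's private key.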