Digital Certificate Management APIs
The digital certificate management APIs enable X.509 type certificates to be associated with a user profile. The APIs add, remove, list, and find certificates that are associated with user profiles.
This section also includes APIs for registering applications that use certificates. Applications that need to use certificates make themselves known by registering. As part of that registration, an application identifies an exit program that is to be called:
- whenever a certificate is assigned to the application or if the certificate assignment changes.
- whenever a Certificate Authority (CA) is added to or removed from the trust list for the application.
- whenever the information about the application is being changed.
- whenever the application is being deregistered.
The application is, therefore, not responsible for providing a user interface for certificate management. When the application starts, it can retrieve the name and location of the certificate assigned to the application and use it for initiating a Secure Sockets Layer (SSL) session or some other operation that requires a certificate.
The digital certificate management APIs are:
- Add CA Certificate Trust (QycdAddCACertTrust) allows you to add a trusted certificate authority (CA) certificate to the list of trusted CA certificates for an application.
- Add User Certificate (QSYADDUC, QsyAddUserCertificate) associates a certificate with an IBM i user profile.
- Add Validation List Certificate (QSYADDVC, QsyAddVldlCertificate) adds a certificate to a validation list.
- Check CA Certificate Trust (QycdCheckCACertTrust) verifies that the certificate authority (CA) certificates are trusted by the application.
- Check Validation List Certificate (QSYCHKVC, QsyCheckVldlCertificate) determines whether a certificate is in a validation list.
- Deregister Application for Certificate Use (QSYDRGAP, QsyDeregisterAppForCertUse) removes an application and all associated certificate information from the registration facility.
- Export Certificate Store (QYKMEXPK, QykmExportKeyStore) exports a certificate store to a PKCS 12 version 3 standard file.
- Find Certificate User (QSYFNDCU, QsyFindCertificateUser) finds the user that is associated with a certificate.
- Generate and Sign User Certificate Request (QYCUGSUC) generates a user certificate request and then signs the certificate request using the local Certificate Authority (CA).
- Get Default Key Item (QYKMGDKI, QykmGetDefaultKeyItem) allows a user to extract the label of the default certificate in a certificate store.
- Import Certificate Store (QYKMIMPK, QykmImportKeyStore) imports a certificate store from a PKCS 12 version 3 standard file.
- List User Certificates (QSYLSTUC, QsyListUserCertificates) lists the certificates in the user profile.
- List Validation List Certificates (QSYLSTVC, QsyListVldlCertificates) lists the certificates in the validation list.
- Open List of User Certificates (QSYOLUC) provides a list of user certificates associated with a user.
- Parse Certificate (QSYPARSC, QsyParseCertificate) parses a certificate and puts the results in the caller's storage.
- Register Application for Certificate Use (QSYRGAP, QsyRegisterAppForCertUse) registers an application with the registration facility.
- Remove CA Certificate Trust (QycdRemoveCACertTrust) allows you to remove a trusted certificate authority (CA) certificate from the list of trusted CA certificates for an application.
- Remove Certificate Usage (QycdRemoveCertUsage) allows you to remove usage of a certificate from a registered application.
- Remove User Certificate (QSYRMVUC, QsyRemoveUserCertificate) removes a certificate from an IBM i user profile.
- Remove Validation List Certificate (QSYRMVVC, QsyRemoveVldlCertificate) removes a certificate from a validation list.
- Renew a Digital Certificate (QycdRenewCertificate) allows you to request a new certificate signing request and import a signed certificate.
- Retrieve Certificate Information (QYCURTVCI, QycuRetrieveCertificateInfo) retrieves information from server or CA certificates.
- Retrieve Certificate Usage Information (QycdRetrieveCertUsageInfo) retrieves information about one or more registered applications that use certificates and their associated certificate information.
- Retrieve Digital ID Configuration Information (QsyRetrieveDigitalIDConfig()) retrieves digital ID configuration information.
- Set Digital ID Configuration Information (QsySetDigitalIDConfig()) sets digital ID configuration information.
- Sign User Certificate Request (QYCUSUC) signs a user certificate request using the local Certificate Authority (CA).
- Update Certificate Usage (QycdUpdateCertUsage) allows you to update the certificate that is assigned to the registered application.
Note: All of these APIs, except Register and Deregister Application for Certificate Use, require that Digital Certificate Manager, option 34 of the IBM® i licensed program (5761-SS1), be installed.