Using the coprocessor master key to encrypt the certificate private key

For extra security to protect access to and use of a certificate's private key, you can use the master key of an IBM® Cryptographic Coprocessor to encrypt the private key and store the key in a special key file. You can select this key storage option as part of creating or renewing a certificate in Digital Certificate Manager (DCM).

Before you can use this option successfully, you must use the IBM Cryptographic Coprocessor configuration Web interface to create an appropriate keystore file. Also, you must use the coprocessor configuration Web interface to associate the keystore file with the coprocessor device description that you want to use. You can access the coprocessor configuration Web interface from the IBM Navigator for i Bookmarks tab.

If your system has more than one coprocessor device installed and varied on, you can choose to share the certificate's private key among multiple devices. In order for device descriptions to share the private key, all of the devices must have the same master key. The process for distributing the same master key to multiple devices is called cloning. Sharing the key among devices allows you to use Transport Layer Security (TLS) load balancing, which can improve performance for secure sessions.

Follow these steps to create a certificate with a private key that is encrypted by a hardware device and stored in a key store.

  1. Start DCM. Refer to Starting DCM.
  2. In the navigation frame, select Open Certificate Store and select *SYSTEM as the certificate store to open.
  3. Enter the password for the certificate store and click Open.
  4. From the Certificates pane, select Create to start the create certificate form.
  5. For the Key Storage Location attribute, select Encrypted by hardware, stored in software.
  6. For the Cryptographic Device attribute, select the appropriate cryptographic coprocessor.
  7. If you have multiple coprocessor devices available, select the name of one or more device descriptions with which you want to share the certificate's private key.
    Note: The device descriptions that you select must have the same master key as the device you selected on the previous page. To verify that the master key is the same on the devices, use the Master Key Verification task in the Cryptographic Coprocessor Configuration Web interface. You can access the coprocessor configuration Web interface from the IBM Navigator for i Bookmarks tab.
  8. Complete the create certificate form and click Create.