Scenario: To request for a third-party certificate

IBM® Security Guardium® Key Lifecycle Manager can generate a certificate request in PKCS #10 format that you can send to a certificate authority. Use the returned CA certificate to protect data on an encryption-enabled device, or for TLS communication.

  1. Before you begin, determine whether the usage of the certificate is for TLS authentication, or for secure communication with 3592 tape drives or DS8000® Turbo drives.
  2. For each of the certificates that you anticipate in your next business cycle, create a certificate request.

    The generated certificate request files reside in the SKLM_INSTALL_HOME directory. For example, a generated certificate request might be a file such as SKLM_INSTALL_HOME\080419154137–sslcert001.csr.

    The certificate request file is an encoded, base64 format, which is not readable with an editor.

    The certificate request file contains the base64 format information, including:
    • The version number.
    • The subject name, which is the X.500 name of the requestor. For example, an X.500 name contains values for a common name (cn), organization, and other values that identify the subject.
    • The public key data and the algorithm unique identifier. You can use the algorithm, such as RSA or ECDSA.
    • A generated signature for the data that is signed by the private key of the user.

    The keystore database contains the private key that was used to generate the signature for the certificate request.

    Additionally, information related to the certificate request is stored in the database. The information includes the X.500 subject name, the start, expiration, and retirement date, and other values for other attributes that are normally specified for a certificate, including a pending state for the certificate request. The values are updated when the returned certificate is imported.

  3. Protect certificate requests until the certificate returns. It is important to run a backup task for the keystore database after you create and send a certificate request, just as when you change actual keys or certificates in a keystore database.
  4. After you ensure that a backup file is in place, manually send a certificate request to your selected certificate authority, by using the secure communication process that your site or the certificate authority requires for email or HTTPS transmission.
  5. Import a returned certificate that matches an earlier certificate request.

    Upon receipt of a valid request, the certificate authority returns a DER, base64, or PEM encoded certificate to you. The certificate contains the public key that was provided in the certificate request, and a signature from the certificate authority, which specify that the public key is valid, and that your enterprise is the authentic owner. The certificate subject name is the X.500 subject name that you provided in the certificate request.

  6. Again back up the keystore database, which contains the new certificate.