Creating the server truststore

If you want to use certificate authentication, you must create the server truststore so that the server trusts the client certificates. You do not need to create the server truststore for any other authentication method. The server truststore of trusted Certificate Authority (CA) certificates is a single file in the /etc/security/mfa/certificates directory that contains the client PIV/CAC card issuing certificate chain in Privacy Enhanced Mail (PEM) format.

About this task

The client certificate issuing chain, including any intermediate certificates and the root CA, must be in PEM format.

Note: The procedure to obtain the certificate chain of the PIV/CAC card varies by the vendor and application.

To create the truststore, complete the following steps:

Procedure

  1. If the certificates are not already in the PEM format, convert them. For example, if the certificates are currently in the Distinguished Encoding Rules (DER) format, you can use the openssl x509 command to convert them. The following example converts one intermediate certificate and the root CA certificate.
    openssl x509 -in inter_key.cer -inform der -outform pem -out inter_key.pem
    openssl x509 -in ca_key.cer -inform der -outform pem -out ca_key.pem
  2. Concatenate the certificate .pem files into a single file.
    cat inter_key.pem > client.pem
    cat ca_key.pem >> client.pem
  3. Use the secure copy (scp) command to copy the resulting file to the /etc/security/mfa/certificates directory on the IBM® MFA server system.
  4. Specify the location of the file in the Trust Store Path field of the IBM MFA server configuration, as described in Configuring server options.
  5. Optionally, edit the server configuration input file you created in Completing the server setup to include the server truststore.
    # initial trace level for MFA server
    INITIAL TRACE LEVEL=0
    
    # location of the P12 identity certificate for the server
    P12 LOCATION=/etc/security/mfa/certificates/secsrv.p12
    
    # PKCS11 token used while encrypting P12 password
    PKCS11 TOKEN NAME=azf
    
    # directory or PEM file containing CAs that will be trusted by the server
    # (the truststore created in step 2)
    CAS LOCATION=/etc/security/mfa/certificates/client.pem
    
    # port to use for server authentication
    SERVER AUTH PORT=6793
    
    # port to use for mutual authentication
    MUTUAL AUTH PORT=6794
    
    # port to use for ZVM Host communications
    ZVM PORT=6787
    
    where:
    • <CAS LOCATION> is the truststore (client.pem in the example) you created in step 2.
  6. After you set the Trust Store Path field of the IBM MFA server configuration, you need to stop and restart the IBM MFA daemon. However, you will probably find it more convenient to first configure the certificate authentication method as described in Configuring PIV/CAC or X.509 Certificate authentication and then restart the IBM MFA server.
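Steps 1 and 2 above, together with the check a practitioner would run before copying the file to the server, as an added shell helper that is not part of the IBM MFA documentation. It assumes openssl is installed on the workstation where the chain is prepared, reuses the file names from the procedure (inter_key.cer, ca_key.cer, client.pem), and the function names build_truststore, count_certs, verify_truststore and verify_client_cert are this example's own:

```shell
#!/bin/sh
# Added helper (not from the IBM MFA documentation): builds the server truststore
# from the PIV/CAC issuing chain and sanity-checks it before it is copied to
# /etc/security/mfa/certificates. Assumes openssl is on the PATH; the file names
# are the ones used in the procedure above.

# is_pem FILE: succeeds if FILE is already a PEM certificate, fails if it is DER.
is_pem() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null
}

# build_truststore OUT CERT...: steps 1 and 2 in one pass. DER files are converted
# with the same openssl x509 command as in step 1; PEM files are appended as-is.
# Give the certificates in chain order: intermediates first, root CA last.
build_truststore() {
    out="$1"; shift
    : > "$out"
    for cert in "$@"; do
        if is_pem "$cert"; then
            cat "$cert" >> "$out" || return 1
        else
            openssl x509 -in "$cert" -inform der -outform pem >> "$out" || return 1
        fi
    done
}

# count_certs FILE: number of certificate blocks in a PEM bundle.
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# verify_truststore BUNDLE: splits the bundle into single certificates and checks
# that each one chains to a self-signed root that is also in the bundle. This
# catches shipping the issuing CA without its root, which leaves the server
# unable to build a path for any client certificate. Returns 0 only if all pass.
verify_truststore() {
    bundle="$1"
    tmp=$(mktemp -d) || return 1
    awk -v dir="$tmp" \
        '/-----BEGIN CERTIFICATE-----/ { n++ } n > 0 { print > (dir "/cert" n ".pem") }' \
        "$bundle"
    status=0
    for part in "$tmp"/cert*.pem; do
        subject=$(openssl x509 -in "$part" -noout -subject 2>/dev/null)
        if openssl verify -CAfile "$bundle" "$part" >/dev/null 2>&1; then
            echo "ok:   $subject"
        else
            echo "FAIL: $subject does not chain to a root CA in $bundle"
            status=1
        fi
    done
    rm -rf "$tmp"
    return "$status"
}

# verify_client_cert BUNDLE CERT: the check the server has to make at logon,
# run locally against a certificate exported from a card. Succeeds only if CERT
# validates up to a root in BUNDLE.
verify_client_cert() {
    openssl verify -CAfile "$1" "$2"
}

# Example run with the file names from the procedure:
#   build_truststore client.pem inter_key.cer ca_key.cer && verify_truststore client.pem
```

verify_truststore runs openssl verify without -partial_chain, so a bundle that holds the issuing CA but not its root fails the check, which is a common way to end up with a truststore the server cannot use. It is a local sanity check only: the IBM MFA server's own path validation is what counts, so still test a card logon after you restart the daemon.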