This option manages certificates with private keys. A list of
key labels is displayed. Pressing the ENTER key without making a
selection will display the next set of labels. Selecting one of the
label numbers will display this menu:
Figure 1. Key and Certificate Menu
Key and Certificate Menu
Label: Certificate_label_name
1 - Show certificate information
2 - Show key information
3 - Set key as default
4 - Set certificate trust status
5 - Copy certificate and key to another database/token
6 - Export certificate to a file
7 - Export certificate and key to a file
8 - Delete certificate and key
9 - Change label
10 - Create a signed certificate and key
11 - Create a certificate renewal request
0 - Exit program
Enter option number (press ENTER to return to previous menu):
===>
Figure 2. Key and Certificate Menu
Token Key and Certificate Menu
Label: Certificate_label_name
1 - Show certificate information
2 - Show key information
3 - Set key as default
4 - Set certificate trust status
5 - Copy certificate and key to another database/token
6 - Export certificate to a file
7 - Export certificate and key to a file
8 - Delete certificate and key
9 - Change label
10 - Create a signed certificate and key
11 - Create a certificate renewal request
0 - Exit program
Enter option number (press ENTER to return to previous menu):
===>
- Show certificate information
- This option displays information about the X.509 certificate associated
with the private key.
- Show key information
- This option displays information about the private key.
- Set key as default
- This option makes the current key the default key for the database.
- Set certificate trust status
- This option sets or resets the trusted status for the X.509 certificate.
A certificate cannot be used for authentication unless it is trusted.
Note: All z/OS® PKCS #11 token certificates
are automatically created with the status set to trusted. Changing
the trust status is not supported for z/OS PKCS #11 token certificates.
- Copy certificate and key to another database/token
- This option copies the certificate and key to another token or
a database. An error is returned if the certificate is already in
the token/database or if the label is not unique. A certificate and
key may only be copied into a FIPS mode database from another
FIPS mode database. A certificate and key may not be copied from a
non-FIPS mode database or a PKCS #11 token to a FIPS mode database.
- Export certificate to a file
- This option exports just the X.509 certificate to a file. The
supported export formats are ASN.1 Distinguished Encoding Rules (DER)
and PKCS #7 (Cryptographic Message Syntax).
- Export certificate and key to a file
- This option exports the X.509 certificate and its private key
to a file. The private key is encrypted when it is written to the
file. The password you select will be needed when you import the
file. The supported export formats for a key database file are PKCS
#12 Version 1 (obsoleted) and PKCS #12 Version 3. For z/OS PKCS #11 tokens and FIPS mode databases,
the export format supported is PKCS #12 Version 3. The strong encryption
option uses Triple DES to encrypt the private key while the export
encryption option uses 40-bit RC2. Strong encryption is the only
supported option when exporting from a FIPS database. The export
file will contain the requested certificate and its certification
chain.
- Delete certificate and key
- The certificate and its associated private key are deleted.
- Change label
- This option will change the label for the database record.
- Create a signed certificate and key
- This option will create a new certificate and associated public/private
key pair. The new certificate will be signed using the certificate
in the current record and then stored in either the key database file
or z/OS PKCS #11 token. DSS and DH key generation parameters must
be compatible with the requested key type and key size. Keys are in
the same domain if they have the same set of key generation
parameters. See FIPS 186-2: DIGITAL SIGNATURE
STANDARD (DSS) and RFC
2631: Diffie-Hellman Key Agreement Method for more
information about the key generation parameters. The subject name
and one or more subject alternate names can be specified for the new
certificate.
The subject name is always an X.500 directory name
while a subject alternate name can be an X.500 directory name, a domain
name, an email address, an IP address, or a uniform resource identifier.
An X.500 directory name consists of common name, organization, and
country attributes with optional organizational unit, city/locality,
and state/province attributes. A domain name is one or more tokens
separated by periods. An email address consists of a user name and
a domain name separated by '@'. An IP address is an IPv4 address (nnn.nnn.nnn.nnn)
or an IPv6 address (nnnn:nnnn:nnnn:nnnn:nnnn:nnnn:nnnn:nnnn). A uniform
resource identifier consists of a scheme name, a domain name, and
a scheme-specific portion.
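The subject-name and subject-alternate-name forms described above, written out as a validator. This is an added example, not code from gskkyman or the z/OS documentation; it assumes a conventional token character set for domain labels, a `scheme://domain/...` shape for URIs, and accepts any IPv6 literal that Python's ipaddress module accepts (a superset of the nnnn:nnnn:... template shown).

```python
import re
from ipaddress import IPv4Address, IPv6Address, AddressValueError

# X.500 attributes the text allows: CN, O, C required; OU, L, ST optional.
REQUIRED_ATTRS = {"CN", "O", "C"}
ALLOWED_ATTRS = REQUIRED_ATTRS | {"OU", "L", "ST"}
DOMAIN_RE = re.compile(r"^[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*$")  # token charset assumed
URI_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://([^/?#]+)(?:[/?#].*)?$")


def check_directory_name(dn: str) -> str:
    """Validate 'CN=.., O=.., C=..' against the attribute rules above."""
    seen = set()
    for part in dn.split(","):
        key, sep, val = part.partition("=")
        key = key.strip().upper()
        if not sep or not val.strip():
            raise ValueError(f"malformed attribute {part.strip()!r}")
        if key not in ALLOWED_ATTRS:
            raise ValueError(f"attribute {key} is not allowed in a subject name")
        seen.add(key)
    missing = REQUIRED_ATTRS - seen
    if missing:
        raise ValueError(f"missing required attribute(s): {sorted(missing)}")
    return "directory"


def classify_san(value: str) -> str:
    """Return 'directory', 'email', 'uri', 'ipv4', 'ipv6' or 'domain'."""
    value = value.strip()
    m = URI_RE.match(value)  # URIs first: a query string may contain '=' or '@'
    if m:
        if not DOMAIN_RE.match(m.group(1)):
            raise ValueError(f"URI host is not a domain name: {value!r}")
        return "uri"
    if "=" in value:  # only directory names carry attribute=value pairs
        return check_directory_name(value)
    if "@" in value:  # user name '@' domain name
        user, _, domain = value.rpartition("@")
        if user and DOMAIN_RE.match(domain):
            return "email"
        raise ValueError(f"malformed email address: {value!r}")
    for cls, name in ((IPv4Address, "ipv4"), (IPv6Address, "ipv6")):
        try:  # IP literals before domains: "10.0.0.1" also matches DOMAIN_RE
            cls(value)
            return name
        except AddressValueError:
            pass
    if DOMAIN_RE.match(value):
        return "domain"
    raise ValueError(f"not a supported subject alternate name: {value!r}")
```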
The signature algorithm used when
signing the certificate is derived from the key algorithm of the signing
certificate and the following digest type:
- For RSA signatures, the digest type matches that used in the signature
algorithm of the signing certificate. If the digest type is not a
SHA-based digest, then SHA-1 is used.
- For DSA signatures using a 1024-bit DSA key, the digest type is
SHA-1. When using a 2048-bit DSA key, the user is offered a choice
of SHA-2 digest algorithms.
- For ECC signatures, the digest type is the suggested digest for
the key size of the ECC private key, as specified in Table 1.
Possible signature algorithms are:
- x509_alg_sha1WithRsaEncryption
- x509_alg_sha224WithRsaEncryption
- x509_alg_sha256WithRsaEncryption
- x509_alg_sha384WithRsaEncryption
- x509_alg_sha512WithRsaEncryption
- x509_alg_dsaWithSha1
- x509_alg_dsaWithSha224
- x509_alg_dsaWithSha256
- x509_alg_ecdsaWithSha256
- x509_alg_ecdsaWithSha384
- x509_alg_ecdsaWithSha512
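The digest-selection rules above, encoded as one function that maps the signing key's algorithm, key size and the signing certificate's own digest to one of the listed algorithm names. This is an added example, not gskkyman code; Table 1 is not reproduced on this page, so the ECC key-size-to-digest pairing is an assumption, and the returned warning string flags the two cases (non-SHA signer digest, 1024-bit DSA) where the result is a SHA-1 signature.

```python
# Algorithm names listed on the page as the possible outcomes.
RSA_ALGS = {"SHA-1": "x509_alg_sha1WithRsaEncryption",
            "SHA-224": "x509_alg_sha224WithRsaEncryption",
            "SHA-256": "x509_alg_sha256WithRsaEncryption",
            "SHA-384": "x509_alg_sha384WithRsaEncryption",
            "SHA-512": "x509_alg_sha512WithRsaEncryption"}
DSA_ALGS = {"SHA-1": "x509_alg_dsaWithSha1",
            "SHA-224": "x509_alg_dsaWithSha224",
            "SHA-256": "x509_alg_dsaWithSha256"}
ECC_ALGS = {"SHA-256": "x509_alg_ecdsaWithSha256",
            "SHA-384": "x509_alg_ecdsaWithSha384",
            "SHA-512": "x509_alg_ecdsaWithSha512"}


def ecc_suggested_digest(key_bits: int) -> str:
    """Stand-in for the page's Table 1 (not reproduced here); assumes the
    usual pairing P-256/SHA-256, P-384/SHA-384, P-521/SHA-512."""
    if key_bits >= 512:
        return "SHA-512"
    if key_bits >= 384:
        return "SHA-384"
    return "SHA-256"


def select_signature_algorithm(key_type, key_bits, cert_digest=None, dsa_choice=None):
    """Return (algorithm, warning) for a new certificate signed by the key in
    the current record. cert_digest is the digest of the signing certificate's
    own signature (e.g. "SHA-256" or "MD5"); dsa_choice is the SHA-2 digest the
    user picks for a 2048-bit DSA key."""
    if key_type == "RSA":
        if cert_digest in RSA_ALGS:
            return RSA_ALGS[cert_digest], ""
        # Non-SHA digest on the signing certificate: the rule falls back to SHA-1,
        # which is worth flagging before issuing certificates with it.
        return RSA_ALGS["SHA-1"], f"signing cert digest {cert_digest!r} is not SHA-based; SHA-1 used"
    if key_type == "DSA":
        if key_bits == 1024:
            return DSA_ALGS["SHA-1"], "1024-bit DSA key: digest is fixed to SHA-1"
        if key_bits == 2048:
            if dsa_choice not in ("SHA-224", "SHA-256"):
                raise ValueError("2048-bit DSA: choose SHA-224 or SHA-256")
            return DSA_ALGS[dsa_choice], ""
        raise ValueError(f"unsupported DSA key size {key_bits}")
    if key_type == "ECC":
        return ECC_ALGS[ecc_suggested_digest(key_bits)], ""
    raise ValueError(f"unsupported signing key type {key_type!r}")
```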
- Create a certificate renewal request
- This option will create a certification request using the subject
name and public/private key pair from an existing certificate. The
certificate request will be exported to a file in Base64 format. This
file can then be sent to a certification authority for processing.
The certificate returned by the certification authority can then be
processed using option 5 (Receive requested certificate or a renewal
certificate) on the Key Management Menu or Token Management
Menu. The new certificate will replace the existing certificate.