Creating a certificate to be used with a fixed Diffie-Hellman key exchange
z/OS Cryptographic Services System SSL Programming SC14-7495-00
Create a server certificate to be used during an SSL handshake using a fixed Diffie-Hellman key exchange. Fixed Diffie-Hellman requires the certificates used by both sides of the exchange to be based on the same generation parameters. In order for each side to use the same generation parameters, a key parameter file must be created and used as input when the certificate is signed. To create a key parameter file, from the Database Menu, enter 6. You are asked to select the key type and key size. Only 1024-bit DSA keys, 2048-bit DSA keys, or 2048-bit fixed Diffie-Hellman keys are valid for use in a FIPS database. When the key type is determined, you are prompted to enter a key parameter file name. The file name is interpreted relative to the current directory when gskkyman is invoked. You may also specify a fully qualified file name.
Figure 1. Creating a key parameter file to be used with Diffie-Hellman
When the key parameter file is created, the next step is to create the signed certificate by using an existing certificate in the key database file or z/OS® PKCS #11 token to sign the server certificate. From the Key Management Menu or Token Management Menu, select 1 - Manage keys and certificates to display the Key and Certificate List. From the Key and Certificate List, select a CA certificate by entering the appropriate selection number, and then choose option 10 to create a signed certificate and key. This requires the displayed certificate to contain an RSA or a DSA key and have signing capability. Select "User or server certificate" by choosing option 2 in the Certificate Usage menu, followed by option 4 - Certificate with a Diffie-Hellman key in the Certificate Key Algorithm menu, and then select the Diffie-Hellman key size. The key size must match the key size of the key parameters created previously. When the certificate type is determined, you are prompted to enter:
Figure 2. Creating a certificate to be used with Diffie-Hellman
When the certificate is created, the next step is to determine if the certificate must be transferred to another database. If the certificate does not need to reside elsewhere, you must determine whether the certificate should be marked as the database's default certificate. Setting the certificate as the default certificate allows the certificate to be used by the SSL APIs without having to specify its label. For more information about setting the default certificate, see Marking a certificate (and private key) as the default certificate. If the certificate must be transferred, see Copying a certificate (and private key) to a different key database or z/OS PKCS #11 token for more information.
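The requirement stated above, that both sides of a fixed Diffie-Hellman exchange use certificates built from the same generation parameters, can be demonstrated outside gskkyman. The following POSIX shell script is an added example and is not part of this publication or of the gskkyman tool; it uses the OpenSSL command line to do what the key parameter file does here: generate a parameter file, build two key pairs from it, confirm that both sides derive the same shared secret, and then show that key pairs built from separately generated parameters do not agree (OpenSSL rejects the peer key or the secrets differ). The file names, function names and the use of -dsaparam (chosen only to keep parameter generation fast in a demonstration) are the example's own assumptions, and it creates no certificates or key database entries.

```shell
#!/bin/sh
# Added illustration (OpenSSL, not gskkyman): two fixed-DH key pairs agree on a
# shared secret only when both were generated from the same parameter file.
set -eu

WORK="$(mktemp -d)"            # scratch directory for keys and secrets
trap 'rm -rf "$WORK"' EXIT     # clean up when the script exits

# Generate a DH parameter file. This is the counterpart of gskkyman's
# Database Menu option 6. -dsaparam keeps generation fast for a demo; for
# production use safe primes (omit -dsaparam) or an approved named group.
make_params() {   # $1 = parameter file to write
    openssl dhparam -dsaparam -out "$1" 2048 2>/dev/null
}

# Generate a DH private key from a parameter file and export its public key.
make_keypair() {  # $1 = parameter file, $2 = private key out, $3 = public key out
    openssl genpkey -paramfile "$1" -out "$2" 2>/dev/null
    openssl pkey -in "$2" -pubout -out "$3" 2>/dev/null
}

# Print "agree" if both sides derive the same shared secret, otherwise
# "mismatch". Derivation fails outright when the peer's parameters differ,
# so a failed command is treated as a mismatch as well.
# $1 = side A private key, $2 = side B public key,
# $3 = side B private key, $4 = side A public key
agree() {
    if openssl pkeyutl -derive -inkey "$1" -peerkey "$2" -out "$WORK/s1.bin" 2>/dev/null \
       && openssl pkeyutl -derive -inkey "$3" -peerkey "$4" -out "$WORK/s2.bin" 2>/dev/null \
       && cmp -s "$WORK/s1.bin" "$WORK/s2.bin"; then
        echo agree
    else
        echo mismatch
    fi
}

# Case 1: both key pairs come from the same parameter file (the documented
# requirement for fixed Diffie-Hellman). Prints "agree".
same_params_case() {
    make_params "$WORK/dh.pem"
    make_keypair "$WORK/dh.pem" "$WORK/a.key" "$WORK/a.pub"
    make_keypair "$WORK/dh.pem" "$WORK/b.key" "$WORK/b.pub"
    agree "$WORK/a.key" "$WORK/b.pub" "$WORK/b.key" "$WORK/a.pub"
}

# Case 2: each side generates its own parameters, so the primes differ.
# Prints "mismatch".
different_params_case() {
    make_params "$WORK/dh1.pem"
    make_params "$WORK/dh2.pem"
    make_keypair "$WORK/dh1.pem" "$WORK/c.key" "$WORK/c.pub"
    make_keypair "$WORK/dh2.pem" "$WORK/d.key" "$WORK/d.pub"
    agree "$WORK/c.key" "$WORK/d.pub" "$WORK/d.key" "$WORK/c.pub"
}

# Show the leading lines (including the prime) of a parameter file so two
# files can be compared by eye before keys are generated from them.
show_params() {   # $1 = parameter file
    openssl dhparam -in "$1" -text -noout 2>/dev/null | head -n 4
}

# Run both cases when invoked as: sh dh_params_demo.sh demo
case "${1:-}" in
    demo) same_params_case; different_params_case ;;
esac
```

Run the script with the argument demo to see the two cases printed in order; show_params applied to the parameter file on each side gives the same check a practitioner would make before the handshake, namely that both sides carry the same prime.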
Copyright IBM Corporation 1990, 2014