To request a new certificate, first go to the PKI Services home page.
(See Figure 1.)
Perform the following steps to request a new certificate:

- Click the down arrow to the right of the field beside Request a new certificate using a model. This displays a list of certificate templates from which you can select.

  For SCEP preregistration: Do not follow these steps to request a SCEP (preregistration) certificate template. Instead, go to Steps for preregistering an SCEP client.

  The following list shows the certificate templates that PKI Services provides by default. This list might differ from the certificate templates your installation provides because your installation can customize the certificate templates and Web pages.
  - One-year SAF server certificate
  - One-year SAF browser certificate
  - One-year PKI SSL browser certificate (See Figure 1 to see a sample of this Web page.)
  - One-year PKI SSL S/MIME browser certificate
  - One-year PKI generated key certificate
  - Two-year PKI browser certificate for authenticating to z/OS
  - Two-year PKI Authenticode - code signing server certificate
  - Two-year PKI Windows logon certificate
  - Five-year PKI SSL server certificate
  - n-year PKI browser certificate for extensions demonstration
  - Five-year SCEP certificate - Preregistration
  - Five-year PKI IPSEC server (firewall) certificate
  - Five-year PKI intermediate CA server certificate

- Click one of the items in the list. The drop-down list then collapses so that only the certificate you selected appears in the field and is highlighted.

- Click Request certificate. A form where you fill in information is displayed.

  Note: You might need to click through some additional panels specific to your browser (for example, clicking Next on a Mozilla-based browser or answering Do you want to proceed? on Internet Explorer) before the certificate request form appears.

- Fill in the necessary information in the certificate request form. The form that appears depends on the certificate you are requesting and, in some instances, the fields that appear on the form depend on the browser you are using. Example: If you request a one-year SSL browser certificate, the form shown in Figure 1 appears.

  Figure 1. One-year SSL browser certificate request form

  Note: In the case of the one-year SSL browser certificate, fill in your common name. (See Table 1 for descriptions of fields.) If you are using a Mozilla-based browser, select a key size from a drop-down list. Alternatively, if you are using Internet Explorer, click the drop-down lists to select your cryptographic service provider and to specify whether to use strong private key protection.

- If you are requesting a server or device certificate, you need to supply a base64-encoded PKCS #10 certificate request. Use software specific to that server to generate the PKCS #10 request before going to the PKI Web site. Paste the request into the Web page as shown in Figure 2.

  For example, you could use the RACDCERT command to generate the PKCS #10 request. Assume that the server has the distinguished name OU=Inventory,O=XYZZY,C=US and a domain name xyzzy.com. This server runs on z/OS® with the user ID INVSERV. First, generate a self-signed certificate for the server and assign the label "Inventory Server" to the certificate. The certificate is associated with the user ID that is associated with the server (INVSERV).

      RACDCERT ID(INVSERV)
        GENCERT
        SUBJECTSDN(CN('xyzzy.com')
                   OU('Inventory')
                   O('XYZZY')
                   C('US'))
        WITHLABEL('Inventory Server')

  Next, generate a PKCS #10 base64-encoded certificate request based on the certificate you just created, and write the request to a data set.

      RACDCERT ID(INVSERV)
        GENREQ(LABEL('Inventory Server'))
        DSN('WAIC.INVSERV.GENREQ')

  Copy the PKCS #10 request from the data set WAIC.INVSERV.GENREQ and paste it into the field Base64 encoded PKCS#10 certificate request.

  Figure 2. Supplying the PKCS #10 certificate request for a server or device certificate

  For server certificates where a base64-encoded PKCS #10 certificate request is supplied, specify one or more of the fields related to the subject's distinguished name only if you wish to change the distinguished name supplied in the PKCS #10 certificate request. If you change one of these fields, the subject's distinguished name specified in the PKCS #10 certificate request is ignored and you must respecify the entire distinguished name (all fields). For a list of the fields related to the subject's distinguished name, see Table 1.

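Servers that do not run on z/OS usually produce the PKCS #10 request with OpenSSL rather than RACDCERT. The following added example (not IBM's code and not part of this page) builds a request for the same distinguished name used above and, before anything is pasted into the PKI Services form, verifies the request's self-signature and checks that its subject is the DN you expect. It assumes the openssl command-line tool is installed; the file names and the helper function names are arbitrary choices.

```shell
#!/bin/sh
# Added example: generate and sanity-check a PKCS #10 request with OpenSSL.
# Assumes the openssl CLI is available; file names are arbitrary.

# Generate a 2048-bit RSA key and a Base64 (PEM) PKCS #10 request for the DN
# CN=xyzzy.com, OU=Inventory, O=XYZZY, C=US. The private key stays on the
# server; only the request file is pasted into the PKI Services Web page.
make_pkcs10() {
    key="$1"; req="$2"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$key" -out "$req" \
        -subj "/C=US/O=XYZZY/OU=Inventory/CN=xyzzy.com" >/dev/null 2>&1
}

# Print the subject DN carried in a PKCS #10 request in RFC 2253 form,
# for example "CN=xyzzy.com,OU=Inventory,O=XYZZY,C=US".
pkcs10_subject() {
    openssl req -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//'
}

# Check the request before submitting it: the self-signature must verify
# (proof that the requester holds the private key) and the subject must be
# exactly the DN the server should be issued. A wrong DN here is worth
# catching now, because overriding any DN field on the form discards the
# whole DN from the request.
check_pkcs10() {
    req="$1"; expected="$2"
    openssl req -noout -verify -in "$req" 2>&1 | grep -q "verify OK" || return 1
    [ "$(pkcs10_subject "$req")" = "$expected" ]
}

# Usage: make_pkcs10 inv.key inv.csr \
#   && check_pkcs10 inv.csr "CN=xyzzy.com,OU=Inventory,O=XYZZY,C=US" \
#   && cat inv.csr   # the PEM text is what goes into the PKCS #10 field
```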
- Fill in the passphrase on the certificate request form (twice). This is a value known only to you. Pick a value that you can easily remember because you will be challenged to supply the same passphrase when you pick up your certificate. Do not use a sensitive value such as your ATM PIN or login password.

- Fill in any optional information as desired. When you are satisfied with the information you have entered, click Submit certificate request. If the request is successful, the results depend on the type of certificate you requested.
  - For all certificate types except one-year PKI generated key certificates, you see a page like the one shown in Figure 3, which tells you your transaction ID.

    Figure 3. Successful request displays transaction ID

    - Make a note of the transaction ID. (You can copy and paste the transaction ID to a file so that you have it for future reference, or you can write it in the box below. The reason for keeping a record of the transaction ID is that, depending on how you go to the Web page to retrieve your certificate (see Figure 4), you might have to fill in the transaction ID on that Web page.)

      Transaction ID:

    - Click Continue. This displays the following Web page:

      Figure 4. Web page to retrieve your certificate

    - Bookmark this Web page.

      Note:
      - After you submit the request for a certificate, your PKI Services administrator might need to approve the request before you can pick up your certificate. The amount of time that this takes can vary from a few minutes to a few days, depending on your installation. You bookmark this Web page so that you can return to it at a later time.
      - If your installation has enabled e-mail notification and you supplied a valid e-mail address when submitting your certificate request, then you will receive an e-mail message when your certificate is ready for pick-up or if PKI Services rejects your certificate request.
      - From this Web page, you can start the steps to retrieve your certificate (see Steps for retrieving a certificate from a bookmarked Web page) or you can return to the PKI Services home page (by clicking Home).
  - For a one-year PKI generated key certificate, you see a page like the one shown in Figure 5.

    Figure 5. Successful request for a one-year PKI generated key certificate

    Unlike other types of certificates, this page does not show you the transaction ID for your certificate. Instead, PKI Services sends an e-mail to the address you specified in the request. The e-mail contains a link to the certificate.