You can use Digital Certificate Manager (DCM) to create and operate
your own local CA to issue private certificates for your applications.
DCM provides you with a guided task path that takes you through
the process of creating a CA and using it to issue certificates to your applications.
The guided task path ensures that you have everything you need to begin using
digital certificates to configure applications to use SSL and to sign objects
and verify object signatures.
Note: To use certificates with the IBM® HTTP Server for i, you must create and configure your Web server before working with DCM. When you configure a Web server to use SSL, an application ID is generated for the server. You must make a note of this application ID so that you can use DCM to specify which certificate this application will use for SSL.
Do not end and restart the server until
you use DCM to assign a certificate to the server. If you end and restart
the *ADMIN instance of the Web server before assigning a certificate to it,
the server will not start and you will not be able to use DCM to assign a
certificate to the server.
To use DCM to create and operate
a local CA, follow these steps:
- Start DCM. Refer to Starting DCM.
- In the navigation frame of DCM, select Create a Certificate Authority
(CA) to display a series of forms. These forms guide you through the process
of creating a local CA and completing other tasks needed to begin using digital
certificates for SSL, object signing, and signature verification.
Note: If you have questions about how to complete a specific form in this guided task, select the question mark (?) button at the top of the page to access the online help.
- Complete all the forms for this guided task. Working through these forms performs all the tasks that you need to set up a working local Certificate Authority (CA); in doing so, you:
  - Choose how to store the private key for the local CA certificate. (This step is provided only if you have an IBM Cryptographic Coprocessor installed on your system. If your system does not have a cryptographic coprocessor, DCM automatically stores the certificate and its private key in the local Certificate Authority (CA) certificate store.)
  - Provide identifying information for the local CA.
  - Install the local CA certificate on your PC or in your browser so that your software can recognize the local CA and validate certificates that the CA issues.
  - Choose the policy data for your local CA.
  - Use the new local CA to issue a server or client certificate that your applications can use for SSL connections. (If your system has an IBM Cryptographic Coprocessor installed, this step allows you to select how to store the private key for the server or client certificate. If your system does not have a coprocessor, DCM automatically places the certificate and its private key in the *SYSTEM certificate store. DCM creates the *SYSTEM certificate store as part of this subtask.)
  - Select the applications that can use the server or client certificate for SSL connections.
    Note: If you used DCM previously to create the *SYSTEM certificate store to manage certificates for SSL from a public Internet CA, you do not perform this or the previous step.
  - Use the new local CA to issue an object signing certificate that applications can use to digitally sign objects. This subtask creates the *OBJECTSIGNING certificate store; this is the certificate store that you use to manage object signing certificates.
  - Select the applications that can use the object signing certificate to place digital signatures on objects.
    Note: If you used DCM previously to create the *OBJECTSIGNING certificate store to manage object signing certificates from a public Internet CA, you do not perform this or the previous step.
  - Select the applications that will trust your local CA.
When you finish the guided task, you have everything that you
need to begin configuring your applications to use SSL for secure communications.
After you configure your applications, users that access the applications through an SSL connection must use DCM to obtain a copy of the local CA certificate. Each user must have a copy of the certificate so that the user's client software can use it to authenticate the identity of the server as part of the SSL negotiation process. Users can use DCM either to copy the local CA certificate to a file or to download the certificate into their browser. How the users store the local CA certificate depends on the client software that they use to establish an SSL connection to an application.
Also, you can use
this local CA to issue certificates to applications on other System i® models
in your network.
To learn more about using DCM to manage user certificates
and how users can obtain a copy of the local CA certificate to authenticate
certificates the local CA issues, review these topics: