You can use Digital Certificate Manager (DCM) to create
and operate your own local CA to issue private certificates for your
applications.
DCM provides you with a guided task path that takes
you through the process of creating a CA and using it to issue certificates
to your applications. The guided task path ensures that you have everything
you need to begin using digital certificates to configure applications
to use SSL and to sign objects and verify object signatures.
Note: To use certificates with the IBM® HTTP Server for i, you must create and configure your Web server before working with DCM. When you configure a Web server to use SSL, an application ID is generated for the server. You must make a note of this application ID so that you can use DCM to specify which certificate this application will use for SSL.
Do not end and restart the server until you use DCM to
assign a certificate to the server. If you end and restart the *ADMIN
instance of the Web server before assigning a certificate to it, the
server will not start and you will not be able to use DCM to assign
a certificate to the server.
To use DCM to create and
operate a local CA, follow these steps:
- Start DCM. Refer to Starting DCM.
- In the navigation frame of DCM, select Create a Certificate Authority
(CA) to display a series of forms. These forms guide you through the
process of creating a local CA and completing other tasks needed to
begin using digital certificates for SSL, object signing, and signature verification.
Note: If you have questions about how to complete a specific
form in this guided task, select the question mark (?) button at the
top of the page to access the online help.
- Complete all the forms for this guided task. The forms take you through every task needed to set up a working local Certificate Authority (CA). In them, you:
- Choose how to store the private key for the local CA certificate. (This step is provided only if you have an IBM Cryptographic Coprocessor installed on your system and the device description for it is varied on. Storing the key on the coprocessor keeps the CA private key, which is the root of trust for every certificate the CA issues, inside the hardware rather than in a file in the certificate store. If no cryptographic device description is varied on, DCM automatically stores the certificate and its private key in the local Certificate Authority (CA) certificate store.)
- Provide identifying information for the local CA.
- Install the local CA certificate on your PC or in your
browser so that your software can recognize the local CA and validate
certificates that the CA issues.
- Choose the policy data for your local CA.
- Use the new local CA to issue a server or client certificate
that your applications can use for SSL connections. (If your system
has an IBM Cryptographic Coprocessor installed and varied
on, this step allows you to select how to store the private key for
the server or client certificate. If your system does not have a coprocessor,
DCM automatically places the certificate and its private key in the
*SYSTEM certificate store. DCM creates the *SYSTEM certificate store
as part of this subtask.)
- Select the applications that can use the server or client
certificate for SSL connections.
Note: If you used DCM
previously to create the *SYSTEM certificate store to manage certificates
for SSL from a public Internet CA, you do not perform this or the
previous step.
- Use the new local CA to issue an object signing certificate
that applications can use to digitally sign objects. This subtask
creates the *OBJECTSIGNING certificate store; this is the certificate
store that you use to manage object signing certificates.
- Select the applications that can use the object signing
certificate to place digital signatures on objects.
Note: If
you used DCM previously to create the *OBJECTSIGNING certificate store
to manage object signing certificates from a public Internet CA, you
do not perform this or the previous step.
- Select the applications that will trust your local CA.
When you finish the guided task, you have everything that
you need to begin configuring your applications to use SSL for secure
communications.
After you configure your applications, users
that access the applications through an SSL connection must use DCM
to obtain a copy of the local CA certificate. Each user must have
a copy of the certificate so that the user's client software can use
it to authenticate the identity of the server as part of the SSL negotiation process.
Users can use DCM either to copy the local CA certificate to a file
or to download the certificate into their browser. How the users store
the local CA certificate depends on the client software that they
use to establish an SSL connection to an application.
Also, you can use this local CA to issue certificates
to applications on other IBM i models
in your network.
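The guided task above and the client-side requirement that follows it (every user must hold a copy of the local CA certificate before the client can authenticate the server) are steps in the DCM user interface. The shell script below is an added example, not DCM's or IBM's own code, that performs the equivalent steps with openssl so the trust relationships can be inspected directly: it creates a local CA whose certificate is marked CA:TRUE and restricted to certificate signing, issues a server certificate with end-entity extensions and a subject alternative name, and then shows that the same server certificate validates only for a client that has the CA certificate. The subject names, file names, key sizes and validity periods are all assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not DCM's own code): the local-CA workflow built with openssl.
# Subject names, file names, key sizes and validity periods are assumptions.
set -e

WORK="${WORK:-$(mktemp -d)}"   # scratch directory that holds keys and certificates

# Step 1 (DCM: "provide identifying information" and "choose the policy data"):
# a self-signed CA certificate whose extensions mark it as a CA and limit the
# key to signing certificates and CRLs.
create_local_ca() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
C  = US
O  = Example Corp
CN = Example Local CA
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    chmod 600 "$WORK/ca.key"           # the CA private key is the root of trust
    openssl req -x509 -new -sha256 -days 3650 -key "$WORK/ca.key" \
        -config "$WORK/ca.cnf" -extensions v3_ca -out "$WORK/ca.crt"
}

# Step 2 (DCM: "use the new local CA to issue a server certificate"):
# the server has its own key and a CSR; the CA signs it and sets the
# end-entity extensions itself instead of trusting whatever the CSR asked for.
issue_server_cert() {
    cat > "$WORK/server.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
C  = US
O  = Example Corp
CN = www.example.test
[v3_server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/server.key" -config "$WORK/server.cnf" \
        -out "$WORK/server.csr"
    openssl x509 -req -sha256 -days 365 -in "$WORK/server.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/server.cnf" -extensions v3_server \
        -out "$WORK/server.crt" 2>/dev/null
}

# Step 3 (the client side of "users must obtain a copy of the local CA
# certificate"): the server certificate validates only when the client holds
# ca.crt in its trust store.
verify_with_ca() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# Returns success when validation FAILS, which is what a client that never
# imported ca.crt sees. -no-CAfile/-no-CApath keep the system store out of it.
verify_without_ca() {
    ! openssl verify -no-CAfile -no-CApath "$WORK/server.crt" >/dev/null 2>&1
}

# Fingerprint to publish out of band so that users can check the ca.crt they
# downloaded before installing it in a browser or client trust store.
ca_fingerprint() {
    openssl x509 -in "$WORK/ca.crt" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

server_cert_issuer() {
    openssl x509 -in "$WORK/server.crt" -noout -issuer
}

main() {
    create_local_ca
    issue_server_cert
    echo "CA certificate to distribute: $WORK/ca.crt"
    echo "CA SHA-256 fingerprint:       $(ca_fingerprint)"
    echo "Server certificate issuer:    $(server_cert_issuer)"
    if verify_with_ca; then echo "client with ca.crt:    server.crt validates"; fi
    if verify_without_ca; then echo "client without ca.crt: server.crt is rejected"; fi
}

main "$@"
```

Two differences from the DCM flow are worth keeping in mind. DCM keeps the private keys in the *SYSTEM certificate store or on the cryptographic coprocessor; here they are ordinary files, so the chmod on ca.key stands in for that protection and is the weakest part of the setup. And the fingerprint printed by the script is what users should compare against before installing the CA certificate their browser downloaded: if the fingerprint only travels over the same download path as the certificate, it adds nothing.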
To learn more about using DCM to manage user
certificates and how users can obtain a copy of the local CA certificate
to authenticate certificates the local CA issues, review these topics: