Resolving The Problem
This document describes the steps required to create the Local Certificate Authority (CA) store in Digital Certificate Manager (DCM). If you are having trouble getting to the DCM page, substitute your IBM i system name or IP address into one of the URLs below:
http://<IBM i name or IP address>:2001/QIBM/ICSS/Cert/Admin/qycucm1.ndm/main0
https://<IBM i name or IP address>:2010/QIBM/ICSS/Cert/Admin/qycucm1.ndm/main0
- Step 1
On the left menu, click on the Create a Certificate Authority (CA) link:
- Step 2
On the next screen, you will need to fill out the information form for the Local Certificate Authority (CA) and click Continue. This Local CA will be used to digitally sign local SSL certificates:
Note: You will need to fill out all the required fields in the form. You may also want to change the Key Size and the Validity Period of the Certificate Authority (CA):
Key Size: This determines the length of the encryption key (choose between 512, 768, 1024, 2048, and 4096). The default is 1024, but this may not be considered a large enough key size for some security compliance requirements. In this case, you may want to use 2048 or 4096.
Validity period of Certificate Authority (CA): This is the number of days that the CA certificate will be valid. Once this limit is reached, the certificate expires and will need to be renewed (7300 days is the maximum value for this parameter).
- Step 3
On the next screen, you should see something similar to the following:
This screen allows you to install the newly created Local CA into your PC browser. Typically, you can skip this step and click Continue.
- Step 4
The next screen allows you to set the Policy Data for the Local CA. This policy determines how long server or client SSL certificates that are signed by the Local CA certificate will last:
Choose whether or not you would like the CA to be able to create user certificates. Also, you may want to change the Validity Period of the certificates that are issued by this Certificate Authority (CA). This will default to 365 days. You can set this to 2000 days to make it last longer. This will determine how long the server/client certificates created by the CA will last. Once you have finished making selections, click Continue.
- Step 5
You will select the applications that will trust the newly created Local CA:
Click the Select All button, and this will place check boxes next to all the application IDs. Then click Continue down at the bottom of the screen. You should receive a green confirmation box stating the following:
Message: The applications you selected will trust this Certificate Authority (CA)
You have now successfully created the Local CA and Local CA store.
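A pre-flight check for the values entered in Steps 2 and 4, as an added example that is not IBM code. It uses the key sizes and the 7300-day maximum listed above; the 2048-bit floor, the function name `review_local_ca` and the sample inputs are assumptions made for illustration.

```python
from datetime import date, timedelta

# Values offered by the DCM form, as listed on this page.
ALLOWED_KEY_SIZES = (512, 768, 1024, 2048, 4096)
MAX_CA_VALIDITY_DAYS = 7300
# Assumption: compliance floor for the CA key; set this to your own policy.
MIN_KEY_SIZE = 2048


def review_local_ca(key_size, ca_days, issued_days, ca_created):
    """Check planned form values.

    Returns (findings, ca_expiry, last_full_issue), where last_full_issue is
    the last date on which a certificate issued for the full validity period
    still expires no later than the CA that signed it.
    """
    findings = []
    if key_size not in ALLOWED_KEY_SIZES:
        findings.append(f"key size {key_size} is not offered by the form")
    elif key_size < MIN_KEY_SIZE:
        findings.append(f"key size {key_size} is below the {MIN_KEY_SIZE}-bit floor")
    if not 1 <= ca_days <= MAX_CA_VALIDITY_DAYS:
        findings.append(f"CA validity {ca_days} is outside 1..{MAX_CA_VALIDITY_DAYS} days")
    if issued_days >= ca_days:
        # A chain stops validating once the CA certificate has expired.
        findings.append("issued certificates would outlive the CA that signs them")
    ca_expiry = ca_created + timedelta(days=ca_days)
    last_full_issue = ca_expiry - timedelta(days=issued_days)
    return findings, ca_expiry, last_full_issue


if __name__ == "__main__":
    created = date(2019, 12, 18)  # constructed sample creation date
    plans = {
        "default key, constructed 1095-day CA": (1024, 1095, 365),
        "2048-bit key, 7300-day CA, 2000-day certs": (2048, 7300, 2000),
    }
    for label, (bits, ca_days, issued_days) in plans.items():
        findings, expiry, last_issue = review_local_ca(bits, ca_days, issued_days, created)
        print(label)
        print(f"  CA expires {expiry}; last full-length issuance {last_issue}")
        for finding in findings or ["no findings"]:
            print(f"  - {finding}")
```

The last full-length issuance date marks the point where renewing the Local CA needs to be planned, because certificates issued after it would still be in their validity period when the CA certificate expires.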
18 December 2019