Digital Certificate Manager (DCM) APIs were added to automate the management of certificates without using the DCM browser-based user interface. An application written using these APIs can renew a certificate residing in the system certificate store, update an application definition to use the renewed certificate, and update the trust list with the CA that issued the renewed certificate.
These three APIs provide Application Definition certificate assignment capabilities. An Application Definition, also known as an Application ID, is created and maintained in DCM for use by System TLS-based applications.
- Remove a certificate assignment from an application (QycdRemoveCertUsage).
- Add a certificate assignment to an application (QycdUpdateCertUsage).
- Retrieve information about the certificate currently assigned to an application (QycdRetrieveCertUsageInfo).
These three APIs provide Certificate Authority (CA) Trust List configuration capabilities. A CA Trust List is an optional configuration for Application Definitions. The list allows individual applications to trust a different set of CAs from other applications.
- Add a CA certificate to the CA certificate trust list (QycdAddCACertTrust).
- Remove a CA certificate from the CA certificate trust list (QycdRemoveCACertTrust).
- Check whether a CA certificate is in the CA certificate trust list (QycdCheckCACertTrust).
This API is used in a two-step process to renew an existing certificate residing in the system certificate store.
- Request a certificate renewal and import the certificate into the system certificate store (QycdRenewCertificate).
With the first call, a CSR (Certificate Signing Request) is generated based on an existing certificate. After out-of-band processing of the CSR is complete, the second call imports the issued certificate into the system certificate store.
Refer to the IBM i Knowledge Center documentation for Digital Certificate Management APIs for additional information.
09 January 2020