IBM Support

How to Create the Local Certificate Authority (CA) Store in DCM

Troubleshooting


Problem

This document describes the process to create the Local Certificate Authority (CA) store in Digital Certificate Manager (DCM).

Resolving The Problem

This short document describes the steps required to create the Local Certificate Authority (CA) store in Digital Certificate Manager (DCM). If you are having trouble getting to the DCM page, enter one of the URLs below, substituting your IBM i system name or IP address:

http://<IBM i name or IP address>:2001/QIBM/ICSS/Cert/Admin/qycucm1.ndm/main0

or

https://<IBM i name or IP address>:2010/QIBM/ICSS/Cert/Admin/qycucm1.ndm/main0

  • Step 1

    On the left menu, click the Create a Certificate Authority (CA) link:

    Picture of 'Create a Certificate Authority (CA)' link in DCM

  • Step 2

    On the next screen, fill out the information form for the Local Certificate Authority (CA) and click Continue. This Local CA will be used to digitally sign local SSL certificates:

    Picture of 'Create a Certificate Authority (CA)' form

    Note: You must fill out all the required fields in the form. You may also want to change the Key Size and the Validity Period of the Certificate Authority (CA):

    Key Size: This determines the length, in bits, of the CA's key (choose between 512, 768, 1024, 2048, and 4096). The default is 1024, but this may not be considered a large enough key size for some security compliance requirements. In this case, you may want to use 2048 or 4096.

    Validity period of Certificate Authority (CA): This is the number of days that the CA certificate will be valid. Once this limit is reached, the certificate expires and will need to be renewed (7300 days is the maximum value for this parameter).

  • Step 3

    On the next screen, you should see something similar to the following:

    Picture of the 'Install Local CA Certificate' screen.

    This screen allows you to install the newly created Local CA into your PC browser. Typically, you can skip this step and click Continue.

  • Step 4

    The next screen allows you to set the Policy Data for the Local CA. This policy determines how long server or client SSL certificates that are signed by the Local CA certificate will last:

    Picture of 'Certificate Authority Policy Data' screen

    Choose whether or not you would like the CA to be able to create user certificates. You may also want to change the Validity Period of the certificates that are issued by this Certificate Authority (CA). This defaults to 365 days. You can set this to 2000 days to make it last longer. This determines how long the server/client certificates created by the CA will last. Once you have finished making selections, click Continue.

  • Step 5

    You will select the applications that will trust the newly created Local CA:

    Picture of 'Select applications to trust CA'

    Click the Select All button to place check marks next to all the application IDs. Then click Continue at the bottom of the screen. You should receive a green confirmation box stating the following:

    Message: The applications you selected will trust this Certificate Authority (CA)

    You have now successfully created the Local CA and Local CA store.
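
The Key Size and validity choices in Steps 2 and 4 interact: a certificate issued late in the CA's life can expire after the CA that signed it. The following added example (not IBM code and not part of DCM) reviews a planned set of values before they are typed into the form and derives the resulting dates. The function name `review_ca_plan`, the 2048-bit minimum, and the sample creation date are assumptions made for this example.

```python
from datetime import date, timedelta

# Choices and limit as listed in Step 2 of this page.
DCM_KEY_SIZES = (512, 768, 1024, 2048, 4096)
DCM_MAX_CA_DAYS = 7300
# Assumption, not from the page: treat 2048 bits as the compliance minimum.
MIN_KEY_BITS = 2048


def review_ca_plan(key_size, ca_days, issued_days, created):
    """Review planned Local CA settings (hypothetical helper).

    Returns (findings, ca_expiry, last_full_issue). last_full_issue is the
    last day a certificate with the full policy validity can be issued and
    still expire no later than the CA certificate that signed it.
    """
    findings = []
    if key_size not in DCM_KEY_SIZES:
        findings.append(f"key size {key_size} is not offered by the form")
    elif key_size < MIN_KEY_BITS:
        findings.append(f"key size {key_size} is below {MIN_KEY_BITS} bits")
    if not 1 <= ca_days <= DCM_MAX_CA_DAYS:
        findings.append(f"CA validity {ca_days} is outside 1..{DCM_MAX_CA_DAYS}")
    if issued_days < 1:
        findings.append(f"issued validity {issued_days} must be at least 1 day")
    elif issued_days > ca_days:
        findings.append("issued certificates would outlive the CA immediately")
    ca_expiry = created + timedelta(days=ca_days)
    last_full_issue = ca_expiry - timedelta(days=issued_days)
    return findings, ca_expiry, last_full_issue


if __name__ == "__main__":
    created = date(2019, 12, 18)  # constructed sample creation date
    for plan in [(1024, 7300, 365), (2048, 7300, 2000), (4096, 365, 2000)]:
        findings, expiry, last_issue = review_ca_plan(*plan, created)
        print(plan, "CA expires", expiry, "| last full-validity issue", last_issue)
        for finding in findings:
            print("  finding:", finding)
```

The "last full-validity issue" date is the point by which renewal of the Local CA should be planned if issued certificates are meant to stay within the CA's own lifetime.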

Product: IBM i. Platform: IBM i. Version: V7R3; V7R2; V7R1.

Historical Number

677938735

Document Information

Modified date:
18 December 2019

UID

nas8N1010311