Obtaining certificates for client authentication

Certificates can be obtained from one of the following:

A certificate management tool is provided that creates certificate requests and self-signed certificates, and stores certificates in a client key database. Certificate requests can be made on the Host On-Demand server or locally-installed clients.

Using a browser certificate

Users who currently have a certificate for their browsers can use it directly, or they can export the certificate into a PKCS12 (.p12 or .pfx file type) file format and save it on their workstations to be used for client authentication. Optionally, the certificate can be stored on specialized external media, such as a smart card.

Certificates exported from an older browser are usually weakly encrypted. Use strong encryption when accessing certificates over the Internet with an unsecure protocol, such as http or ftp. To change the encryption strength:

  1. Click Communication > Security.
  2. Click Show Client Certificate.
  3. Locate the certificate and enter the current password.
  4. Click View Certificate.
  5. Click Settings.
  6. Type the current password, and choose Strong for Encryption Strength.
  7. Click OK.

Creating a client certificate request

Some CAs have Web pages that you can access for requesting certificates. That is the easiest way to obtain a client certificate.

To create a request in Certificate Management:

  1. On a Windows server, click Start > Programs > IBM Host On-Demand > Administration > Certificate Management.
  2. On an AIX server, enter CertificateManagement from a command prompt. The default location of the AIX script is /usr/opt/hostondemand/bin. Please refer to Running Certificate Management on AIX for additional information.
  3. Create a HODClientKeyDb.kdb database.
  4. Follow the instructions in the Help to create the certificate request.
  5. Exit Certificate Management.
  6. Send the certificate request to the CA.

Sending the certificate request to the CA

Access the CA's Web site and then follow the instructions to request the certificate. Here are the URLs of two CAs:

Depending on the CA you choose, you can either e-mail the certificate request or incorporate the request into the form or file provided by the CA. If you need the CA's root certificate, you can often get it directly from the Web site.

While you are waiting for the CA to process your certificate request, you can create a self-signed certificate to use.

Receiving the certificate

When you receive the certificate, make sure that it is in armored-64 or binary DER format. Only certificates in these formats can be stored in the key database. The Certificate Management program can only accept simple certificates. It cannot accept certificate chains or PKCS7 data. The armored-64 form of a simple certificate starts with "----BEGIN CERTIFICATE----" and ends with "----END CERTIFICATE----".

To receive the certificate:

  1. Click Start > Programs > IBM Host On-Demand > Administration > Certificate Management.
  2. Add the certificate to the key database, HODClientKeyDb.kdb.
  3. Export the certificate into a password-protected PKCS12 (.p12 file type) file. Send the certificate and password to the user.

Make sure the certificate is securely sent. If a non-secure protocol such as e-mail, http or ftp is used to send the file over the Internet, the certificate's security can be compromised.

A certificate can be stored anywhere on the client's computer, on a diskette, or on a Web server.

Related topics