Obtaining personal certificates from a certificate authority

You can obtain a certificate from a trusted external certificate authority (CA).

You obtain a digital certificate by sending information to a CA, in the form of a certificate request. The X.509 standard defines a format for this information, but some CAs have their own format. Certificate requests are typically generated by the certificate management tool your system uses, for example the iKeyman tool on UNIX, Linux®, and Windows systems and RACF® on z/OS®. The information contains your Distinguished Name and your public key. When your certificate management tool generates your certificate request, it also generates your private key, which you must keep secure. Never distribute your private key.

When the CA receives your request, the authority verifies your identity before building the certificate and returning it to you as a personal certificate.
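The request-and-return cycle described above can be checked end to end. The following is an added example, not taken from the product documentation: it uses the OpenSSL command line in place of iKeyman or RACF, and the Distinguished Name, file names, and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: OpenSSL stands in for iKeyman or RACF; the DN is constructed.
set -eu

# Generate a private key (owner-only permissions) and a certificate request.
# The request carries the DN and the public key; the private key only signs it.
make_request() {    # $1 = directory, $2 = Distinguished Name
    ( umask 077 && openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
          -out "$1/personal.key" 2>/dev/null ) &&
    openssl req -new -key "$1/personal.key" -subj "$2" -out "$1/personal.csr"
}

# SHA-256 digest of the public key held in a private key, request or certificate.
pubkey_digest() {   # $1 = key|csr|cert, $2 = file
    case $1 in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
    esac | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds only if the request's self-signature verifies and its public key
# is the one that belongs to the local private key.
check_request() {   # $1 = directory
    openssl req -in "$1/personal.csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    [ "$(pubkey_digest key "$1/personal.key")" = "$(pubkey_digest csr "$1/personal.csr")" ]
}

# Succeeds only if the certificate returned by the CA contains the public key
# that matches the private key kept on this system.
check_returned_cert() {   # $1 = directory, $2 = certificate file from the CA
    [ "$(pubkey_digest key "$1/personal.key")" = "$(pubkey_digest cert "$2")" ]
}

# Demo in a temporary directory that is removed on exit.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_request "$work" "/C=GB/O=Example Org/CN=QM1 constructed"
check_request "$work"
echo "request ready to send: $(openssl req -in "$work/personal.csr" -noout -subject)"
```

Only `personal.csr` is sent to the CA. When the personal certificate comes back, run `check_returned_cert` against it before installing it.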

Figure 1 illustrates the process of obtaining a digital certificate from a CA.

Figure 1. Obtaining a digital certificate
This diagram shows the process of requesting a digital certificate from a certificate authority (CA). You send your public key to the CA, which confirms your identity, then builds and returns your signer certificate.
In the diagram:
  • "User identification" includes your Subject Distinguished Name.
  • "Certification Authority identification" includes the Distinguished Name of the CA that is issuing the certificate.
Digital certificates contain fields in addition to those shown in the diagram. For more information about the other fields in a digital certificate, see What is in a digital certificate.