z/OS Cryptographic Services PKI Services Guide and Reference


Steps for requesting a new certificate

SA23-2286-00

To request a new certificate, first go to the PKI Services home page. (See Figure 1.)

Perform the following steps to request a new certificate:
  1. Click the down arrow to the right of the field beside Request a new certificate using a model. This displays a list of certificate templates from which you can select.

    For SCEP preregistration: Do not follow these steps to request a SCEP (preregistration) certificate template. Instead, go to Steps for preregistering an SCEP client.

    The following list shows the certificate templates that PKI Services provides by default. This list might differ from the certificate templates your installation provides because your installation can customize the certificate templates and Web pages.
    • One-year SAF server certificate
    • One-year SAF browser certificate
    • One-year PKI SSL browser certificate (See Figure 1 to see a sample of this Web page.)
    • One-year PKI SSL S/MIME browser certificate
    • One-year PKI generated key certificate
    • Two-year PKI browser certificate for authenticating to z/OS
    • Two-year PKI Authenticode - code signing server certificate
    • Two-year PKI Windows logon certificate
    • Five-year PKI SSL server certificate
    • n-year PKI browser certificate for extensions demonstration
    • Five-year SCEP certificate - Preregistration
    • Five-year PKI IPSEC server (firewall) certificate
    • Five-year PKI intermediate CA server certificate

    _______________________________________________________________

  2. Click one of the items in the list. The drop-down list then collapses so that only the certificate you selected appears in the field and is highlighted.

    _______________________________________________________________

  3. Click Request certificate. A form where you fill in information is displayed.
    Note: You might need to click through some additional panels specific to your browser (for example, clicking Next on a Mozilla-based browser or answering Do you want to proceed? on Internet Explorer) before the certificate request form appears.

    _______________________________________________________________

  4. Fill in the necessary information in the certificate request form.

    The form that appears depends on the certificate you are requesting and, in some instances, the fields that appear on the form depend on the browser you are using. Example: If you request a one-year SSL browser certificate, the form shown in Figure 1 appears.

    Figure 1. One-year SSL browser certificate request form
    Note: In the case of the one-year SSL browser certificate, fill in your common name. (See Table 1 for descriptions of fields.) If you are using a Mozilla-based browser, select a key size from a drop-down list. Alternatively, if you are using Internet Explorer, click the drop-down lists to select your cryptographic service provider and to specify whether to use strong private key protection.

    _______________________________________________________________

  5. If you are requesting a server or device certificate, you need to supply a base64-encoded PKCS #10 certificate request. Use software specific to that server to generate the PKCS #10 request before going to the PKI Web site. Paste the request into the Web page as shown in Figure 2.
    For example, you could use the RACDCERT command to generate the PKCS #10 request. Assume that the server has the distinguished name OU=Inventory,O=XYZZY,C=US and a domain name xyzzy.com. This server runs on z/OS® with the user ID INVSERV. First, generate a self-signed certificate for the server and assign the label "Inventory Server" to the certificate. The certificate is associated with the user ID that is associated with the server (INVSERV).
    RACDCERT ID(INVSERV)
             GENCERT
             SUBJECTSDN(CN('xyzzy.com')
                        OU('Inventory')
                        O('XYZZY')
                        C('US'))
             WITHLABEL('Inventory Server')
    Next, generate a PKCS #10 Base64-encoded certificate request based on the certificate you just created, and write the request to a data set.
    RACDCERT ID(INVSERV)
             GENREQ(LABEL('Inventory Server'))
             DSN('WAIC.INVSERV.GENREQ')
    Copy the PKCS #10 request from the data set WAIC.INVSERV.GENREQ and paste it into the field Base64 encoded PKCS#10 certificate request.
    Figure 2. Supplying the PKCS #10 certificate request for a server or device certificate

    For server certificates where a base64-encoded PKCS #10 certificate request is supplied, specify one or more of the fields related to the subject's distinguished name only if you wish to change the distinguished name supplied in the PKCS #10 certificate request. If you change one of these fields, the subject's distinguished name specified in the PKCS #10 certificate request is ignored and you must respecify the entire distinguished name (all fields). For a list of the fields related to the subject's distinguished name, see Table 1.

    _______________________________________________________________

  6. Fill in the passphrase on the certificate request form (twice). This is a value known only to you. Pick a value that you can easily remember because you will be challenged to supply the same passphrase when you pick up your certificate. Do not use a sensitive value such as your ATM PIN or login password.

    _______________________________________________________________

  7. Fill in any optional information as desired. When you are satisfied with the information you have entered, click Submit certificate request. If the request is successful, the results depend on the type of certificate you requested.
    • For all certificate types except one-year PKI generated key certificates, you see a page like the one shown in Figure 3, which tells you your transaction ID.
      Figure 3. Successful request displays transaction ID
      1. Make a note of the transaction ID. (You can copy and paste the transaction ID to a file so that you have it for future reference, or you can write it in the box below. The reason for keeping a record of the transaction ID is that, depending on how you go to the Web page to retrieve your certificate (see Figure 4), you might have to fill in the transaction ID on that Web page.)
        Transaction ID:
      2. Click Continue. This displays the following Web page:
        Figure 4. Web page to retrieve your certificate
      3. Bookmark this Web page.
        Note:
        1. After you submit the request for a certificate, your PKI Services administrator might need to approve the request before you can pick up your certificate. The amount of time that this takes can vary from a few minutes to a few days, depending on your installation. You bookmark this Web page so that you can return to it at a later time.
        2. If your installation has enabled e-mail notification and you supplied a valid e-mail address when submitting your certificate request, then you will receive an e-mail message when your certificate is ready for pick-up or if PKI Services rejects your certificate request.
      4. From this Web page, you can start the steps to retrieve your certificate (see Steps for retrieving a certificate from a bookmarked Web page) or you can return to the PKI Services home page (by clicking Home).
    • For a one-year PKI generated key certificate, you see a page like the one shown in Figure 5.
      Figure 5. Successful request for a one-year PKI generated key certificate

      A window that says "Request submitted successfully" and "A link to pick up the certificate was sent to the specified requestor's email address at" with the requestor's e-mail address.

      Unlike other types of certificates, this page does not show you the transaction ID for your certificate. Instead, PKI Services sends an e-mail to the address you specified in the request. The e-mail contains a link to the certificate.

    _______________________________________________________________
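The following is an added example, not part of the IBM documentation: a check you can run on the request from step 5 before pasting it, so you know exactly which subject distinguished name the PKCS #10 request carries and whether the distinguished name fields on the form can be left blank. It assumes the data set content has been copied to a workstation as text and that the PEM header is either BEGIN NEW CERTIFICATE REQUEST or BEGIN CERTIFICATE REQUEST; the function names and the sample request are constructed for illustration.

```python
import base64
import re

# DER-encoded attribute-type OIDs (2.5.4.x) for the DN fields in the RACDCERT example.
OIDS = {b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value, next position)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def csr_subject(pem):
    """Return the subject DN of a PEM PKCS #10 request, most specific RDN first."""
    m = re.search(r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.+?)-----END", pem, re.S)
    if not m:
        raise ValueError("no PKCS #10 PEM block found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    req = tlv(der, 0)[1]                  # CertificationRequest
    info = tlv(req, 0)[1]                 # CertificationRequestInfo
    name = tlv(info, tlv(info, 0)[2])[1]  # skip version, take the subject Name
    parts, pos = [], 0
    while pos < len(name):
        rdn, pos = tlv(name, pos)[1:]     # one SET per RDN
        atv = tlv(rdn, 0)[1]              # first AttributeTypeAndValue in the SET
        _, oid, p = tlv(atv, 0)
        value = tlv(atv, p)[1].decode("utf-8", "replace")
        parts.append(f"{OIDS.get(oid, oid.hex())}={value}")
    return ",".join(reversed(parts))

# Constructed sample (not real GENREQ output): DER assembled by hand for the page's
# example DN, with empty public-key and signature fields, so only the subject is usable.
def _der(tag, body):
    return bytes([tag, len(body)]) + body  # short-form lengths suffice for this sample
def _rdn(oid, text):
    return _der(0x31, _der(0x30, _der(0x06, oid) + _der(0x13, text.encode())))

_name = _der(0x30, _rdn(b"\x55\x04\x06", "US") + _rdn(b"\x55\x04\x0a", "XYZZY")
             + _rdn(b"\x55\x04\x0b", "Inventory") + _rdn(b"\x55\x04\x03", "xyzzy.com"))
_info = _der(0x30, _der(0x02, b"\x00") + _name + _der(0x30, b"") + _der(0xA0, b""))
_csr = _der(0x30, _info + _der(0x30, b"") + _der(0x03, b"\x00"))
SAMPLE = ("-----BEGIN NEW CERTIFICATE REQUEST-----\n" + base64.encodebytes(_csr).decode()
          + "-----END NEW CERTIFICATE REQUEST-----\n")
```

The parser reads only the subject; it does not verify the request's signature, so a mismatch between the printed DN and the one you intended means the request should be regenerated rather than corrected on the form.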





Copyright IBM Corporation 1990, 2014