Setting up PKI Services to generate keys for certificate requests

There are two ways to generate the key pair (public key and private key) for a certificate request:
  • The requestor can generate the key pair and send the public key to PKI Services with the request. In this case, PKI Services has no knowledge of the private key, and cannot recover it if the requestor loses it.
  • The requestor can ask PKI Services to generate the key pair. PKI Services uses the PKCS #11 API provided by ICSF to generate the key pair and store it in the token data set (TKDS). The requestor's email address is used as the requestor name. The certificate and private key are packaged in PKCS #12 format, and the requestor is sent an email containing a link for retrieving the package. In this case, PKI Services can recover the certificate package if the requestor needs it.

Before PKI Services can generate key pairs for certificates, you must do some setup. For example, you must set the TokenName keyword in the pkiserv.conf configuration file.

Requirement: The key generation capability requires hardware that supports the PKCS #11 CKM_RSA_PKCS_KEY_PAIR_GEN mechanism. For information about which hardware supports this mechanism, see z/OS Cryptographic Services ICSF Writing PKCS #11 Applications.

PKI Services can generate both secure keys and clear keys. The sensitive key material of a secure key is wrapped under a master key; a clear key is not encrypted. You control whether PKI Services generates secure keys or clear keys by setting the SecureKey keyword in the pkiserv.conf configuration file. You can restrict the generation of clear keys by defining a profile protecting the resource CLEARKEY.token_name in the CRYPTOZ class.

Rules:
  • The SecureKey keyword is ignored if the TokenName keyword is not specified.
  • If the SecureKey keyword is set to T, PKI Services generates secure keys. (The CKA_IBM_SECURE attribute is set to TRUE.)
  • If the SecureKey keyword is set to F or is not specified, PKI Services generates clear keys if the profiles in the CRYPTOZ class that protect the CLEARKEY function allow clear key generation. If the CLEARKEY profiles do not allow clear key generation, PKI Services generates a secure key. For example, the following RACF® command prevents clear key generation on the token named PKISRVD.PKITOKEN:
    RDEF CRYPTOZ CLEARKEY.PKISRVD.PKITOKEN UACC(NONE)
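The following is an added worked example, not IBM's code and not part of PKI Services, that models the three rules above so an administrator can predict which key type a given pkiserv.conf and CRYPTOZ setup will produce before requesting a certificate. The pkiserv.conf fragment and the CRYPTOZ profile are constructed; the [SAF] section name and the keyword=value syntax are assumptions about the file layout, the CLEARKEY profile check is simplified to "access other than NONE allows clear keys" with exact (discrete) profile-name matching, and "no profile" is treated as allowing clear keys, which is consistent with the text but not stated by it.

```python
# Added example (not IBM's code): models the PKI Services key-generation
# rules for TokenName, SecureKey and the CRYPTOZ CLEARKEY.token_name profile.

# Constructed fragment; [SAF] section and keyword=value syntax are assumptions.
CONSTRUCTED_PKISERV_CONF = """\
# constructed pkiserv.conf fragment
[SAF]
TokenName=PKISRVD.PKITOKEN
SecureKey=F
"""

# Constructed profile mirroring: RDEF CRYPTOZ CLEARKEY.PKISRVD.PKITOKEN UACC(NONE)
CONSTRUCTED_CRYPTOZ_PROFILES = [
    {"resource": "CLEARKEY.PKISRVD.PKITOKEN", "uacc": "NONE", "permits": {}},
]


def parse_conf(text):
    """Return {(section, keyword): value} from an INI-style fragment.
    Comment lines start with '#'; the section/keyword layout is assumed."""
    values = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, _, val = line.partition("=")
        values[(section, key.strip())] = val.strip()
    return values


def clearkey_allowed_by_profile(token_name, profiles, userid):
    """Simplified CRYPTOZ check (assumption): the user's access to
    CLEARKEY.<token_name> is an explicit permit if present, else UACC;
    any access other than NONE allows clear key generation. Discrete
    (exact-name) matching only; no profile means no restriction."""
    resource = "CLEARKEY." + token_name
    for profile in profiles:
        if profile["resource"] == resource:
            access = profile["permits"].get(userid, profile["uacc"])
            return access.upper() != "NONE"
    return True


def effective_key_type(token_name, secure_key, clearkey_allowed):
    """Apply the rules from the text.
    - no TokenName: key generation is not set up; SecureKey is ignored
    - SecureKey=T: secure key (CKA_IBM_SECURE=TRUE)
    - SecureKey=F or absent: clear key only if CLEARKEY allows it,
      otherwise a secure key is generated"""
    if not token_name:
        return "none"
    if (secure_key or "F").upper() == "T":
        return "secure"
    return "clear" if clearkey_allowed else "secure"


def key_type_from_conf(text, profiles, userid, section="SAF"):
    """Combine the parsed configuration with the CRYPTOZ model."""
    conf = parse_conf(text)
    token_name = conf.get((section, "TokenName"))
    secure_key = conf.get((section, "SecureKey"))
    allowed = bool(token_name) and clearkey_allowed_by_profile(token_name, profiles, userid)
    return effective_key_type(token_name, secure_key, allowed)


if __name__ == "__main__":
    # With SecureKey=F but UACC(NONE) on CLEARKEY.PKISRVD.PKITOKEN, the
    # daemon still ends up with a secure key.
    print(key_type_from_conf(CONSTRUCTED_PKISERV_CONF,
                             CONSTRUCTED_CRYPTOZ_PROFILES, "PKISRVD"))
```

Running the script with the constructed inputs shows that SecureKey=F does not by itself yield clear keys: the UACC(NONE) profile forces a secure key, which is the effect the RDEF command above is meant to have. Adding a permit for the daemon user ID flips the result to a clear key, so reviewing CRYPTOZ permits is as important as reviewing pkiserv.conf.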