Steps for requesting a new certificate

To request a new certificate, first go to the PKI Services home page. (See Figure 1.)

Perform the following steps to request a new certificate:
  1. Click the down arrow to the right of the field beside Request a new certificate using a model. This displays a list of certificate templates from which you can select.

    For SCEP preregistration: Do not follow these steps to request a SCEP (preregistration) certificate template. Instead, go to Steps for preregistering an SCEP client.

    The following list shows the certificate templates that PKI Services provides by default. This list might differ from the certificate templates your installation provides because your installation can customize the certificate templates and web pages.
    • One-year SAF server certificate
    • One-year SAF browser certificate
    • One-year PKI SSL browser certificate (See Figure 1 to see a sample of this web page.)
    • One-year PKI SSL S/MIME browser certificate
    • One-year PKI generated key certificate
    • Two-year PKI browser certificate for authenticating to z/OS®
    • Two-year PKI Authenticode - code signing server certificate
    • Two-year PKI Windows logon certificate
    • Two-year EV SSL server certificate
    • Five-year PKI SSL server certificate
    • n-year PKI browser certificate for extensions demonstration
    • Five-year SCEP certificate - Preregistration
    • Five-year PKI IPSEC server (firewall) certificate
    • Five-year PKI intermediate CA server certificate

    _______________________________________________________________

  2. Click one of the items in the list. The drop-down list then collapses so that only the certificate you selected appears in the field and is highlighted.

    _______________________________________________________________

  3. Click Request certificate. A form where you fill in information is displayed.
    Note: You might need to click through some additional panels specific to your browser (for example, clicking Next on a Mozilla-based browser or answering Do you want to proceed? on Internet Explorer) before the certificate request form appears.

    _______________________________________________________________

  4. Fill in the necessary information in the certificate request form.

    The form that appears depends on the certificate you are requesting and, in some instances, the fields that appear on the form depend on the browser you are using. Example: If you request a one-year SSL browser certificate, the form shown in Figure 1 appears.

    Figure 1. One-year SSL browser certificate request form
    Note: In the case of the one-year SSL browser certificate, fill in your common name. (See Table 1 for descriptions of fields.) If you are using a Mozilla-based browser, select a key size from a drop-down list. Alternatively, if you are using Internet Explorer, click the drop-down lists to select your cryptographic service provider and to specify whether to use strong private key protection.

    _______________________________________________________________

  5. If you are requesting a server or device certificate, you need to supply a base64-encoded PKCS #10 certificate request. Use software specific to that server to generate the PKCS #10 request before going to the PKI website. Paste the request into the web page as shown in Figure 2.
    For example, you could use the RACDCERT command to generate the PKCS #10 request. Assume that the server has the distinguished name OU=Inventory,O=XYZZY,C=US and a domain name xyzzy.com. This server runs on z/OS with the user ID INVSERV. First, generate a self-signed certificate for the server and assign the label "Inventory Server" to the certificate. The certificate is associated with the user ID that is associated with the server (INVSERV).
    RACDCERT ID(INVSERV)
             GENCERT
             SUBJECTSDN(CN('xyzzy.com')
                        OU('Inventory')
                        O('XYZZY')
                        C('US'))
             WITHLABEL('Inventory Server')
    Next, generate a PKCS #10 Base64-encoded certificate request based on the certificate you just created, and write the request to a data set.
    RACDCERT ID(INVSERV)
             GENREQ(LABEL('Inventory Server'))
             DSN('WAIC.INVSERV.GENREQ')
    Copy the PKCS #10 request from the data set WAIC.INVSERV.GENREQ and paste it into the field Base64 encoded PKCS#10 certificate request.
    Figure 2. Supplying the PKCS #10 certificate request for a server or device certificate

    For server certificates where a base64-encoded PKCS #10 certificate request is supplied, specify one or more of the fields related to the subject's distinguished name only if you want to change the distinguished name supplied in the PKCS #10 certificate request. If you change one of these fields, the subject's distinguished name specified in the PKCS #10 certificate request is ignored and you must respecify the entire distinguished name (all fields). For a list of the fields related to the subject's distinguished name, see Table 1.

    _______________________________________________________________

  6. Fill in the passphrase on the certificate request form (twice). This is a value known only to you. Pick a value that you can easily remember because you need to supply the same passphrase when you pick up your certificate. Do not use a sensitive value such as your ATM PIN or login password.

    _______________________________________________________________

  7. Fill in any optional information you want. When you are satisfied with the information you have entered, click Submit certificate request. If the request is successful, the results depend on the type of certificate you requested.
    • For all certificate types except one-year PKI generated key certificates, you see a page like the one shown in Figure 3, which tells you your transaction ID.
      Figure 3. Successful request displays transaction ID
      1. Make a note of the transaction ID. (You can copy and paste the transaction ID to a file so that you have it for future reference, or you can write it in the box below. The reason for keeping a record of the transaction ID is that, depending on how you go to the web page to retrieve your certificate (see Figure 4), you might have to fill in the transaction ID on that web page.)
        Transaction ID:
      2. Click Continue. This displays the following web page:
        Figure 4. Web page to retrieve your certificate
      3. Bookmark this web page.
        Notes:
        1. After you submit the request for a certificate, your PKI Services administrator might need to approve the request before you can pick up your certificate. The amount of time that this takes can vary from a few minutes to a few days, depending on your installation. You bookmark this web page so that you can return to it at a later time.
        2. If your installation has enabled email notification and you supplied a valid email address when submitting your certificate request, then you receive an email message when your certificate is ready for pick-up or if PKI Services rejects your certificate request.
      4. From this web page, you can start the steps to retrieve your certificate (see Steps for retrieving a certificate from a bookmarked web page) or you can return to the PKI Services home page (by clicking Home).
    • For a one-year PKI generated key certificate, you see a page like the one shown in Figure 5.
      Figure 5. Successful request for a one-year PKI generated key certificate

      A window that says "Request submitted successfully" and "A link to pick up the certificate was sent to the specified requester's email address at" with the requester's email address.

      Unlike other types of certificates, this page does not show you the transaction ID for your certificate. Instead, PKI Services sends an email to the address you specified in the request. The email contains a link to the certificate.

    _______________________________________________________________
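
Step 5 uses the subject's distinguished name from the PKCS #10 request unless you override it on the form, so it helps to confirm what the request contains before pasting it. The following Python sketch is an added example, not part of the original page or of PKI Services; the names csr_subject, tlv and sample_request are hypothetical, the sample request is constructed with placeholder key and signature fields (it cannot be submitted), and accepting both armor labels is an assumption about what the generating software writes.

```python
import base64, re

# X.520 attribute OIDs (2.5.4.x) for the DN fields used in this example.
OIDS = {b"\x55\x04\x03": "CN", b"\x55\x04\x0b": "OU",
        b"\x55\x04\x0a": "O", b"\x55\x04\x06": "C"}

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value, next position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def csr_subject(pem):
    """Return the subject DN of a base64 PKCS #10 request as (attr, value) pairs."""
    m = re.search(r"-----BEGIN (NEW )?CERTIFICATE REQUEST-----(.*?)-----END", pem, re.S)
    if not m:
        raise ValueError("no PKCS #10 armor found")
    der = base64.b64decode("".join(m.group(2).split()))
    tag, req, _ = tlv(der, 0)        # CertificationRequest
    tag2, info, _ = tlv(req, 0)      # CertificationRequestInfo
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not a PKCS #10 structure")
    _, _, pos = tlv(info, 0)         # skip the version INTEGER
    _, name, _ = tlv(info, pos)      # subject Name
    pairs, pos = [], 0
    while pos < len(name):
        _, rdn, pos = tlv(name, pos)  # one RDN (SET); only its first attribute is read
        _, atv, _ = tlv(rdn, 0)
        _, oid, p = tlv(atv, 0)
        _, val, _ = tlv(atv, p)
        pairs.append((OIDS.get(oid, oid.hex()), val.decode("utf-8", "replace")))
    return pairs

def _der(tag, body):  # DER-encode one element of the constructed sample (< 128 bytes)
    return bytes([tag, len(body)]) + body

def sample_request():
    """Constructed sample with the page's DN; key and signature are empty placeholders."""
    dn = [(b"\x55\x04\x06", "US"), (b"\x55\x04\x0a", "XYZZY"),
          (b"\x55\x04\x0b", "Inventory"), (b"\x55\x04\x03", "xyzzy.com")]
    name = b"".join(_der(0x31, _der(0x30, _der(0x06, o) + _der(0x13, v.encode()))) for o, v in dn)
    info = _der(0x30, _der(0x02, b"\x00") + _der(0x30, name) + _der(0x30, b"") + _der(0xA0, b""))
    b64 = base64.b64encode(_der(0x30, info + _der(0x30, b"") + _der(0x03, b"\x00"))).decode()
    return f"-----BEGIN NEW CERTIFICATE REQUEST-----\n{b64}\n-----END NEW CERTIFICATE REQUEST-----"

print(csr_subject(sample_request()))
```

If the pairs shown are not the distinguished name you intend, either regenerate the request or respecify the entire distinguished name on the form, as step 5 describes.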