Configuring z/OS PKI Services as a CA

The following table contains a task roadmap to lead you through the subtasks and associated procedures to configure your z/OS® PKI Services system as a CA. Where needed, some notes are included to provide reminders about additional activities that are not described in this document. (For background information about the subtasks and reasons they are required, see Task overview.)

| Subtask | Associated instructions (see …) | Notes |
| --- | --- | --- |
| If you have not already done so, install and configure PKI Services as a self-signed certificate authority (CA). | Follow the instructions in Planning, Configuring your system for PKI Services, and Customizing PKI Services. | Remember to store your PKI Services CA signing key in Integrated Cryptographic Service Facility (ICSF). |
| Establish PKI Services as an intermediate certificate authority under the IdenTrust root. | Follow the instructions in Establishing PKI Services as an intermediate CA and in Administering security for PKI Services. | Send your certificate request to IdenTrust for signing. To do this, follow the IdenTrust instructions in IT-PKI to request a certificate for a "Participant CA Key Signing and CRL Signing Certificate Profile". |
| Modify the PKI Services configuration file (pkiserv.conf). | Steps to modify pkiserv.conf for different certificate types | Make sure your certificate policies are in accordance with IT-PKI. |
| | Steps to modify pkiserv.conf general settings | Make sure your changes are in accordance with IT-PKI. |
| Create IdenTrust specific certificate templates in the PKI Services certificate templates file (pkiserv.tmpl). | Steps to create IdenTrust specific certificate templates | Make sure your certificate templates are in accordance with IT-PKI. |
| Stop and restart PKI Services to activate your changes. | Follow the instructions in Starting and stopping PKI Services. | |