The digital certificate management APIs enable X.509 type certificates to be
associated with a user profile.The APIs add, remove, list, and find certificates that are associated with
user profiles.
This section also includes APIs for registering applications that use
certificates. Applications that need to use certificates will make themselves
known by registering themselves. As part of that registration, applications
will identify an exit program that is to be called:
whenever a certificate is assigned to the application or if the certificate
assignment changes.
whenever a Certificate Authority (CA) is added to or removed from the trust
list for the application.
whenever the information about the application is being changed.
whenever the application is being deregistered.
The application is, therefore, not responsible for providing a user interface
for certificate management. When the application starts, it can retrieve the
name and location of the certificate assigned to the application and use it for
initiating a Secure Sockets Layer (SSL) session or some other operation that
requires a certificate.
The digital certificate management APIs are:
Add User Certificate (QSYADDUC, QsyAddUserCertificate) associates a certificate with an IBM i user profile.
Deregister Application for Certificate Use (QSYDRGAP, QsyDeregisterAppForCertUse) removes an application and all associated certificate information from the registration facility.
Export Certificate Store (QYKMEXPK, QykmExportKeyStore)) exports a certificate store to a PKCS 12 version 3 standard file.
Find Certificate User (QSYFNDCU, QsyFindCertificateUser) finds the user that is associated with a certificate.
Generate and Sign User Certificate Request (QYCUGSUC) generates a user certificate request and then signs the certificate request using the local Certificate Authority (CA).
Get Default Key Item (QYKMGDKI, QykmGetDefaultKeyItem) Allows you to retrieve the label of the default certificate in a certificate store.
Import Certificate Store (QYKMIMPK, QykmImportKeyStore)) imports a certificate store from a PKCS 12 version 3 standard file.
List User Certificates (QSYLSTUC, QsyListUserCertificates) lists the certificates in the user profile.
Sign User Certificate Request (QYCUSUC) signs a user certificate request using the local Certificate Authority (CA).
Note: All of these APIs, except Register and Deregister Application for Certificate Use,
require that Digital Certificate Manager, option 34 of the IBM® i licensed program (5761-SS1), be installed.