Using APIs to programmatically issue certificates to users other than IBM i users

Your local CA can issue private certificates to users without associating the certificate with an IBM® i user profile.

The Generate and Sign User Certificate Request (QYCUGSUC) API and the Sign User Certificate Request (QYCUSUC) API allow you to programmatically issue certificates to users other than IBM i users. Having the certificate associated with an IBM i user profile has its advantages, especially when internal users are concerned. However, the restrictions and requirements that come with that association made it less practical to use the local CA to issue user certificates for a large number of users, especially when you do not want those users to have an IBM i user profile. To avoid providing user profiles to these users, you might require users to pay for a certificate from a well-known CA if you wanted to require certificates for user authentication for your applications.

These two APIs let you provide an interface for creating user certificates, signed by the local CA certificate, for any user name. The certificate is not associated with a user profile. The user does not need to exist on the system that hosts DCM, and the user does not need to use DCM to create the certificate.

There are two APIs, one for each of the predominant browser programs, that you can call when using Net.Data® to create a program for issuing certificates to users. The application that you create must provide the graphical user interface (GUI) code needed to create the user certificate and must call the appropriate API to use the local CA to sign the certificate.