You can use Digital Certificate Manager (DCM) to manage
public Internet certificates for your applications to use for establishing
secure communications sessions with the Secure Sockets Layer (SSL).
If you do not use DCM to operate your own local Certificate Authority
(CA), you must first create the appropriate certificate store for
managing the public certificates that you use for SSL. This is the
*SYSTEM certificate store. When you create a certificate store, DCM
takes you through the process of creating the certificate request
information that you must provide to the public CA to obtain a certificate.
To
use DCM to manage and use public Internet certificates so that your
applications can establish SSL communications sessions, follow these
steps:
- Start DCM. Refer to Starting DCM.
- In the navigation frame of DCM, select Create
New Certificate Store to start the guided task and complete a series of
forms. These forms guide you through the process of creating a certificate
store and a certificate that your applications can use for SSL sessions.
Note: If you have questions about how to complete a specific
form in this guided task, select the question mark (?)
at the top of the page to access the online help.
- Select *SYSTEM as the certificate
store to create and click Continue.
- Select Yes to create a certificate
as part of creating the *SYSTEM certificate store and click Continue.
- Select VeriSign or other Internet Certificate
Authority (CA) as the signer of the new certificate, and
click Continue to display a form that allows you
to provide identifying information for the new certificate.
Note: If
your system has an IBM® Cryptographic Coprocessor installed
and varied on, DCM allows you to select how to store the private key
for the certificate as the next task. If your system does not have
a coprocessor, DCM automatically places the private key in the *SYSTEM
certificate store. If you need help with selecting how to store the
private key, see the online help in DCM.
- Complete the form and click Continue to display
a confirmation page. This confirmation page displays the certificate
request data that you must provide to the public Certificate Authority
(CA) that will issue your certificate. The Certificate Signing Request
(CSR) data consists of the public key and other information that you
specified for the new certificate.
- Carefully copy and paste the CSR data into the certificate
application form, or into a separate file, that the public CA requires
for requesting a certificate. You must use all the CSR data, including
both the Begin and End New Certificate Request lines. When you exit this page,
the data is lost and you cannot recover it. Send the application form
or file to the CA that you have chosen to issue and sign your certificate.
Note: You must wait for the CA to return the signed, completed
certificate before you can finish this procedure.
To use
certificates with the HTTP Server for your system, you must create
and configure your Web server before working with DCM to work with
the signed completed certificate. When you configure a Web server
to use SSL, an application ID is generated for the server. You must
make a note of this application ID so that you can use DCM to specify
which certificate this application must use for SSL.
Do not
end and restart the server until you use DCM to assign the signed completed
certificate to the server. If you end and restart the *ADMIN instance
of the Web server before assigning a certificate to it, the server will
not start and you will not be able to use DCM to assign a certificate
to the server.
- After the public CA returns your signed certificate, start
DCM.
- In the navigation frame, click Select a Certificate
Store and select *SYSTEM as the
certificate store to open.
- When the Certificate Store and Password page displays,
provide the password that you specified for the certificate store
when you created it and click Continue.
- After the navigation frame refreshes, select Manage
Certificates to display a list of tasks.
- From the task list, select Import certificate to
begin the process of importing the signed certificate into the *SYSTEM
certificate store. After you finish importing the certificate, you
can specify the applications that must use it for SSL communications.
- In the navigation frame, select Manage Applications to display
a list of tasks.
- From the task list, select Update certificate
assignment to display a list of SSL-enabled applications
for which you can assign a certificate.
- Select an application from the list and click Update
Certificate Assignment.
- Select the certificate that you imported and click Assign
New Certificate. DCM displays a message to confirm your
certificate selection for the application.
Note: Some SSL-enabled
applications support client authentication based on certificates. If
you want an application with this support to more narrowly define
the CA certificates that it trusts from the list of enabled CA certificates
in the *SYSTEM certificate store, you must
define a CA trust
list for the application and select CAs from the *SYSTEM store
to trust. This trust list ensures that the application can validate
only those certificates from CAs that you specify as trusted. If a
user or a client application presents a certificate from a CA that
is not specified as trusted in the CA trust list, the application
does not accept it as a basis for valid authentication. If a CA trust
list is not defined, all enabled CA certificates in the *SYSTEM certificate
store are trusted.
When you finish the guided task, you have everything that
you need to begin configuring your applications to use SSL for secure
communications. Before users can access these applications through
an SSL session, they must have a copy of the CA certificate for the
CA that issued the server certificate. If your certificate is from
a well-known Internet CA, your users' client software may already
have a copy of the necessary CA certificate. If users need to obtain
the CA certificate, they must access the Web site for the CA and follow
the directions the site provides.