Managing public Internet certificates for SSL communications sessions

You can use Digital Certificate Manager (DCM) to manage public Internet certificates for your applications to use for establishing secure communications sessions with the Secure Sockets Layer (SSL).

1. Start DCM. Refer to Starting DCM.
2. In the navigation frame of DCM, select Create New Certificate Store to start the guided task and complete a series of forms. These forms guide you through the process of creating a certificate store and a certificate that your applications can use for SSL sessions.
   Note: If you have questions about how to complete a specific form in this guided task, select the question mark (?) at the top of the page to access the online help.
3. Select *SYSTEM as the certificate store to create and click Continue.
4. Select Yes to create a certificate as part of creating the *SYSTEM certificate store and click Continue.
5. Select VeriSign or other Internet Certificate Authority (CA) as the signer of the new certificate, and click Continue to display a form that allows you to provide identifying information for the new certificate.
   Note: If your system has an IBM® Cryptographic Coprocessor installed and varied on, DCM allows you to select how to store the private key for the certificate as the next task. If your system does not have a coprocessor, DCM automatically places the private key in the *SYSTEM certificate store. If you need help with selecting how to store the private key, see the online help in DCM.
6. Complete the form and click Continue to display a confirmation page. This confirmation page displays the certificate request data that you must provide to the public Certificate Authority (CA) that will issue your certificate. The Certificate Signing Request (CSR) data consists of the public key and other information that you specified for the new certificate.
7. Carefully copy and paste the CSR data into the certificate application form, or into a separate file, that the public CA requires for requesting a certificate. You must use all the CSR data, including both the Begin and End New Certificate Request lines. When you exit this page, the data is lost and you cannot recover it. Send the application form or file to the CA that you have chosen to issue and sign your certificate.
   Note: You must wait for the CA to return the signed, completed certificate before you can finish this procedure.

   To use certificates with the HTTP Server for your system, you must create and configure your Web server before working with DCM to work with the signed completed certificate. When you configure a Web server to use SSL, an application ID is generated for the server. You must make a note of this application ID so that you can use DCM to specify which certificate this application must use for SSL.

   Do not end and restart the server until you use DCM to assign the signed completed certificate to the server. If you end and restart the *ADMIN instance of the Web server before assigning a certificate to it, the server will not start and you will not be able to use DCM to assign a certificate to the server.

8. After the public CA returns your signed certificate, start DCM.
9. In the navigation frame, click Select a Certificate Store and select *SYSTEM as the certificate store to open.
10. When the Certificate Store and Password page displays, provide the password that you specified for the certificate store when you created it and click Continue.
11. After the navigation frame refreshes, select Manage Certificates to display a list of tasks.
12. From the task list, select Import certificate to begin the process of importing the signed certificate into the *SYSTEM certificate store. After you finish importing the certificate, you can specify the applications that must use it for SSL communications.
13. In the navigation frame, select Manage Applications to display a list of tasks.
14. From the task list, select Update certificate assignment to display a list of SSL-enabled applications for which you can assign a certificate.
15. Select an application from the list and click Update Certificate Assignment.
16. Select the certificate that you imported and click Assign New Certificate. DCM displays a message to confirm your certificate selection for the application.
    Note: Some SSL-enabled applications support client authentication based on certificates. If you want an application with this support to more narrowly define the CA certificates that it trusts from the list of enabled CA certificates in the *SYSTEM certificate store, you must define a CA trust list for the application and select CAs from the *SYSTEM store to trust. This trust list ensures that the application can validate only those certificates from CAs that you specify as trusted. If a user or a client application presents a certificate from a CA that is not specified as trusted in the CA trust list, the application does not accept it as a basis for valid authentication. If a CA trust list is not defined, all enabled CA certificates in the *SYSTEM certificate store are trusted.