gsk_create_signed_certificate_record()
z/OS Cryptographic Services System SSL Programming, SC14-7495-00
Creates a signed certificate.
Format
Parameters
Results
The function return value will be 0 if no error is detected. Otherwise, it will be one of the return codes listed in the gskcms.h include file. These are some possible errors:
Usage
The gsk_create_signed_certificate_record() routine generates an X.509 certificate as described in RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. The new certificate is signed using the certificate specified by the label parameter and the signature algorithm specified by the signature_algorithm parameter. If the certificate request contains an ECC key, the signing certificate cannot contain a DSA key. The following signature algorithms are supported:

When executing in FIPS mode, signature algorithms x509_alg_md2WithRSAEncryption and x509_alg_md5WithRsaEncryption are not supported.

When not in FIPS mode, an RSA key size must be between 512 and 4096 bits and a DSA key size must be between 512 and 2048 bits. A DSA key size of 1024 bits or less should specify signature algorithm x509_alg_dsaWithSha1, and a DSA key size of 2048 bits should specify either x509_alg_dsaWithSha224 or x509_alg_dsaWithSha256.

In FIPS mode, an RSA key size must be between 1024 and 4096 bits and a DSA key size must be either 1024 or 2048 bits. A DSA key size of 1024 bits should specify signature algorithm x509_alg_dsaWithSha1, and a DSA key size of 2048 bits should specify either x509_alg_dsaWithSha224 or x509_alg_dsaWithSha256.

An ECC key must use a NIST recommended EC named curve.

A certification authority certificate will have BasicConstraints and KeyUsage extensions which allow the certificate to be used to sign other certificates and certificate revocation lists. An end user certificate will have BasicConstraints and KeyUsage extensions which allow the certificate to be used as follows:
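The key-size and signature-algorithm rules above can be checked before the routine is called, so that a rejected combination is caught with a readable reason instead of a gskcms.h return code. The function below is an added example, not IBM code and not part of this manual. It assumes the size limits apply to the key the signature algorithm is used with (the signing certificate's key); it uses the x509_alg_* identifiers the page names literally, recognises other RSA identifiers only by their "RsaEncryption" suffix, does not check ECDSA identifiers at all, and uses an illustrative subset of the NIST prime curves, because the page reproduces neither the full list of supported algorithms nor the curve list.

```python
"""Pre-check of the signature-algorithm / key-size rules stated in the Usage
text for gsk_create_signed_certificate_record().  Added example, not IBM code."""

# Identifiers the page names explicitly.
MD_RSA_ALGS = {"x509_alg_md2WithRSAEncryption", "x509_alg_md5WithRsaEncryption"}
DSA_ALGS = {"x509_alg_dsaWithSha1", "x509_alg_dsaWithSha224", "x509_alg_dsaWithSha256"}
DSA_SHA2_ALGS = {"x509_alg_dsaWithSha224", "x509_alg_dsaWithSha256"}

# Assumption: an illustrative subset of the NIST recommended prime curves; the
# page only says "NIST recommended EC named curve" without listing them.
NIST_CURVES = {"secp192r1", "secp224r1", "secp256r1", "secp384r1", "secp521r1"}


def check_signature_choice(key_type, key_param, sig_alg, fips, request_key_type=None):
    """Return (ok, reason) for signing with sig_alg using a key of key_type.

    key_param is the key size in bits for RSA and DSA and the named curve for
    ECC.  request_key_type is the key type found in the certification request;
    it is only needed for the ECC-request / DSA-signer restriction.
    """
    if request_key_type == "ECC" and key_type == "DSA":
        return False, "a request containing an ECC key cannot be signed by a DSA key"

    if key_type == "RSA":
        # Assumption: any identifier ending in "RsaEncryption" is an RSA algorithm.
        if not sig_alg.lower().endswith("rsaencryption"):
            return False, f"{sig_alg} is not an RSA signature algorithm"
        if fips and sig_alg in MD_RSA_ALGS:
            return False, f"{sig_alg} is not supported in FIPS mode"
        low = 1024 if fips else 512
        if not low <= key_param <= 4096:
            return False, f"RSA key size {key_param} is outside {low}..4096 bits"
        return True, "ok"

    if key_type == "DSA":
        if sig_alg not in DSA_ALGS:
            return False, f"{sig_alg} is not a DSA signature algorithm"
        if fips:
            if key_param not in (1024, 2048):
                return False, f"FIPS mode DSA key size must be 1024 or 2048 bits, not {key_param}"
        elif not 512 <= key_param <= 2048:
            return False, f"DSA key size {key_param} is outside 512..2048 bits"
        # The page's "should" pairing is enforced as a hard rule here.
        if key_param <= 1024 and sig_alg != "x509_alg_dsaWithSha1":
            return False, "DSA keys of 1024 bits or less must use x509_alg_dsaWithSha1"
        if key_param == 2048 and sig_alg not in DSA_SHA2_ALGS:
            return False, "2048-bit DSA keys must use x509_alg_dsaWithSha224 or x509_alg_dsaWithSha256"
        # Non-FIPS sizes strictly between 1024 and 2048: the page gives no pairing rule.
        return True, "ok"

    if key_type == "ECC":
        # ECDSA algorithm identifiers are not checked: the page does not list them.
        if key_param not in NIST_CURVES:
            return False, f"{key_param} is not a NIST recommended named curve"
        return True, "ok"

    return False, f"unknown key type {key_type}"


if __name__ == "__main__":
    for combo in (("RSA", 2048, "x509_alg_md5WithRsaEncryption", True),
                  ("DSA", 2048, "x509_alg_dsaWithSha1", False),
                  ("DSA", 1024, "x509_alg_dsaWithSha1", True)):
        print(combo, "->", check_signature_choice(*combo))
```

Running the checker in FIPS mode with the two MD-based RSA algorithms, or with a 2048-bit DSA key and x509_alg_dsaWithSha1, returns a reason string rather than leaving the caller to decode a gskcms.h status.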
The certificate expiration date will be set to the earlier of the requested expiration date and the expiration date of the signing certificate. The signing certificate must have an associated private key, its BasicConstraints extension must either be omitted or have the CA indicator set, and its KeyUsage extension must either be omitted or allow signing certificates.

A CA certificate will have SubjectKeyIdentifier, KeyUsage, and BasicConstraints extensions, while an end user certificate will have SubjectKeyIdentifier and KeyUsage extensions. An AuthorityKeyIdentifier extension will be created if the signing certificate has a SubjectKeyIdentifier extension.

The application can supply additional extensions through the extensions parameter. An AuthorityKeyIdentifier, KeyUsage, or BasicConstraints extension provided by the application replaces the default extension created for the certificate; a SubjectKeyIdentifier extension provided by the application is ignored. Certificate extensions can also be contained within the certification request. A certificate extension supplied by the application overrides a certificate extension of the same type contained in the certification request. The certificate extensions found in the certification request will be copied unmodified to the new certificate with these exceptions:
No certification path validation is performed by the gsk_create_signed_certificate_record() routine. An error will be returned if the requested subject name is the same as the subject name in the signing certificate.
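The following added example (not IBM code and not part of this manual) models the certificate-assembly rules stated in this Usage section: the checks on the signing certificate, the expiration clamp, the default extensions, and the precedence among default, request-supplied and application-supplied extensions. Extension contents are simplified to Python values. The SubjectKeyIdentifier is a placeholder string rather than a hash of the public key; the end user default KeyUsage is an assumption, because the page does not reproduce that list; the exception list for request-supplied extensions is likewise absent, so this model copies only extension types the routine does not generate itself; and the sample signer and request are constructed data.

```python
"""Model of the extension, expiration and signer rules stated for
gsk_create_signed_certificate_record().  Added example, not IBM code."""
from datetime import datetime, timedelta

# Extension type names used as dictionary keys.
SKI = "SubjectKeyIdentifier"
AKI = "AuthorityKeyIdentifier"
KU = "KeyUsage"
BC = "BasicConstraints"


def check_signer(signer):
    """The three requirements the Usage text places on the signing certificate."""
    if not signer.get("has_private_key"):
        raise ValueError("signing certificate has no associated private key")
    bc = signer["extensions"].get(BC)
    if bc is not None and not bc.get("ca"):
        raise ValueError("signing certificate BasicConstraints does not set the CA indicator")
    ku = signer["extensions"].get(KU)
    if ku is not None and "keyCertSign" not in ku:
        raise ValueError("signing certificate KeyUsage does not allow signing certificates")


def build_certificate(signer, request, num_days, app_extensions=None, now=None,
                      end_user_key_usage=frozenset({"digitalSignature", "keyEncipherment"})):
    """Return the certificate the routine would assemble, or raise ValueError.

    end_user_key_usage is an assumption: the page does not reproduce the
    default end user KeyUsage bits.
    """
    check_signer(signer)
    if request["subject"] == signer["subject"]:
        raise ValueError("requested subject name equals the signing certificate's subject name")
    now = now or datetime.now()
    # Expiration is the earlier of the requested date and the signer's expiration.
    not_after = min(now + timedelta(days=num_days), signer["not_after"])

    # Default extensions.  The SKI value is a placeholder for the key hash.
    ext = {SKI: "ski(" + request["subject"] + ")"}
    if request.get("is_ca"):
        ext[KU] = frozenset({"keyCertSign", "cRLSign"})   # sign certificates and CRLs
        ext[BC] = {"ca": True}
    else:
        ext[KU] = frozenset(end_user_key_usage)
    if SKI in signer["extensions"]:
        ext[AKI] = signer["extensions"][SKI]               # AKI only if signer has an SKI

    # Request extensions are copied unmodified.  Assumption: the page's list of
    # exceptions is not reproduced, so only types the routine does not generate
    # itself are copied here.
    for name, value in request.get("extensions", {}).items():
        if name not in ext:
            ext[name] = value

    # Application extensions replace default and request extensions of the same
    # type; an application-supplied SKI is ignored.
    for name, value in (app_extensions or {}).items():
        if name == SKI:
            continue
        ext[name] = value

    return {"subject": request["subject"], "issuer": signer["subject"],
            "not_after": not_after, "extensions": ext}


# Constructed sample data.
NOW = datetime(2024, 1, 1)
SIGNER = {
    "subject": "CN=Example Root CA,O=Example",
    "has_private_key": True,
    "not_after": datetime(2024, 6, 30),
    "extensions": {SKI: "ski:root", BC: {"ca": True},
                   KU: frozenset({"keyCertSign", "cRLSign"})},
}
REQUEST = {
    "subject": "CN=server.example.test,O=Example",
    "is_ca": False,
    "extensions": {"SubjectAltName": ["server.example.test"]},
}

if __name__ == "__main__":
    cert = build_certificate(SIGNER, REQUEST, 365, now=NOW)
    print(cert["not_after"], sorted(cert["extensions"]))
```

Requesting 365 days from a signer that expires on 2024-06-30 yields a certificate clamped to the signer's expiration, and an application-supplied SubjectKeyIdentifier never reaches the output even though an application-supplied KeyUsage does.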
Copyright IBM Corporation 1990, 2014