Creating a signed ECC certificate and key

z/OS Cryptographic Services System SSL Programming SC14-7495-00
If ECC is selected as the certificate key algorithm in the Certificate Key Algorithm menu, you are prompted to choose the ECC key type (for user or server certificates only) to be set in the new certificate and the EC named curve to be used when generating the ECC key. Supported EC named curves are outlined in Elliptic Curve Cryptography support.

The following example creates an end-entity certificate with an ECDSA key using a 256-bit NIST suggested named curve.

Figure 1. Selecting the ECC Key Type
The selected key type determines the setting of the keyUsage extension in the new certificate. A general ECC key allows Digital Signature, Non-repudiation and Key Agreement. An ECDSA key allows Digital Signature and Non-repudiation. An ECDH key allows Key Agreement only.

If option 1 is selected in the Certificate Usage menu, requesting a CA certificate, the ECC Key Type menu does not appear. The keyUsage extension of the new certificate is set to allow the certificate to be used to sign certificates and certificate revocation lists.

Once the key type has been selected, you are prompted to select the ECC curve type. For a FIPS database, Brainpool standard curves are not supported and, for this reason, the ECC Curve Type menu may not appear.

Figure 2. Selecting the ECC Curve Type
For a FIPS database, some curves may not be recommended for use and may not appear in the ECC Curve Type menu.

After selecting the curve type you are prompted to enter the certificate label, subject name, expiration and (optionally) subject alternate names. See Creating a signed certificate and key for more information.
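
The key type to keyUsage mapping and the FIPS Brainpool restriction described above can be checked against an issued certificate. The following is an added example, not part of the IBM documentation or of gskkyman: it decodes the DER BIT STRING of a keyUsage extension value and reports which ECC key type it corresponds to. It assumes the extension value has already been extracted as DER bytes; the bit positions are those of RFC 5280, the function names are hypothetical, and treating any certificate that carries both keyCertSign and cRLSign as a CA certificate is an assumption.

```python
# Added example: classify a certificate's keyUsage against the key types above.
# Bit positions are from RFC 5280; function and constant names are hypothetical.
KU_NAMES = ["digitalSignature", "nonRepudiation", "keyEncipherment",
            "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
            "encipherOnly", "decipherOnly"]

# Key type -> keyUsage bits, as stated in the text above.
PROFILES = {
    "General ECC": {"digitalSignature", "nonRepudiation", "keyAgreement"},
    "ECDSA": {"digitalSignature", "nonRepudiation"},
    "ECDH": {"keyAgreement"},
}
# Assumption: a CA certificate carries at least these two bits.
CA_BITS = {"keyCertSign", "cRLSign"}


def decode_key_usage(der: bytes) -> set:
    """Decode the DER BIT STRING held in a keyUsage extension value."""
    if len(der) < 4 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length, unused = der[1], der[2]
    if length >= 0x80 or length != len(der) - 2 or not 2 <= length <= 3:
        raise ValueError("unexpected BIT STRING length")
    if unused > 7:
        raise ValueError("invalid unused-bit count")
    body = der[3:]
    if body[-1] & ((1 << unused) - 1):
        raise ValueError("unused bits must be zero in DER")
    bits = set()
    for i, name in enumerate(KU_NAMES):
        byte, shift = divmod(i, 8)
        if byte < len(body) and body[byte] & (0x80 >> shift):
            bits.add(name)
    return bits


def classify(der: bytes, curve: str, fips: bool = False) -> str:
    """Return the key type implied by keyUsage, or raise on a policy mismatch."""
    if fips and curve.lower().startswith("brainpool"):
        raise ValueError("Brainpool curves are not supported in a FIPS database")
    usage = decode_key_usage(der)
    if CA_BITS <= usage:
        return "CA"
    for key_type, expected in PROFILES.items():
        if usage == expected:
            return key_type
    raise ValueError("keyUsage matches no ECC key type: %s" % sorted(usage))
```

For example, the constructed value `03 02 06 C0` (digitalSignature and nonRepudiation) classifies as an ECDSA key, while a value that sets keyEncipherment is rejected because none of the ECC key types above allows it.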
Copyright IBM Corporation 1990, 2014