z/OS Cryptographic Services System SSL Programming


Creating a certificate to be used with a fixed Diffie-Hellman key exchange

SC14-7495-00

Create a server certificate to be used during an SSL handshake that uses a fixed Diffie-Hellman key exchange. Fixed Diffie-Hellman requires that the certificates used by both sides of the exchange be generated from the same Diffie-Hellman generation parameters. So that each side uses the same parameters, a key parameter file must first be created and then supplied as input when the certificate is signed.

To create a key parameter file, from the Database Menu, enter 6. You are asked to select the key type and key size. Only 1024-bit DSA keys, 2048-bit DSA keys, or 2048-bit fixed Diffie-Hellman keys are valid for use in a FIPS database. When the key type is determined, you are prompted to enter a key parameter file name. The file name is interpreted relative to the current directory when gskkyman is invoked. You may also specify a fully qualified file name.

Figure 1. Creating a key parameter file to be used with Diffie-Hellman
       Database Menu

   1 - Create new database
   2 - Open database
   3 - Change database password
   4 - Change database record length
   5 - Delete database
   6 - Create key parameter file
   7 - Display certificate file (Binary or Base64 ASN.1 DER)

  11 - Create new token
  12 - Delete token
  13 - Manage token
  14 - Manage token from list of tokens

   0 - Exit program

Enter option number: 6 <enter>

       Key Type

   1 - DSA key
   2 - Diffie-Hellman key

Select key type (press ENTER to return to menu): 2 <enter>

       Diffie-Hellman Key Size

   1 - 1024-bit key
   2 - 2048-bit key

Select Diffie-Hellman key size (press ENTER to return to menu): 1 <enter>
Enter key parameter file name (press ENTER to return to menu):   dh_key_1024.keyfile <enter>

Please wait ......

Key parameter file created.

Press ENTER to continue

When the key parameter file is created, the next step is to create the signed certificate by using an existing certificate in the key database file or z/OS® PKCS #11 token to sign the server certificate. From the Key Management Menu or Token Management Menu, select 1 - Manage keys and certificates to display the Key and Certificate List. From the Key and Certificate List, select a CA certificate by entering the appropriate selection number, and then choose option 10 to create a signed certificate and key. This requires the displayed certificate to contain an RSA or a DSA key and have signing capability.

Select "User or server certificate" by choosing option 2 in the Certificate Usage menu, followed by option 4 - Certificate with a Diffie-Hellman key in the Certificate Key Algorithm menu, and then select the Diffie-Hellman key size. The key size must match the key size of the key parameters created previously.

When the certificate type is determined, you are prompted to enter:
  • The key parameter file created previously.
  • A label to uniquely identify the key and certificate within the key database.
  • The individual fields within the subject name.
  • Certificate expiration (the valid expiration range is 1 to 9999 days; the default value is 365 days).
  • The subject alternate names (optional).
Figure 2. Creating a certificate to be used with Diffie-Hellman
       Certificate Usage

   1 - CA certificate
   2 - User or server certificate

Select certificate usage (press ENTER to return to menu): 2 <enter>

       Certificate Key Algorithm

   1 - Certificate with an RSA key
   2 - Certificate with a DSA key 
   3 - Certificate with an ECC key
   4 - Certificate with a Diffie-Hellman key

Select certificate key algorithm (press ENTER to return to menu): 4 <enter>

       Diffie-Hellman Key Size

   1 - 1024-bit key
   2 - 2048-bit key

Select key size (press ENTER to return to menu): 1 <enter>
Enter key parameter file name (press ENTER to return to menu):   dh_key_1024.keyfile <enter>
Enter label (press ENTER to return to menu):   DSA_cert_with_DH_1024_key <enter>
Enter subject name for certificate:
       Common name (required):   DSA cert with DH 1024 key <enter>
       Organizational unit (optional):   Test <enter>
       Organization (required):   Test <enter>
       City/Locality (optional):   Poughkeepsie <enter>
       State/Province (optional):   NY <enter>
       Country/Region (2 characters - required):   US <enter>
Enter number of days certificate will be valid (default 365):   5000 <enter>

Enter 1 to specify subject alternate names or 0 to continue:   0 <enter>

Please wait .....

Certificate created.

Press ENTER to continue.

When the certificate is created, the next step is to determine if the certificate must be transferred to another database. If the certificate does not need to reside elsewhere, you must determine whether the certificate should be marked as the database's default certificate. Setting the certificate as the default certificate allows the certificate to be used by the SSL APIs without having to specify its label. For more information about setting the default certificate, see Marking a certificate (and private key) as the default certificate. If the certificate must be transferred, see Copying a certificate (and private key) to a different key database or z/OS PKCS #11 token for more information.
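The two requirements this page states, that both certificates come from the same generation parameters and that the certificate key size matches the parameter file, are what make a fixed Diffie-Hellman handshake work. The following added example (written for this page; it is not gskkyman code, and its names, file-free parameter handling and 128-bit toy size are assumptions made for a fast demo, the page's real sizes being 1024 and 2048 bits) derives a shared secret from two fixed public values over one parameter set and shows the checks a receiver should apply to a peer's certificate key: same (p, g), matching bit size, and a public value inside the valid subgroup.

```python
"""Added example: the parameter-agreement requirement behind a fixed
Diffie-Hellman certificate, shown with plain-integer arithmetic.
Toy sizes (128-bit) keep it fast; names are this example's own."""
import random
import secrets
from dataclasses import dataclass

SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
                61, 67, 71, 73, 79, 83, 89, 97]


def is_probable_prime(n, rounds=24, rng=None):
    """Miller-Rabin primality test (rng may be seeded for a reproducible demo)."""
    if n in (2, 3):
        return True
    if n < 2 or n % 2 == 0:
        return False
    for sp in SMALL_PRIMES:            # cheap trial division first
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = rng or secrets.SystemRandom()
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


@dataclass(frozen=True)
class DHParams:
    """Generation parameters both certificates must share: a safe prime p
    and a generator g of the order-q subgroup, q = (p - 1) / 2."""
    p: int
    g: int

    @property
    def bits(self):
        return self.p.bit_length()


def generate_params(bits, seed=None):
    """Constructed parameter generation: p = 2q + 1 with q prime, g = 4
    (a square, so it lies in the order-q subgroup)."""
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1   # odd, top bit set
        p = 2 * q + 1                                            # exactly `bits` bits
        if is_probable_prime(p, rng=rng) and is_probable_prime(q, rng=rng):
            return DHParams(p=p, g=4)


@dataclass(frozen=True)
class DHPublicKey:
    """What a certificate with a Diffie-Hellman key carries: its parameters
    and the fixed public value y = g^x mod p."""
    params: DHParams
    y: int


def generate_keypair(params, rng=None):
    rng = rng or secrets.SystemRandom()
    x = rng.randrange(2, params.p - 1)
    return x, DHPublicKey(params, pow(params.g, x, params.p))


def check_peer_key(local, peer, cert_bits):
    """Checks a fixed-DH receiver applies to the peer certificate's key."""
    if local.bits != cert_bits:
        raise ValueError(f"certificate key size {cert_bits} != parameter size {local.bits}")
    if peer.params != local:
        raise ValueError("peer certificate was not generated from the same parameters")
    if not 2 <= peer.y <= local.p - 2:
        raise ValueError("peer public value out of range")
    if pow(peer.y, (local.p - 1) // 2, local.p) != 1:
        raise ValueError("peer public value is not in the order-q subgroup")


def shared_secret(x, peer):
    return pow(peer.y, x, peer.params.p)


def demo(bits=128):
    """Two sides from one parameter file agree; a peer from another is rejected."""
    shared_params = generate_params(bits, seed=7)
    other_params = generate_params(bits, seed=8)
    rng = random.Random(99)
    xa, pub_a = generate_keypair(shared_params, rng)
    xb, pub_b = generate_keypair(shared_params, rng)
    check_peer_key(shared_params, pub_b, bits)
    check_peer_key(shared_params, pub_a, bits)
    result = {"agree": shared_secret(xa, pub_b) == shared_secret(xb, pub_a)}
    _, pub_c = generate_keypair(other_params, rng)
    try:
        check_peer_key(shared_params, pub_c, bits)       # different (p, g)
        result["mismatch_rejected"] = False
    except ValueError:
        result["mismatch_rejected"] = True
    try:
        check_peer_key(shared_params, pub_b, 2 * bits)   # wrong certificate key size
        result["size_rejected"] = False
    except ValueError:
        result["size_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

Running the module prints the three outcomes: the two keys built from the shared parameter set agree on the secret, a key built from a second parameter set is refused before any secret is computed, and a key whose declared size does not match the parameter file is refused the same way. The subgroup check is the one step the page's menu flow does not make visible; it is cheap with a safe prime and is worth keeping in any fixed-DH receiver.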

Copyright IBM Corporation 1990, 2014