gsk_create_certification_request()
z/OS Cryptographic Services System SSL Programming, SC14-7495-00
Creates a PKCS #10 certification request as described in PKCS #10, Version 1.7: Certification Request.
Format
Parameters
Results
The function return value will be 0 if no error is detected. Otherwise, it will be one of the return codes listed in the gskcms.h include file. These are some possible errors:
Usage
The gsk_create_certification_request() routine creates a PKCS #10 certification request. The request is then stored in the request database. The gsk_export_certification_request() routine can be called to create an export file containing the request for transmission to the certification authority.

The gsk_create_certification_request() routine is similar to the gsk_create_renewal_request() routine: both create a PKCS #10 certification request. The difference is that gsk_create_certification_request() generates a new public/private key pair, while gsk_create_renewal_request() uses the public/private key pair provided by the application.

These signature algorithms are supported:

When executing in FIPS mode, the signature algorithms x509_alg_md2WithRSAEncryption and x509_alg_md5WithRsaEncryption are not supported.

When not in FIPS mode, an RSA key size must be between 512 and 4096 bits and is rounded up to a multiple of 16 bits. A DSA key size must be between 512 and 2048 bits: sizes between 512 and 1024 bits are rounded up to a multiple of 64 bits, while a 2048-bit key must be specified explicitly as 2048. A DSA key size of 1024 bits or less should use signature algorithm x509_alg_dsaWithSha1; a 2048-bit DSA key should use either x509_alg_dsaWithSha224 or x509_alg_dsaWithSha256.

In FIPS mode, an RSA key size must be between 1024 and 4096 bits and is rounded up to a multiple of 16 bits. A DSA key size must be either 1024 or 2048 bits. A 1024-bit DSA key should use x509_alg_dsaWithSha1; a 2048-bit DSA key should use either x509_alg_dsaWithSha224 or x509_alg_dsaWithSha256.

For an ECC key, the key size determines the default named curve used for the public/private key pair, as specified in Table 2. In FIPS mode, only NIST-recommended curves are supported. To request a specific supported elliptic curve rather than the default for the key size, use gsk_construct_renewal_request() to create the certificate request.

The record label is used as a friendly name for the database entry. It can be any value consisting of characters that can be represented in 7-bit ASCII (letters, numbers, and punctuation). It may not be an empty string.

The extensions parameter can be used to supply certificate extensions for inclusion in the certification request. Whether a particular extension appears in the issued certificate is decided by the certification authority.

The database must be open for update in order to add the new request. The database file is updated as part of gsk_create_certification_request() processing: a temporary database file is created using the same name as the database file with ".new" appended, the database file is then overwritten, and the temporary file is deleted. If an error occurs while rewriting the database file, the temporary ".new" file is not deleted. Check for a leftover ".new" file after a failed call: it holds a copy of the database contents and should be removed once the cause of the failure is understood.
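As an added example (not code from this page or from IBM), the following C program mirrors the documented key-size, signature-algorithm and record-label rules as a caller-side pre-check, so that a request System SSL would reject is caught before the database is opened for update and rewritten. It does not call System SSL: the enum values are local stand-ins for the x509_alg_* constants in gskcms.h (the SHA-2 RSA entry is an assumption, since the page's algorithm list is not reproduced here), ECC keys are omitted because Table 2 is not on this page, and treating a mismatched DSA digest/key-size pairing as a hard error is this example's choice where the page says "should".

```c
/* Caller-side pre-check of the key size, signature algorithm and record
 * label rules documented for gsk_create_certification_request().
 * Added example; it does not call System SSL and is not IBM code.
 * The sig_alg values are local stand-ins for the x509_alg_* constants in
 * gskcms.h. ECC keys are not covered (the curve table is not reproduced). */
#include <stdbool.h>
#include <stdio.h>

typedef enum {
    SIG_RSA_MD2,     /* page: x509_alg_md2WithRSAEncryption, barred in FIPS mode */
    SIG_RSA_MD5,     /* page: x509_alg_md5WithRsaEncryption, barred in FIPS mode */
    SIG_RSA_SHA2,    /* assumed: an RSA signature algorithm with a SHA-2 digest */
    SIG_DSA_SHA1,    /* page: x509_alg_dsaWithSha1 */
    SIG_DSA_SHA224,  /* page: x509_alg_dsaWithSha224 */
    SIG_DSA_SHA256   /* page: x509_alg_dsaWithSha256 */
} sig_alg;

static int round_up(int value, int multiple)
{
    return ((value + multiple - 1) / multiple) * multiple;
}

static bool is_dsa(sig_alg alg)
{
    return alg == SIG_DSA_SHA1 || alg == SIG_DSA_SHA224 || alg == SIG_DSA_SHA256;
}

/* Returns the key size the routine would generate after its documented
 * rounding, or -1 when the (algorithm, size, mode) combination is rejected.
 * The DSA digest/size pairing is enforced as a hard error here; the page
 * says "should", so that strictness is this example's choice. */
int effective_key_size(sig_alg alg, int key_size, bool fips)
{
    if (is_dsa(alg)) {
        if (fips) {
            if (key_size != 1024 && key_size != 2048)
                return -1;                           /* FIPS: exactly 1024 or 2048 */
        } else {
            if (key_size < 512 || key_size > 2048)
                return -1;
            if (key_size <= 1024)
                key_size = round_up(key_size, 64);   /* e.g. 700 -> 704 */
            else if (key_size != 2048)
                return -1;                           /* 2048 must be given exactly */
        }
        /* <= 1024 bits pairs with SHA-1; 2048 bits with SHA-224 or SHA-256. */
        if (key_size <= 1024)
            return alg == SIG_DSA_SHA1 ? key_size : -1;
        return alg == SIG_DSA_SHA1 ? -1 : key_size;
    }

    /* RSA: MD2/MD5 signatures are unavailable in FIPS mode, the minimum
     * size rises from 512 to 1024 bits, and the size rounds up to 16 bits. */
    if (fips && (alg == SIG_RSA_MD2 || alg == SIG_RSA_MD5))
        return -1;
    if (key_size < (fips ? 1024 : 512) || key_size > 4096)
        return -1;
    return round_up(key_size, 16);                   /* e.g. 2030 -> 2032 */
}

/* Record label: non-empty and representable in 7-bit ASCII. Control
 * characters are rejected too (assumption: the page lists letters,
 * numbers and punctuation as the permitted characters). */
bool valid_label(const char *label)
{
    if (label == NULL || *label == '\0')
        return false;
    for (const unsigned char *p = (const unsigned char *)label; *p; p++) {
        if (*p < 0x20 || *p > 0x7e)
            return false;
    }
    return true;
}

int main(void)
{
    printf("RSA/SHA-2 2030 bits, non-FIPS -> %d\n", effective_key_size(SIG_RSA_SHA2, 2030, false));
    printf("RSA/MD5 1024 bits, FIPS       -> %d\n", effective_key_size(SIG_RSA_MD5, 1024, true));
    printf("DSA/SHA-1 700 bits, non-FIPS  -> %d\n", effective_key_size(SIG_DSA_SHA1, 700, false));
    printf("DSA/SHA-1 1500 bits, non-FIPS -> %d\n", effective_key_size(SIG_DSA_SHA1, 1500, false));
    printf("DSA/SHA-256 2048 bits, FIPS   -> %d\n", effective_key_size(SIG_DSA_SHA256, 2048, true));
    printf("label \"Server Cert 2014\"      -> %s\n", valid_label("Server Cert 2014") ? "ok" : "rejected");
    return 0;
}
```

Running the pre-check before opening the database for update avoids the rewrite of the database file (and a possible leftover ".new" file) for a request that would be rejected anyway; a -1 result maps to whichever gskcms.h return code your error handling uses for invalid parameters.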
Copyright IBM Corporation 1990, 2014