Previous topic |
Next topic |
Contents |
Contact z/OS |
Library |
PDF
Creating a self-signed server or client certificate z/OS Cryptographic Services System SSL Programming SC14-7495-00 |
|
If your organization does not use a certificate authority (within the organization or outside the organization), a self-signed certificate can be generated for use by the program acting as an SSL server or client. In addition, since root CA certificates are also self-signed certificates that are permitted to be used to sign other certificates (certificate requests), these procedures can also be used to create a root CA certificate. See Marking a certificate (and private key) as the default certificate. Programs acting as SSL servers (i.e. acting as the server side of the SSL handshake protocol) must have a certificate to use during the handshake protocol. A program acting as an SSL client requires a certificate when the SSL server requests client authentication as part of the SSL handshake. Note: This is not suggested for production environments and should
only be used to facilitate test environments before production. Self-signed
certificates do not imply any level of security or authenticity of
the certificate because, as their name implies, they are signed by
the same key that is contained in the certificate. However, certificates
that are signed by a certificate authority indicate that, at least
at the time of signature, the certificate authority approved the information
contained in the certificate.
Note: gskkyman supports the creation of X.509 Version 3 certificates.
When creating a self-signed certificate to be used to identify a server or client, from the Key Management Menu or Token Management Menu, enter 6. You are prompted for a number of items to define the certificate, including the intended use of the certificate, the key algorithm and key size, and possibly the digest algorithm for the certificate signature. Figure 1. Key Management Menu
Figure 2. Token Management Menu
Certificates that are intended to be used directly by a server or client are considered to be end user certificates. Certificates intended to be used to sign other certificates are considered to be CA certificates. RSA key certificates are the most common. DSA key certificates represent certificates that follow the FIPS-186 government standard. ECC key certificates represent certificates that use Elliptic Curve Cryptography. The larger the key size, the more secure the generated key will be. Note that CPU usage increases as the key size increases. If an RSA-based certificate is selected, you will be prompted to select the key size and the digest type for the signature algorithm. See Figure 3 for an example of selecting the key size and digest type. If a 1024-bit DSA certificate is selected, SHA-1 will be used for the signature algorithm. If a 2048-bit DSA certificate is selected, you will be prompted to select the digest type for the signature algorithm from a list of SHA-based digest types. If an ECC certificate is selected, you will be prompted to select the ECC key type and curve type. The suggested digest for the key size of the ECC key will be used for the signature algorithm, as specified in Table 1. See Creating a signed ECC certificate and key for more information. Once the certificate type and signature algorithm is determined, you will be prompted to enter:
Figure 3 shows the creation of a self-signed certificate to be used as a server or client certificate in a key database file or z/OS® PKCS #11 token. Figure 3. Creating a Self-Signed
Certificate
Once the certificate is created, the next step is to determine whether the certificate should be marked as the database's or z/OS PKCS #11 tokens default certificate. Setting the certificate as the default certificate allows the certificate to be used by the SSL APIs without having to specify its label. For more information about setting the default certificate, see Marking a certificate (and private key) as the default certificate. In order for the SSL handshake to successfully validate the use of the self-signed certificates, the partner application needs to know about the signer of the certificate. For self-signed certificates, this means that the self-signed certificate must be imported into the partner's database or z/OS PKCS #11 token. For more information about importing certificates, see Importing a certificate from a file as a trusted CA certificate. |
Copyright IBM Corporation 1990, 2014
|