z/OS Cryptographic Services System SSL Programming


Importing a certificate from a file as a trusted CA certificate

SC14-7495-00

If you are using a certificate authority to generate your certificates that is not one of the default certificate authorities whose certificates are already stored in the key database, or if you are using a z/OS® PKCS #11 token, for which no default certificates exist, then you must import the certificate authority's certificate into your key database file or z/OS PKCS #11 token before you use the System SSL APIs. If you are using client authentication, the CA certificate must be imported into the key database or z/OS PKCS #11 token of the server program. The client program's key database file or z/OS PKCS #11 token must have the CA certificate imported regardless of whether the SSL connection uses client authentication.

If you are using a self-signed certificate as the SSL server program's certificate and your SSL client program is also using the System SSL APIs, then you must import the server's self-signed certificate without its private key into the client program's key database file or z/OS PKCS #11 token.

If you are using a self-signed certificate as the SSL client program's certificate and your SSL server program is also using the System SSL APIs with client authentication requested, then you must import the client's self-signed certificate without its private key into the server program's key database file or z/OS PKCS #11 token.

If the CA certificate that is being imported was signed by another CA certificate, the complete chain must be present in the key database file or z/OS PKCS #11 token before the import. If the CA certificate chain consists of more than one certificate and the certificates exist in individual files, you must import the certificates starting with the root CA certificate.

If you are using a key database file, a number of well-known certificate authority (CA) certificates are stored in the key database when the key database is created. To get a certificate list, select 2 - Manage certificates from the Key Management Menu. The following figures contain lists of CAs for which certificates are stored on key database creation:

Figure 1. Certificate List (part 1)
                                                                      
       Certificate List                                               
                                                                      
       Database: /home/sufwl1/ssl_cmd/mykey.kdb
                                                                            
   1 - VeriSign Class 1 Public Primary CA                             
   2 - VeriSign Class 2 Public Primary CA                             
   3 - VeriSign Class 3 Public Primary CA                             
   4 - Thawte Server CA                                               
   5 - Thawte Premium Server CA                                       
   6 - Thawte Personal Basic CA                                       
   7 - Thawte Personal Freemail CA                                    
   8 - Thawte Personal Premium CA                                     
   9 - Equifax Secure Certificate Authority
                                                                      
   0 - Return to selection menu                                       
                                                                      
Enter label number (ENTER for more labels, p for previous list):      
 ===>                                                                 
                                                                      
Figure 2. Certificate List (part 2)
                                                                               
       Certificate List                                                        
                                                                               
       Database: /home/sufwl1/ssl_cmd/mykey.kdb
   
   1 - Equifax Secure eBusiness CA-1       
   2 - Equifax Secure eBusiness CA-2       
   3 - Equifax Secure Global eBusiness CA-1     
   4 - VeriSign Class 1 Public Primary CA - G2
   5 - VeriSign Class 2 Public Primary CA - G2
   6 - VeriSign Class 3 Public Primary CA - G2
   7 - VeriSign Class 4 Public Primary CA - G2
   8 - VeriSign Class 1 Public Primary CA - G3
   9 - VeriSign Class 2 Public Primary CA - G3
                                                                           
   0 - Return to selection menu                                                
                                                                               
Enter label number (ENTER to return to selection menu, p for previous list):   
 ===>                                                                          

Figure 3. Certificate List (part 3)
                                                                               
       Certificate List                                                        
                                                                               
       Database: /home/sufwl1/ssl_cmd/mykey.kdb

   1 - VeriSign Class 3 Public Primary CA - G3
   2 - VeriSign Class 4 Public Primary CA - G3
   3 - VeriSign Class 3 Public Primary CA - G5
                                                                              
   0 - Return to selection menu                                                
                                                                               
Enter label number (ENTER to return to selection menu, p for previous list):   
 ===>                                                                          

To import a certificate without a private key into your key database file or z/OS PKCS #11 token, first get the certificate into a file in Base64-encoded, binary-encoded, or PKCS #7 format. From the Key Management Menu or the Token Management Menu, enter 7 to import a certificate:

Figure 4. Key Management Menu
                                                                 
       Key Management Menu                                       
                                                                 
       Database: /home/sufwl1/ssl_cmd/mykey.kdb
       Expiration Date: 2025/12/02  10:11:12    
                                                                 
   1 - Manage keys and certificates                              
   2 - Manage certificates                                                      
   3 - Manage certificate requests                                              
   4 - Create new certificate request
   5 - Receive requested certificate or a renewal certificate   
   6 - Create a self-signed certificate                                         
   7 - Import a certificate                                                     
   8 - Import a certificate and a private key                                   
   9 - Show the default key                                                     
  10 - Store database password                                                  
  11 - Show database record length                                              
                                                                                
   0 - Exit program                                                             
                                                                                
Enter option number (press ENTER to return to previous menu): 7 <enter>                
Enter import file name (press ENTER to return to menu): cert.arm <enter>                 
Enter label (press ENTER to return to menu): cacert2 <enter>                           
                                                                                
Certificate imported.                                                           
                                                                                
Press ENTER to continue.                                                        
====>                                                                           

Figure 5. Token Management Menu
                                                                 
       Token Management Menu                                     
                                                                 
       Token: TOKENABC                                           

     Manufacturer: z/OS PKCS11 API
     Model: HCR77A0
     Flags: x00000509 (INITIALIZED, PROT AUTH PATH, USER PIN INIT, RNG) 

   1 - Manage keys and certificates                              
   2 - Manage certificates                                                      
   3 - Manage certificate requests                                              
   4 - Create new certificate request
   5 - Receive requested certificate or a renewal certificate   
   6 - Create a self-signed certificate                                         
   7 - Import a certificate                                                     
   8 - Import a certificate and a private key                                   
   9 - Show the default key                                                     
  10 - Delete Token                                                  
                                                                                  
   0 - Exit program                                                             
                                                                                
Enter option number (press ENTER to return to previous menu): 7 <enter>                
Enter import file name (press ENTER to return to menu): cert.arm <enter>                 
Enter label (press ENTER to return to menu): cacert2 <enter>                           
                                                                                
Certificate imported.                                                           
                                                                                
Press ENTER to continue.                                                        
====>                                                                           

You are prompted to enter the certificate file name and your choice of a unique label, which is assigned to the certificate.

When the certificate is imported, you receive a message indicating that the import was successful. The certificate is treated as "trusted", so that it can be used to verify incoming certificates. For a program acting as an SSL server, this certificate is used to verify a client's certificate. For a program acting as an SSL client, this certificate is used to verify the server's certificate that is sent to the client during SSL handshake processing.
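The rules in this topic can be checked before anything is imported. The following Go program is an added example; it is not part of this publication and does not use System SSL or gskkyman, only Go's standard crypto/x509 package. It constructs a root CA, an intermediate CA, a server certificate issued by the intermediate, and a self-signed server certificate at run time (all names and keys are made up for the example). It then shows that a chain supplied as separate files is put into root-first import order and that an incomplete chain is reported, and that once the CA chain is trusted, a CA-issued peer certificate verifies while a self-signed peer certificate verifies only after it has itself been imported. The one modelling assumption is the rule stated above: every imported certificate is treated as trusted, so all of them are placed in the verifier's root pool.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for cn, signed by parent, or by itself when parent is nil.
// Keys and names are generated here at run time: constructed test data, not real CA material.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // only CA certificates may sign other certificates
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed: the certificate is its own issuer
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER just produced by CreateCertificate always parses
	return cert, key
}

// IsSelfSigned verifies the signature with the certificate's own public key.
func IsSelfSigned(c *x509.Certificate) bool {
	return c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
}

// OrderRootFirst arranges CA certificates so that every issuer precedes the certificates it
// signed, the order they must be imported in when each arrives in its own file; it fails
// when an issuer is missing, because the chain must be complete before the import.
func OrderRootFirst(certs []*x509.Certificate) ([]*x509.Certificate, error) {
	var ordered []*x509.Certificate
	done := map[*x509.Certificate]bool{}
	for len(ordered) < len(certs) {
		before := len(ordered)
		for _, c := range certs {
			ok := IsSelfSigned(c) // a root CA is its own issuer
			for _, p := range ordered {
				ok = ok || c.CheckSignatureFrom(p) == nil
			}
			if ok && !done[c] {
				ordered, done[c] = append(ordered, c), true
			}
		}
		if len(ordered) == before {
			return nil, errors.New("chain incomplete: an issuer certificate is missing from the set")
		}
	}
	return ordered, nil
}

// TrustedBy models the verification the peer performs after the import: every imported
// certificate is treated as trusted, so all of them go into the root pool (assumption).
func TrustedBy(peer *x509.Certificate, trusted []*x509.Certificate) bool {
	roots := x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	_, err := peer.Verify(x509.VerifyOptions{Roots: roots})
	return err == nil
}

// RunChecks exercises the rules on a constructed root -> intermediate -> server chain and
// on a self-signed server certificate; every entry in the result should be true.
func RunChecks() map[string]bool {
	root, rootKey := issue("Constructed Root CA", true, nil, nil)
	inter, interKey := issue("Constructed Intermediate CA", true, root, rootKey)
	server, _ := issue("server.example", false, inter, interKey)
	self, _ := issue("selfsigned.example", false, nil, nil)
	ordered, orderErr := OrderRootFirst([]*x509.Certificate{inter, root}) // wrong order on input
	_, missingErr := OrderRootFirst([]*x509.Certificate{inter})          // root not supplied
	chain := []*x509.Certificate{root, inter}
	return map[string]bool{
		"chain ordered root first":          orderErr == nil && len(ordered) == 2 && ordered[0].Equal(root),
		"missing root is rejected":          missingErr != nil,
		"CA-issued server cert verifies":    TrustedBy(server, chain),
		"self-signed peer needs own import": !TrustedBy(self, chain) && TrustedBy(self, []*x509.Certificate{self}),
	}
}
func main() { fmt.Println(RunChecks()) }
```

Running the program prints a map in which every entry is true. OrderRootFirst is the part to run over a set of CA certificate files before importing them one at a time with option 7, and TrustedBy stands in for the verification that the System SSL peer performs against the imported certificates during the handshake.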

Copyright IBM Corporation 1990, 2014