z/OS Cryptographic Services System SSL Programming


Manage Keys and Certificates

SC14-7495-00

This option manages the certificates that have an associated private key. A list of key labels is displayed; pressing ENTER without making a selection displays the next set of labels. Selecting one of the label numbers displays this menu:

Figure 1. Key and Certificate Menu

       Key and Certificate Menu

       Label: Certificate_label_name

   1 - Show certificate information
   2 - Show key information
   3 - Set key as default
   4 - Set certificate trust status
   5 - Copy certificate and key to another
       database/token
   6 - Export certificate to a file
   7 - Export certificate and key to a file
   8 - Delete certificate and key
   9 - Change label
  10 - Create a signed certificate and key
  11 - Create a certificate renewal request

   0 - Exit program

Enter option number (press ENTER to return to
previous menu):
 ===>
Figure 2. Token Key and Certificate Menu
       Token Key and Certificate Menu

       Label: Certificate_label_name  

   1 - Show certificate information
   2 - Show key information
   3 - Set key as default
   4 - Set certificate trust status
   5 - Copy certificate and key to another
       database/token
   6 - Export certificate to a file
   7 - Export certificate and key to a file
   8 - Delete certificate and key
   9 - Change label
  10 - Create a signed certificate and key
  11 - Create a certificate renewal request
  
   0 - Exit program

Enter option number (press ENTER to return to
previous menu):
===>
Show certificate information
This option displays information about the X.509 certificate associated with the private key.
Show key information
This option displays information about the private key.
Set key as default
This option makes the current key the default key for the database. The default key is the one System SSL uses when an application does not specify a certificate label.
Set certificate trust status
This option sets or resets the trusted status for the X.509 certificate. A certificate cannot be used for authentication unless it is trusted.
Note: All z/OS® PKCS #11 token certificates are automatically created with the status set to trusted. Changing the trust status is not supported for z/OS PKCS #11 token certificates.
Copy certificate and key to another database/token
This option copies the certificate and key to another token or a database. An error is returned if the certificate is already in the token/database or if the label is not unique. A certificate and key may only be copied into a FIPS mode database from another FIPS mode database. A certificate and key may not be copied from a non-FIPS mode database or a PKCS #11 token to a FIPS mode database.
Export certificate to a file
This option exports just the X.509 certificate to a file, without the private key. The supported export formats are ASN.1 Distinguished Encoding Rules (DER) and PKCS #7 (Cryptographic Message Syntax).
Export certificate and key to a file
This option exports the X.509 certificate and its private key to a file. The private key is encrypted when it is written to the file, and the password you select will be needed when you import the file. The supported export formats for a key database file are PKCS #12 Version 1 (obsoleted) and PKCS #12 Version 3. For z/OS PKCS #11 tokens and FIPS mode databases, the only supported export format is PKCS #12 Version 3. The strong encryption option uses Triple DES to encrypt the private key, while the export encryption option uses 40-bit RC2. A 40-bit key is within reach of a brute-force search on ordinary hardware, so a file written with the export encryption option should be handled as if the private key were in the clear; use strong encryption unless the file must be read by software that cannot handle Triple DES. Strong encryption is the only supported option when exporting from a FIPS database. The export file will contain the requested certificate and its certification chain.
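The export format does not record which encryption option was chosen in any human-readable way, so a practitioner receiving a PKCS #12 file will want to check before trusting it with a private key. The following is an added example, not code from the z/OS System SSL documentation or from gskkyman: it walks the DER structure of a PKCS #12 file with the Python standard library only, descends into the OCTET STRINGs that PKCS #12 uses to nest its AuthenticatedSafe and SafeContents, and reports the password-based encryption (PBE) OIDs it finds. The OID-to-name table follows RFC 7292 appendix C and RFC 8018; the sample file is constructed in the block (it has the shape of a PKCS #12 export with a fake ciphertext, not a real gskkyman output).

```python
"""Report the PBE scheme shrouding the private key in a PKCS #12 file (stdlib only).

Added example, not part of gskkyman or the z/OS System SSL documentation."""
import sys

# PKCS #12 PBE OIDs (RFC 7292, appendix C) and PBES2 (RFC 8018).
PBE_OIDS = {
    "1.2.840.113549.1.12.1.3": "pbeWithSHAAnd3-KeyTripleDES-CBC",  # gskkyman "strong"
    "1.2.840.113549.1.12.1.6": "pbeWithSHAAnd40BitRC2-CBC",        # gskkyman "export"
    "1.2.840.113549.1.5.13": "PBES2",                              # e.g. OpenSSL 3 default
}
WEAK_OIDS = {"1.2.840.113549.1.12.1.6"}  # 40-bit key: brute-forceable, treat as plaintext


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, constructed, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags not supported")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, bool(tag & 0x20), buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER contents (base-128 arcs) into dotted form."""
    arcs, value = [], 0
    for b in raw:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if not arcs or value:
        raise ValueError("bad OID")
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def _walk(buf, found):
    """Collect OIDs: recurse into constructed types and into OCTET STRINGs that
    parse as DER; opaque OCTET STRINGs (ciphertext, MAC, salt) are skipped."""
    pos = 0
    while pos < len(buf):
        tag, constructed, value, pos = _read_tlv(buf, pos)
        if tag == 0x06:
            found.append(_decode_oid(value))
        elif constructed:
            _walk(value, found)
        elif tag == 0x04:
            nested = []
            try:
                _walk(value, nested)
            except ValueError:
                continue                    # not DER: keep nothing from it
            found.extend(nested)


def pkcs12_pbe_report(p12_bytes):
    """Return (recognised PBE scheme names in order found, True if any is weak)."""
    found = []
    _walk(p12_bytes, found)
    return [PBE_OIDS[o] for o in found if o in PBE_OIDS], any(o in WEAK_OIDS for o in found)


# --- constructed sample data (a PKCS #12-shaped blob, not a real export) ---
def _der(tag, *parts):
    body = b"".join(parts)
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))


def build_sample_p12(pbe_oid):
    """PFX { version 3, authSafe: data { OCTET STRING { [ ContentInfo data {
    OCTET STRING { SafeContents [ pkcs8ShroudedKeyBag { AlgId(pbe), ciphertext } ] } } ] } } }"""
    data, shrouded_bag = "1.2.840.113549.1.7.1", "1.2.840.113549.1.12.10.1.2"
    alg_id = _der(0x30, _oid(pbe_oid), _der(0x30, _der(0x04, b"\x00" * 8), _der(0x02, b"\x08\x00")))
    enc_key = _der(0x30, alg_id, _der(0x04, b"\xff\xee" * 8))       # fake ciphertext, not DER
    bag = _der(0x30, _oid(shrouded_bag), _der(0xA0, enc_key))
    content = _der(0x30, _oid(data), _der(0xA0, _der(0x04, _der(0x30, bag))))
    auth_safe = _der(0x30, _oid(data), _der(0xA0, _der(0x04, _der(0x30, content))))
    return _der(0x30, _der(0x02, b"\x03"), auth_safe)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_p12("1.2.840.113549.1.12.1.6")
    schemes, weak = pkcs12_pbe_report(blob)
    print("PBE schemes:", schemes, "| WEAK" if weak else "| ok")
```

Run it against an exported file with `python3 p12check.py export.p12`; with no argument it analyses the constructed sample. Because it only looks for OIDs, it also works on files whose key bags are wrapped in an EncryptedData SafeContents, since that AlgorithmIdentifier is itself in the clear; it does not verify the MAC or decrypt anything.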
Delete certificate and key
The certificate and its associated private key are deleted.
Change label
This option will change the label for the database record.
Create a signed certificate and key
This option will create a new certificate and associated public/private key pair. The new certificate will be signed using the certificate in the current record and then stored in either the key database file or z/OS PKCS #11 token.

For DSS (DSA) and Diffie-Hellman keys, the key generation parameters must be compatible with the requested key type and key size. Keys are in the same domain if they have the same set of key generation parameters; see FIPS 186-2: DIGITAL SIGNATURE STANDARD (DSS) and RFC 2631: Diffie-Hellman Key Agreement Method for more information about the key generation parameters. The subject name and one or more subject alternate names can be specified for the new certificate.

The subject name is always an X.500 directory name while a subject alternate name can be an X.500 directory name, a domain name, an email address, an IP address, or a uniform resource identifier. An X.500 directory name consists of common name, organization, and country attributes with optional organizational unit, city/locality, and state/province attributes. A domain name is one or more tokens separated by periods. An email address consists of a user name and a domain name separated by '@'. An IP address is an IPv4 address (nnn.nnn.nnn.nnn) or an IPv6 address (nnnn:nnnn:nnnn:nnnn:nnnn:nnnn:nnnn:nnnn). A uniform resource identifier consists of a scheme name, a domain name, and a scheme-specific portion.
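The name forms above are easy to get wrong at the prompt, and gskkyman's own messages do not say which form it recognised. The following is an added example, not gskkyman code: a small Python validator that classifies a string as one of the five subject alternate name forms described here (or rejects it), and parses an X.500 directory name into its required CN, O and C attributes plus the optional OU, L and ST. Two assumptions go beyond the page: domain name tokens are checked against the letters-digits-hyphen rule, and compressed IPv6 notation is accepted because the `ipaddress` module accepts it; gskkyman's own parser may differ on both points.

```python
"""Classify and sanity-check subject / subject alternate name forms.

Added example, not gskkyman code; see the lead-in for the assumptions made."""
import ipaddress
import re
from urllib.parse import urlsplit

_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")  # assumption: LDH labels
_LOCAL_PART = re.compile(r"^[^\s@:/,]+$")
_REQUIRED = {"CN", "O", "C"}          # common name, organization, country
_OPTIONAL = {"OU", "L", "ST"}         # organizational unit, city/locality, state/province


def is_domain_name(value):
    """One or more tokens separated by periods, each a valid DNS label."""
    return all(_LABEL.match(label) for label in value.split("."))


def ip_version(value):
    """4 or 6 for a literal IP address, else None."""
    try:
        return ipaddress.ip_address(value).version
    except ValueError:
        return None


def is_email(value):
    """user@domain with a single '@' and a domain-name right-hand side."""
    local, sep, domain = value.partition("@")
    return bool(sep) and bool(_LOCAL_PART.match(local)) and is_domain_name(domain)


def is_uri(value):
    """scheme + domain name + scheme-specific part (an authority-less URI is rejected)."""
    parts = urlsplit(value)
    return bool(parts.scheme) and parts.hostname is not None and is_domain_name(parts.hostname)


def parse_directory_name(value):
    """Parse 'CN=...,O=...,C=...' (optionally OU, L, ST) into a dict.

    Raises ValueError on a malformed RDN, an unsupported or duplicate attribute,
    a missing required attribute, or a country that is not a two-letter code.
    A comma inside a value must be escaped as '\\,'."""
    rdns = {}
    for rdn in re.split(r"(?<!\\),", value):
        attr, sep, val = rdn.partition("=")
        attr, val = attr.strip().upper(), val.strip()
        if not sep or not val:
            raise ValueError("malformed RDN: %r" % rdn)
        if attr not in _REQUIRED | _OPTIONAL:
            raise ValueError("unsupported attribute: %s" % attr)
        if attr in rdns:
            raise ValueError("duplicate attribute: %s" % attr)
        rdns[attr] = val.replace("\\,", ",")
    missing = _REQUIRED - rdns.keys()
    if missing:
        raise ValueError("missing required attribute(s): %s" % ", ".join(sorted(missing)))
    if len(rdns["C"]) != 2:
        raise ValueError("country must be a two-letter code")
    return rdns


def classify(value):
    """Return 'directory', 'ipv4', 'ipv6', 'uri', 'email' or 'dns'; raise if none fits."""
    if "=" in value:
        parse_directory_name(value)       # raises on a malformed directory name
        return "directory"
    version = ip_version(value)           # before 'dns': '192.0.2.10' is also dotted tokens
    if version:
        return "ipv%d" % version
    if is_uri(value):
        return "uri"
    if is_email(value):
        return "email"
    if is_domain_name(value):
        return "dns"
    raise ValueError("not a supported name form: %r" % value)


def is_valid_san(value):
    try:
        classify(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name in ["CN=app.example.com,OU=Ops,O=Example,C=US", "app.example.com",
                 "admin@example.com", "192.0.2.10", "2001:db8::1",
                 "https://app.example.com/login", "CN=only"]:
        print("%-45s -> %s" % (name, classify(name) if is_valid_san(name) else "REJECTED"))
```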

The signature algorithm used when signing the certificate is derived from the key algorithm of the signing certificate and the following digest type:
  • For RSA signatures, the digest type matches that used in the signature algorithm of the signing certificate. If that digest is not a SHA-based digest (for example, MD5), then SHA-1 is used.
  • For DSA signatures using a 1024-bit DSA key, the digest type is SHA-1. When using a 2048-bit DSA key, the user is offered a choice of SHA-2 digest algorithms.
  • For ECC Signatures, the digest type is the suggested digest for the key size of the ECC private key, as specified in Table 1.
Possible signature algorithms are:
  • x509_alg_sha1WithRsaEncryption
  • x509_alg_sha224WithRsaEncryption
  • x509_alg_sha256WithRsaEncryption
  • x509_alg_sha384WithRsaEncryption
  • x509_alg_sha512WithRsaEncryption
  • x509_alg_dsaWithSha1
  • x509_alg_dsaWithSha224
  • x509_alg_dsaWithSha256
  • x509_alg_ecdsaWithSha256
  • x509_alg_ecdsaWithSha384
  • x509_alg_ecdsaWithSha512
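The rules above decide the new certificate's signature algorithm entirely from the signing certificate, so it pays to predict the outcome before signing: an old RSA signer that itself carries an MD5 or SHA-1 signature will produce a SHA-1-signed certificate, which current TLS clients reject. The following is an added example, not gskkyman code, that encodes the rules listed here and flags a SHA-1 result. Two details are assumptions: the ECC key-size-to-digest mapping of Table 1 is not reproduced on this page, so the block uses the usual pairing of 256-bit, 384-bit and 521-bit keys with SHA-256, SHA-384 and SHA-512; and the SHA-2 choice for a 2048-bit DSA key is taken to be SHA-224 or SHA-256, the two DSA variants in the list above. The `x509_alg_md5WithRsaEncryption` input name is used only as an illustration of a non-SHA signer.

```python
"""Predict the signature algorithm gskkyman derives for a new certificate.

Added example, not gskkyman code; the ECC mapping and the DSA choice set are
assumptions noted in the lead-in."""
import re

# The possible outcomes listed on this page.
POSSIBLE = {
    "x509_alg_sha1WithRsaEncryption", "x509_alg_sha224WithRsaEncryption",
    "x509_alg_sha256WithRsaEncryption", "x509_alg_sha384WithRsaEncryption",
    "x509_alg_sha512WithRsaEncryption",
    "x509_alg_dsaWithSha1", "x509_alg_dsaWithSha224", "x509_alg_dsaWithSha256",
    "x509_alg_ecdsaWithSha256", "x509_alg_ecdsaWithSha384", "x509_alg_ecdsaWithSha512",
}
ECC_DIGEST = {256: "sha256", 384: "sha384", 521: "sha512"}   # assumption standing in for Table 1
DSA_2048_CHOICES = ("sha224", "sha256")                        # assumption, from the list above


def digest_of(sig_alg):
    """Digest name embedded in an x509_alg_* signature algorithm name, lower-cased."""
    m = re.fullmatch(r"x509_alg_(\w+?)WithRsaEncryption", sig_alg)
    if m:
        return m.group(1).lower()
    m = re.fullmatch(r"x509_alg_(?:dsa|ecdsa)With(Sha\d+)", sig_alg)
    if m:
        return m.group(1).lower()
    raise ValueError("unrecognised signature algorithm name: %s" % sig_alg)


def select_signature_algorithm(signer_key_alg, signer_key_bits, signer_sig_alg,
                               dsa_digest_choice="sha256"):
    """Return the x509_alg_* name used to sign the new certificate.

    signer_key_alg   : 'RSA', 'DSA' or 'ECC' (the key in the current record)
    signer_key_bits  : size of that key
    signer_sig_alg   : the x509_alg_* name the signing certificate itself carries
    dsa_digest_choice: the SHA-2 digest the user picks for a 2048-bit DSA signer
    """
    if signer_key_alg == "RSA":
        digest = digest_of(signer_sig_alg)
        if not digest.startswith("sha"):          # e.g. an md5-signed signer falls back to SHA-1
            digest = "sha1"
        name = "x509_alg_%sWithRsaEncryption" % digest
    elif signer_key_alg == "DSA":
        if signer_key_bits == 1024:
            digest = "sha1"                        # no choice offered
        elif signer_key_bits == 2048:
            if dsa_digest_choice not in DSA_2048_CHOICES:
                raise ValueError("2048-bit DSA signer: choose one of %s" % (DSA_2048_CHOICES,))
            digest = dsa_digest_choice
        else:
            raise ValueError("unsupported DSA key size: %d" % signer_key_bits)
        name = "x509_alg_dsaWith%s" % digest.capitalize()
    elif signer_key_alg == "ECC":
        if signer_key_bits not in ECC_DIGEST:
            raise ValueError("no suggested digest for a %d-bit ECC key" % signer_key_bits)
        name = "x509_alg_ecdsaWith%s" % ECC_DIGEST[signer_key_bits].capitalize()
    else:
        raise ValueError("unknown key algorithm: %s" % signer_key_alg)
    if name not in POSSIBLE:
        raise ValueError("derived %s, which is not an algorithm gskkyman produces" % name)
    return name


def uses_sha1(sig_alg):
    """True when the derived algorithm is SHA-1 based (rejected by current TLS clients)."""
    return digest_of(sig_alg) == "sha1"


if __name__ == "__main__":
    for signer in [("RSA", 2048, "x509_alg_sha256WithRsaEncryption"),
                   ("RSA", 2048, "x509_alg_md5WithRsaEncryption"),
                   ("DSA", 1024, "x509_alg_dsaWithSha1"),
                   ("ECC", 384, "x509_alg_ecdsaWithSha384")]:
        alg = select_signature_algorithm(*signer)
        print("%s %d-bit signer -> %s%s" % (signer[0], signer[1], alg,
                                            "  (SHA-1: re-key the signer first)" if uses_sha1(alg) else ""))
```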
Create a certificate renewal request
This option will create a certification request using the subject name and public/private key pair from an existing certificate. The certificate request will be exported to a file in Base64 format. This file can then be sent to a certification authority for processing. The certificate returned by the certification authority can then be processed using option 5 (Receive requested certificate or a renewal certificate) on the Key Management Menu or Token Management Menu. The new certificate will replace the existing certificate.

Copyright IBM Corporation 1990, 2014