z/OS Cryptographic Services System SSL Programming


Receiving the signed certificate or renewal certificate

SC14-7495-00

When the certificate authority signs a certificate in response to your certificate request, you must receive that certificate into the key database or z/OS® PKCS #11 token that holds the matching private key. This applies to both new certificates and renewal certificates.

To receive the certificate, store the Base64-encoded certificate that the certificate authority returned in a file on the z/OS system so that the gskkyman utility can read it. If the file is in the current working directory when gskkyman is started, you can enter its name alone; if it is in another directory, you must enter its fully qualified path name.

Note: To receive the certificate, the certificate of the CA that signed it must already exist in the key database or z/OS PKCS #11 token. To store a CA certificate, see Importing a certificate from a file as a trusted CA certificate.

To receive a certificate that is issued on your behalf, enter option 5 from the Key Management Menu (Figure 1) or the Token Management Menu (Figure 2).

Figure 1. Key Management Menu
       Key Management Menu

       Database: /home/sufwl1/ssl_cmd/mykey.kdb
       Expiration Date: 2025/12/02  10:11:12

   1 - Manage keys and certificates
   2 - Manage certificates
   3 - Manage certificate requests
   4 - Create new certificate request
   5 - Receive requested certificate or a renewal
       certificate
   6 - Create a self-signed certificate
   7 - Import a certificate
   8 - Import a certificate and a private key
   9 - Show the default key
  10 - Store database password
  11 - Show database record length

   0 - Exit program

Enter option number (press ENTER to return to
previous menu):  5 <enter>

Enter certificate file name (press ENTER to return
to menu):  signed.arm <enter>

Certificate received.

Press ENTER to continue.
 ===>

Figure 2. Token Management Menu
       Token Management Menu

       Token: TOKENABC

       Manufacturer:  z/OS PKCS11 API
       Model:  HCR77A0
       Flags:  0x00000509 (INITIALIZED,PROT AUTH
               PATH,USER PIN INIT,RNG)

   1 - Manage keys and certificates
   2 - Manage certificates
   3 - Manage certificate requests
   4 - Create new certificate request
   5 - Receive requested certificate or a renewal
       certificate
   6 - Create a self-signed certificate
   7 - Import a certificate
   8 - Import a certificate and a private key
   9 - Show the default key
  10 - Delete token

   0 - Exit program

Enter option number (press ENTER to return to
previous menu):  5 <enter>

Enter certificate file name (press ENTER to return
to menu):  signed.arm <enter>

Certificate received.

Press ENTER to continue.
 ===>

You are prompted for the name of the file that contains the Base64-encoded certificate that the certificate authority returned in response to a previously submitted certificate request (see Creating a certificate request). After the certificate is received, press Enter to continue working with the Key Management Menu or Token Management Menu. After this step, and before the System SSL APIs use the certificate during SSL handshake processing, decide whether the certificate should be marked as the database's default certificate. Setting the certificate as the default allows the SSL APIs to use it without its label being specified. For more information about setting the default certificate, see Marking a certificate (and private key) as the default certificate.

Once the certificate has been received, monitor its expiration date. When the expiration date is approaching (do not wait until the certificate has expired), obtain a new certificate to replace it. The new certificate can be a brand new certificate with a new public/private key pair, or a renewal certificate in which the existing keys and certificate information are reused. See Creating a certificate request for more information about new and renewal certificates.

Copyright IBM Corporation 1990, 2014