Receiving the signed certificate or renewal certificate
z/OS Cryptographic Services System SSL Programming SC14-7495-00

When a certificate is signed by the certificate authority in response to the certificate request, you must receive it into the key database or z/OS® PKCS #11 token. This applies to both new certificates and renewal certificates.

To receive the certificate, you must store the Base64-encoded certificate in a file on the z/OS system so that it can be read by the gskkyman utility. This file should be in the current working directory when gskkyman is started. If the file is in another directory, you must specify the fully qualified name.

Note: To receive the certificate, the CA certificate must also exist in the key database or z/OS PKCS #11 token. To store a CA certificate, see Importing a certificate from a file as a trusted CA certificate.

To receive a certificate that is issued on your behalf, from the Key Management Menu or Token Management Menu, see Figure 4 and enter option 5.

Figure 1. Key Management Menu
Figure 2. Token Management Menu

You are prompted for the name of the file that contains the Base64-encoded certificate that was returned to you by the certificate authority in response to a previously submitted certificate request (see Creating a certificate request). After you receive the certificate, press Enter to continue working with the Key Management Menu or Token Management Menu.

Upon completion of this step, and before the System SSL APIs use the certificate during SSL handshake processing, you must determine whether the certificate should be marked as the database's default certificate. Setting the certificate as the default certificate allows the certificate to be used by the SSL APIs without having to specify its label. For more information about setting the default certificate, see Marking a certificate (and private key) as the default certificate.

When received into a key database file, the certificate's expiration date should be monitored. When the expiration date is nearing (do not wait until it is expired), a new certificate should be obtained to replace the existing certificate. The new certificate can be a brand new certificate with new public/private keys or a renewal certificate where existing keys and certificate information are used. See Figure 2 for more information about a new or renewal certificate.
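
One way to monitor the expiration date is to read it from the same Base64-encoded file that was received. The following is an added example, not part of the IBM documentation or of gskkyman; it assumes the file uses the usual BEGIN/END CERTIFICATE armor lines, and the function names and the sample data are constructed for illustration.

```python
import base64, re
from datetime import datetime, timezone

def read_tlv(der, pos):
    """Read one DER element at pos; return (tag, content_start, content_end)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def not_after(pem_text):
    """Return the notAfter time (UTC) of a Base64-encoded X.509 certificate."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no Base64-encoded certificate found")
    der = base64.b64decode("".join(m.group(1).split()))
    _, pos, _ = read_tlv(der, 0)            # Certificate
    _, pos, _ = read_tlv(der, pos)          # tbsCertificate
    tag, _, nxt = read_tlv(der, pos)
    if tag == 0xA0:                         # optional [0] version (absent in v1)
        pos = nxt
    for _field in range(3):                 # skip serialNumber, signature, issuer
        _, _, pos = read_tlv(der, pos)
    _, pos, _ = read_tlv(der, pos)          # validity
    _, _, pos = read_tlv(der, pos)          # skip notBefore
    tag, start, end = read_tlv(der, pos)    # notAfter
    text = der[start:end].decode("ascii")
    if tag == 0x17:                         # UTCTime: YY >= 50 means 19YY (RFC 5280)
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def days_left(pem_text, now):
    """Whole days until notAfter; negative once the certificate has expired."""
    return (not_after(pem_text) - now).days

# Constructed sample: a DER skeleton holding only the fields parsed above,
# not a real certificate. Validity: 2024-01-01 to 2025-01-01.
def make_tlv(tag, body):
    return bytes([tag, len(body)]) + body
_tbs = make_tlv(0x30, make_tlv(0xA0, make_tlv(0x02, b"\x02")) + make_tlv(0x02, b"\x01")
                + make_tlv(0x30, b"") + make_tlv(0x30, b"")
                + make_tlv(0x30, make_tlv(0x17, b"240101000000Z") + make_tlv(0x17, b"250101000000Z")))
SAMPLE = ("-----BEGIN CERTIFICATE-----\n"
          + base64.b64encode(make_tlv(0x30, _tbs)).decode() + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    left = days_left(SAMPLE, datetime(2024, 12, 15, tzinfo=timezone.utc))
    print(f"{left} days left" + ("; request a new or renewal certificate" if left < 30 else ""))
```

The 30-day threshold in the last line is an arbitrary choice for the example; pick one that covers the certificate authority's turnaround time.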
Copyright IBM Corporation 1990, 2014