z/OS Cryptographic Services System SSL Programming


Creating a signed certificate and key

SC14-7495-00

Creating a signed certificate and key is a fast-path method for creating a certificate that is signed by the displayed Certificate Authority certificate and that resides in the same key database file or z/OS® PKCS #11 token as that signing Certificate Authority certificate. From the Key Management Menu or Token Management Menu, select 1 - Manage keys and certificates to display the Key and Certificate List or Token Key and Certificate List respectively. Find the label of the signing Certificate Authority certificate and enter the number associated with the label. From the Key and Certificate Menu or Token Key and Certificate Menu, choose option 10 to create a signed certificate and key.

Note: This requires the displayed certificate to have signing capability.
The Certificate Usage menu appears, followed by menus to select the certificate key algorithm and key size (or, if ECC is selected as the certificate key algorithm, the ECC key type and EC named curve; see Creating a signed ECC certificate and key). Once these details are determined, you are prompted to enter:
  • a label to uniquely identify the key and certificate within the key database or z/OS PKCS #11 token
  • the individual fields within the subject name
  • certificate expiration. The valid range for a self-signed certificate is 1 to 9999 days. The default is 365 days.
Figure 1. Enter Certificate Details
       Certificate Usage

   1 - CA certificate
   2 - User or server certificate

Select certificate usage (press ENTER to return to menu): 2 <enter>

       Certificate Key Algorithm

   1 - Certificate with an RSA key
   2 - Certificate with a DSA key
   3 - Certificate with an ECC key
   4 - Certificate with a Diffie-Hellman key

Select certificate key algorithm (press ENTER to return to menu): 1 <enter>

       RSA Key Size

   1 - 1024-bit key
   2 - 2048-bit key
   3 - 4096-bit key

Select RSA key size (press ENTER to return to menu): 1 <enter>
Enter label (press ENTER to return to menu): signedcert <enter>
Enter subject name for certificate
  Common name (required): My signed Certificate <enter>
  Organizational unit (optional): ID <enter>
  Organization (required): IBM <enter>
  City/Locality (optional): Endicott <enter>
  State/Province (optional): NY <enter>
  Country/Region (2 characters - required): US <enter>
Enter number of days certificate will be valid (default 365): 300 <enter>

Enter 1 to specify subject alternate names or 0 to continue: 1

Please wait .....
Enter option 0 to continue or option 1 to specify subject alternate names. If option 1 is selected, the Subject Alternate Name Type menu appears.
Figure 2. Subject Alternate Name Type
       Subject Alternate Name Type

   1 - Directory name (DN)
   2 - Domain name (DNS)
   3 - E-mail address (SMTP)
   4 - Network address (IP)
   5 - Uniform resource identifier (URI)

Select subject alternate name type (press ENTER if name is complete): 1 <enter>
Enter subject name for certificate
  Common name (required): Test server <enter>
  Organizational unit (optional): ID <enter>
  Organization (required): IBM <enter>
  City/Locality (optional): Endicott <enter>
  State/Province (optional): NY <enter>
  Country/Region (2 characters - required): US <enter>

       Subject Alternate Name Type

   1 - Directory name (DN)
   2 - Domain name (DNS)
   3 - E-mail address (SMTP)
   4 - Network address (IP)
   5 - Uniform resource identifier (URI)

Select subject alternate name type (press ENTER if name is complete): <enter>

Please wait .....

When specifying subject alternate names, you are first prompted for the type of the alternate name. After the alternate name type is determined, you are prompted to enter:

  • the individual fields within the subject name.

After the individual fields are completed, enter option 0 to continue or option 1 to specify another subject alternate name (repeat the process).
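The same flow as Figures 1 and 2, and the signing-capability requirement from the note above, worked through with OpenSSL as an added shell example. This is not part of the IBM documentation and does not use gskkyman; gskkyman keeps the result in a key database or PKCS #11 token, whereas this script writes PEM files, so it is mainly useful for seeing what the menu entries become in the resulting certificate and for checking a certificate exported from z/OS. It assumes openssl 1.1.1 or later on the PATH. The CA subject, the working directory, the file names and all subject alternate name values are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the IBM documentation or of gskkyman:
# a CA-signed RSA certificate with the subject fields of Figure 1,
# 300-day validity, and the directory-name SAN of Figure 2 (plus one
# of each other SAN type), built with OpenSSL, followed by the checks
# a reviewer applies to the result. Every name, path and SAN value
# below is constructed for the example.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Returns 0 only if $1 holds a certificate with signing capability:
# basicConstraints CA:TRUE and a keyUsage that includes keyCertSign.
# This is the capability the "displayed certificate" must have.
ca_can_sign() {
    _t=$(openssl x509 -in "$1" -noout -text)
    printf '%s\n' "$_t" | grep -q 'CA:TRUE' &&
    printf '%s\n' "$_t" | grep -q 'Certificate Sign'
}

# Create the signing CA (the "displayed signing Certificate Authority
# certificate"): self-signed, RSA 2048, CA extensions set explicitly.
make_ca() {
    cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
C = US
ST = NY
L = Endicott
O = IBM
OU = ID
CN = Example signing CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -config "$WORK/ca.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Create the key and CA-signed certificate of Figure 1 (label "signedcert",
# RSA key, subject fields as entered, 300 days) with the Figure 2 SAN.
make_signed_cert() {
    cat > "$WORK/signedcert.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
C = US
ST = NY
L = Endicott
O = IBM
OU = ID
CN = My signed Certificate
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectAltName = dirName:san_dn, DNS:test.example.com, email:admin@example.com, IP:192.0.2.10, URI:https://test.example.com/
[ san_dn ]
C = US
ST = NY
L = Endicott
O = IBM
OU = ID
CN = Test server
EOF
    openssl req -new -config "$WORK/signedcert.cnf" -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/signedcert.key" -out "$WORK/signedcert.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/signedcert.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 300 -sha256 -extfile "$WORK/signedcert.cnf" \
        -extensions server_ext -out "$WORK/signedcert.pem" 2>/dev/null
}

# Returns 0 if the issued certificate chains to the CA.
chain_ok() { openssl verify -CAfile "$WORK/ca.pem" "$WORK/signedcert.pem" >/dev/null 2>&1; }

# Returns 0 if the certificate is still valid in 299 days but not in 301,
# i.e. it was issued for the 300 days entered at the prompt.
valid_for_300_days() {
    openssl x509 -in "$WORK/signedcert.pem" -noout -checkend $((299 * 86400)) >/dev/null &&
    ! openssl x509 -in "$WORK/signedcert.pem" -noout -checkend $((301 * 86400)) >/dev/null
}

# Prints the subject alternate name extension as OpenSSL decodes it.
show_san() { openssl x509 -in "$WORK/signedcert.pem" -noout -ext subjectAltName; }

main() {
    make_ca
    ca_can_sign "$WORK/ca.pem" || { echo "CA certificate lacks signing capability" >&2; return 1; }
    make_signed_cert
    chain_ok && echo "signedcert.pem chains to ca.pem"
    valid_for_300_days && echo "validity is 300 days"
    show_san
}
main
```

The decoded subject alternate name shows the directory-name entry as a full DN, which is what the second "Enter subject name for certificate" block in Figure 2 produces; the other four types appear as plain strings. A certificate that fails `ca_can_sign` is the case gskkyman refuses at option 10.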





Copyright IBM Corporation 1990, 2014